https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12418#M915 <P>I have created my manual extraction of the fields due to the fact that I've never had the CHECK_FOR_HEADER attribute to work. Here's my IIS config:</P> <P><STRONG>props.conf</STRONG></P> <PRE> [iis_default] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_default = iis_default [iis_w3c] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_w3c = iis_w3c TRANSFORMS-comment = comment </PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE> [no_header] REGEX = NetBIOSName,DNSName,IP,MAC,OS,AuditID,CVE,Name,Description,Date,Risk,CVSSScore,FixInformation DEST_KEY = queue FORMAT = nullQueue [iis_default] FIELDS="c-ip","cs-username","date","time","service","s-name","s-ip","time-taken","c-sent","s-sent","sc-status","sc_win_status","cs_method","cs-uri-stem" DELIMS = "," [iis_w3c] FIELDS="date","time","c-ip","cs-username","s-sitename","s-ip","s-port","cs-method","cs-uri-stem","cs-uri-query","sc-status","sc-win32-status","cs(User-Agent)" DELIMS = " " </PRE> Wed, 28 Apr 2010 19:53:15 GMT BunnyHop 2010-04-28T19:53:15Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12417#M914 <P>I have been running the latest Splunk 4.1.1 and have been unsuccessful at getting the auto header extraction to work for IIS or Exchange logs. I am collecting the logs via a Splunk light forwarding agent installed on each of the servers, and then collecting the logs on my main Splunk server (Windows 2008 64bit). From all of the forums and docs, it looks like the file I should be editing is the props.conf located in Splunk\etc\system\local (on the main Splunk indexing server). I have added the following entries:</P> <PRE><CODE>[ExchangeMessageTracking] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False CHECK_FOR_HEADER = True [iis] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False CHECK_FOR_HEADER = True </CODE></PRE> <P>After making the changes I have tried restarting the Splunk services and running "| extract reload=true". I also tried placing these settings in Splunk\etc\apps\search\local. However, nothing seems to work. Splunk indexes the entire file, including the header lines that begin with a "#". If anyone has any suggestions I would really appreciate them.</P> Wed, 28 Apr 2010 05:08:04 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12417#M914 Justin 2010-04-28T05:08:04Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12418#M915 <P>I have created my manual extraction of the fields due to the fact that I've never had the CHECK_FOR_HEADER attribute to work. Here's my IIS config:</P> <P><STRONG>props.conf</STRONG></P> <PRE> [iis_default] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_default = iis_default [iis_w3c] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_w3c = iis_w3c TRANSFORMS-comment = comment </PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE> [no_header] REGEX = NetBIOSName,DNSName,IP,MAC,OS,AuditID,CVE,Name,Description,Date,Risk,CVSSScore,FixInformation DEST_KEY = queue FORMAT = nullQueue [iis_default] FIELDS="c-ip","cs-username","date","time","service","s-name","s-ip","time-taken","c-sent","s-sent","sc-status","sc_win_status","cs_method","cs-uri-stem" DELIMS = "," [iis_w3c] FIELDS="date","time","c-ip","cs-username","s-sitename","s-ip","s-port","cs-method","cs-uri-stem","cs-uri-query","sc-status","sc-win32-status","cs(User-Agent)" DELIMS = " " </PRE> Wed, 28 Apr 2010 19:53:15 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12418#M915 BunnyHop 2010-04-28T19:53:15Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12419#M916 <P>BunnyHop, I got the extraction to work by using your suggestion and I also got some additional information from this forum post:<BR /> <A href="http://www.splunk.com/support/forum:SplunkAdministration/3395">http://www.splunk.com/support/forum:SplunkAdministration/3395</A></P> <P>For anyone else with this problem, I only made changes on the main Splunk server and not on a forwarder. I also did not need to restart the Splunk service(s) in order to see the changes take effect.</P> Thu, 29 Apr 2010 01:47:07 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12419#M916 Justin 2010-04-29T01:47:07Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12420#M917 <P>I have just uploaded <A href="http://splunk-base.splunk.com/apps/28976/splunk-app-for-microsoft-exchange">Splunk App for Microsoft Exchange</A>, which extracts the information you need. I hope it helps you.</P> Mon, 15 Aug 2011 18:09:08 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12420#M917 ahall_splunk 2011-08-15T18:09:08Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12421#M918 <P>I found a new format iis_v6, that seems to be for IIS version 6.0<BR /> here are my settings.</P> <PRE> inputs [montiror:] sourcetype=iis_v6 TZ=GMT in props.conf [iis_v6] pulldown_type = true MAX_TIMESTAMP_LOOKAHEAD = 32 SHOULD_LINEMERGE = False REPORT-iis_v6 = iis_v6 TRANSFORMS-comment = iis_comment in transforms.conf [iis_v6] FIELDS="date","time","s-sitename","s-computername","s-ip","cs-method","cs-uri-stem","cs-uri-query","s-port","cs-username","c-ip","cs-version","cs_User-Agent_","cs_Cookie_","cs_Referer_","cs-host","sc-status","sc-substatus","sc-win32-status","sc-bytes","cs-bytes","time-taken" DELIMS = " " [iis_comment] REGEX = ^# DEST_KEY = queue FORMAT = nullQueue </PRE> Fri, 14 Oct 2011 19:11:40 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12421#M918 yannK 2011-10-14T19:11:40Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12422#M919 <P>FYI CHECK_FOR_HEADER is deprecated since 5.0.*<BR /> see <A href="http://docs.splunk.com/Documentation/Splunk/5.0.4/ReleaseNotes/DeprecatedFeatures" target="_blank">http://docs.splunk.com/Documentation/Splunk/5.0.4/ReleaseNotes/DeprecatedFeatures</A></P> Mon, 28 Sep 2020 14:40:02 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12422#M919 yannK 2020-09-28T14:40:02Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12423#M920 <P>It is an IIS log. IIS. Windows IIS. This is about as common as logs are. How about an out of the box solution? Just sayin.</P> Wed, 28 Aug 2013 00:10:29 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12423#M920 lukejadamec 2013-08-28T00:10:29Z https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12424#M921 <P>In Splunk 6, you can also use INDEXED_EXTRACTIONS=W3C which auto-extracts the fields from the headers at index-time.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime">http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime</A></P> Thu, 13 Feb 2014 16:33:44 GMT https://community.splunk.com/t5/Getting-Data-In/IIS-and-Exchange-Log-Header-Extraction/m-p/12424#M921 ogdin 2014-02-13T16:33:44Z