- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- App for generating inputs.conf for IIS
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
App for generating inputs.conf for IIS
The Splunk Add-on for Microsoft IIS still requires the administrator to manually create an inputs.conf file on each IIS host, customized with the paths of all Log directories. For large, diverse environments, this can be time consuming.
The following app can be deployed to your Windows servers, alongside the IIS add-on. On first-run it will automatically populate its inputs.conf with monitor stanzas. Each monitor will correspond to one IIS website's log folder.
├── bin
│ ├── generate_inputs.cmd
│ ├── generate_inputs.ps1
│ └── restart_splunk.cmd
├── default
│ └── app.conf
└── local
├── app.conf
└── inputs.conf
bin/generate_inputs.cmd
REM store path of this bin folder
set "BINPATH=%~dp0"
REM set "SPLUNK_HOME=C:\Program Files\SplunkUniversalForwarder"
Powershell -ExecutionPolicy ByPass -File "%BINPATH%generate_inputs.ps1" -splunkHome "%SPLUNK_HOME%"
bin/generate_inputs.ps1
# generate inputs.conf for IIS
Import-Module WebAdministration
$INPUTSCONF = "$PSScriptRoot\..\local\inputs.conf"
# only if IIS websites exist and inputs.conf contains no monitors
If ((Get-Website) -And (-Not (Select-String -Pattern "^\[monitor" -Path "$INPUTSCONF" -quiet))) {
foreach($WebSite in $(get-website)) {
$logFile="$($Website.logFile.directory)\W3SVC$($website.id)".replace("%SystemDrive%",$env:SystemDrive)
Add-Content -Path "$INPUTSCONF" -Value ""
Add-Content -Path "$INPUTSCONF" -Value "# $($website.name)"
Add-Content -Path "$INPUTSCONF" -Value "[monitor://$logfile]"
Add-Content -Path "$INPUTSCONF" -Value "disabled = false"
Add-Content -Path "$INPUTSCONF" -Value "ignoreOlderThan = 14d"
Add-Content -Path "$INPUTSCONF" -Value "sourcetype = ms:iis:auto"
Add-Content -Path "$INPUTSCONF" -Value "index = default"
}
# restart splunk if inputs.conf now contains monitors
if (Select-String -Pattern "^\[monitor" -Path "$INPUTSCONF" -quiet) {
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "$PSScriptRoot\restart_splunk.cmd"
}
}
bin/restart_splunk.cmd
@echo off
timeout /t 5
rem "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" restart
sc stop SplunkForwarder
sc start SplunkForwarder
exit
local/inputs.conf
[script://.\bin\generate_inputs.cmd]
disabled = False
index = _internal
interval = -1
# autogenerated monitors will be written below this line
Limitations: the script will not change inputs.conf once it has been written out. It would need to be undeployed/redeployed to catch up to any IIS configuration changes. It also will not resolve environment variables in the paths other than systemdrive (which would be unusual, but could happen). It's also possible for a Windows foldername to contain a bracket "]" character which might crash the [monitor://] stanza. I haven't tested, and don't know if there's a method for escaping it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@satyenshah very cool post, but is there a question here?
if you created an app for the community to use, publish it on splunkbase:
https://splunkbase.splunk.com/
for guidlines on how to publish an app, read here:
https://docs.splunk.com/Documentation/Splunkbase/splunkbase/Splunkbase/Optionsforsubmittingcontent
and submit here:
https://splunkbase.splunk.com/new/
again, if it is not a question, kindly close it by accepting the answer
Preparing your Splunk Environment for OpenSSL3
Unleash Unified Security and Observability with Splunk Cloud Platform
Splunk AppDynamics with Cisco Secure Application
