I want to forward my IIS logs to Splunk using the Splunk Add-On for Microsoft IIS. I have installed the Add-on on both my Splunk instances and on the Universal Forwarder on the Web Server. I am a bit confused in regard to Inputs.conf and Outputs.conf on the Universal Forwarder and the Add-On.
For the Add-On, I have an Inputs.conf (and outputs.conf) file here: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local
[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
And, of course, I have the Splunk inputs.conf file - which I needed to create, even though I had specified inputs in the Advanced section of the install file - C:\Program Files\SplunkUniversalForwarder\etc\system\local
Now, I have created an index called 'uat' since this is for our UAT servers. So, in the Splunk Universal Forwarder inputs.conf file, I have this:
[default]
host = INS-B2C01-UAT
index = uat
Of course, I have already configured that, running on 9997. I have read through various Splunk doc sources far and wide, but I need some guidance on setting the sources I want to forward. Has anyone set up the Universal Forwarder with the Microsoft IIS Add-on? If so, a sample of those inputs.conf files would be great. Thanks.
Hi,
For outputs.conf, you need to write the details of where the UF will be forwarding the logs. It depends on your architecture.
You can forward those logs to a HF, then the HF will send those to the Indexers.
Here is the help for outputs.conf:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Outputsconf
For the inputs.conf, you can use these in the app/local folder.
If you are still not getting the logs, please refresh the monitoring folder and check file permissions.
[monitor://LOGPATH]
sourcetype=ms:iis:auto
index=index name
ignoreOlderThan=d
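As an added illustration (not code from this thread or from the Splunk IIS add-on), here is a small Python script that parses a UF-style inputs.conf, applies the [default] stanza inheritance used in the configs above, and flags the template values from the stanza in this answer (LOGPATH, "index name", "d") that still need to be filled in before the forwarder will pick anything up. The sample config text is constructed from the stanzas in this thread; the placeholder list and the ignoreOlderThan format check are the script's own assumptions.

```python
import configparser
import re

# Constructed sample in the layout discussed in the thread: a [default] stanza supplying
# host/index, plus monitor stanzas like those placed under Splunk_TA_microsoft-iis/local.
SAMPLE_INPUTS_CONF = r"""
[default]
host = INS-B2C01-UAT
index = uat

[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto

[monitor://LOGPATH]
sourcetype=ms:iis:auto
index=index name
ignoreOlderThan=d
"""
# Assumed placeholder values copied from the template stanza; replace them before deploying.
PLACEHOLDER_VALUES = {"LOGPATH", "index name", "<index name>", "d"}


def parse_inputs_conf(text):
    """Return {stanza: settings} with [default] keys merged into every other stanza."""
    cp = configparser.RawConfigParser(default_section="default", delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive (ignoreOlderThan); keep them
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_monitor_stanzas(inputs):
    """For each monitor:// stanza, report the effective index/sourcetype and obvious mistakes."""
    report = {}
    for stanza, settings in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        problems = []
        if path in PLACEHOLDER_VALUES:
            problems.append("path is a placeholder")
        for key in ("index", "sourcetype"):
            if key not in settings:
                problems.append(f"missing {key}")  # Splunk would fall back to its own defaults
            elif settings[key] in PLACEHOLDER_VALUES:
                problems.append(f"{key} is a placeholder")
        age = settings.get("ignoreOlderThan")
        if age is not None and not re.fullmatch(r"\d+[smhd]", age):  # e.g. 7d, 24h
            problems.append("ignoreOlderThan must be <number><s|m|h|d>, e.g. 7d")
        report[path] = {"index": settings.get("index"), "sourcetype": settings.get("sourcetype"), "problems": problems}
    return report
```

Run it against the real file under etc\apps\Splunk_TA_microsoft-iis\local to see which index each monitored path actually lands in once the [default] stanza is applied.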
This turned out to be an odd one for me and I am still scratching my head.
I initially installed the Universal Forwarder without selecting anything to forward from the Windows GUI for 'Advanced Options' ... thinking that I could just do a 'clean' install and edit the inputs.conf file - since I had already entered the Splunk Server receiver details in the GUI.
Anyway, this approach did not work. Yes, I stopped the service. Yes, I made the same changes to inputs.conf ... but it didn't work. So I uninstalled the Universal Forwarder and re-installed, but that time I did put in the directory of the logs I wanted to monitor. I went back and made the changes for the ms:iis:auto sourcetype in inputs.conf and restarted. That worked. So I am left with the sinking feeling that, on Windows at least, Splunk is doing something under the hood that is not in the config files. I find that kind of troubling.
Thanks again for the responses.
I'm looking at what we did last year - thank you @kmower for that ;-)
I see the following -
cat /opt/splunk/etc/deployment-apps/Splunk_TA_microsoft-iis_forwarder/local/inputs.conf
[default]
index=<index name>
[monitor://L:\Logs\IIS\W3SVC1\*.log]
disabled = false
sourcetype = ms:iis:auto
[monitor://L:\Logs\IIS\W3SVC2\*.log]
disabled = false
sourcetype = ms:iis:auto
hi @kmower
Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!