
Can you help me configure the Universal Forwarder with the Splunk Add-on for Microsoft IIS?

kmower
Communicator

I want to forward my IIS logs to Splunk using the Splunk Add-On for Microsoft IIS. I have installed the Add-on on both my Splunk instances and on the Universal Forwarder on the Web Server. I am a bit confused in regard to Inputs.conf and Outputs.conf on the Universal Forwarder and the Add-On.

For the Add-On, I have an Inputs.conf (and outputs.conf) file here: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local

[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto

And, of course, I have the Splunk inputs.conf file - which I needed to create, even though I had specified inputs in the Advanced section of the install file - in C:\Program Files\SplunkUniversalForwarder\etc\system\local

Now, I have created an index called 'uat' since this is for our UAT servers. So, in the Splunk Universal Forwarder inputs.conf file, I have this:

[default]
host = INS-B2C01-UAT
index = uat

Of course, I have configured that already, running on 9997. I have read through various Splunk doc sources far and wide, but I need some guidance on setting the sources I want to forward. Has anyone set up the Universal Forwarder with the Microsoft IIS Add-on? If so, a sample of those inputs.conf files would be great. Thanks.


iamarkaprabha
Contributor

Hi,
For outputs.conf, you need to write the details of where the UF will be forwarding the logs. It depends on your architecture.
You can forward those logs to a HF, then the HF will send those to the Indexers.
Here is the help for outputs.conf:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Outputsconf
For inputs.conf, you can use these in the app/local folder.
If you are still not getting the logs, please refresh the monitoring folder and check the file permissions.

[monitor://LOGPATH]
sourcetype=ms:iis:auto
index=index name
ignoreOlderThan=d


kmower
Communicator

This turned out to be an odd one for me and I am still scratching my head.

I initially installed the Universal Forwarder without selecting anything to forward from the Windows GUI for 'Advanced Options' ... thinking that I could just do a 'clean' install and edit the inputs.conf file - since I had already entered the Splunk Server receiver details in the GUI.

Anyway, this approach did not work. Yes, I stopped the service. Yes, I made the same changes to inputs.conf ... but it didn't work. So I uninstalled the Universal Forwarder and re-installed, but that time I did put in the directory of the logs I wanted to monitor. I went back and made the changes for the ms:iis:auto sourcetype in inputs.conf and restarted. That worked. So I am left with the sinking feeling that, on Windows at least, Splunk is doing something under the hood that is not in the config files. I find that kind of troubling.

Thanks again for the responses.


ddrillic
Ultra Champion

I'm looking at what we did last year - thank you @kmower for that ;-)

I see the following -

cat /opt/splunk/etc/deployment-apps/Splunk_TA_microsoft-iis_forwarder/local/inputs.conf

[default]
index=<index name>

[monitor://L:\Logs\IIS\W3SVC1\*.log]
disabled = false
sourcetype = ms:iis:auto

[monitor://L:\Logs\IIS\W3SVC2\*.log]
disabled = false
sourcetype = ms:iis:auto
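The accepted answer's [monitor://LOGPATH] template and ddrillic's deployment-app inputs.conf above both rely on the same two things: every monitor:// stanza must end up with sourcetype ms:iis:auto, and the index comes either from the stanza itself or from [default] in the same file. The following is an added example (not code from this thread, from the add-on, or from Splunk) that parses a single inputs.conf, applies that in-file [default] inheritance, and reports what each IIS monitor stanza will actually use, flagging template placeholders that were never filled in. The sample file is constructed; the fallback index name "main" and the index-name pattern are assumptions made here, and the script deliberately does not model precedence across system/local and app/local (see the usage note).

```python
"""Sanity-check a Universal Forwarder inputs.conf for the Microsoft IIS add-on.

Added example, not code from the thread or from the add-on. It reads the
stanza / key = value layout of a single Splunk .conf file, applies [default]
inheritance within that file, and reports the index and sourcetype each
monitor:// stanza will actually use, flagging template placeholders that
were never filled in. It does not model cross-file precedence.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the layouts posted in this thread: a
# [default] index, one stanza per IIS site log directory, and the answer's
# template stanza left with its placeholders in place.
SAMPLE_INPUTS_CONF = r"""
# Splunk_TA_microsoft-iis/local/inputs.conf (constructed sample)
[default]
index = uat

[monitor://L:\Logs\IIS\W3SVC1\*.log]
disabled = false
sourcetype = ms:iis:auto

[monitor://L:\Logs\IIS\W3SVC2\*.log]
disabled = false
sourcetype = ms:iis:auto
index = web_prod

[monitor://LOGPATH]
sourcetype = ms:iis:auto
index = index name
ignoreOlderThan = d
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")
# Splunk index names: lowercase letters, digits, '_' and '-', not starting with '_' or '-'.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]*")
Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse .conf text into {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas: Conf = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # setting outside any stanza, or a malformed line
        key, value = line.split("=", 1)  # only the first '=' separates key from value
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective(conf: Conf, stanza: str, key: str, fallback: Optional[str] = None) -> Optional[str]:
    """Value the stanza uses for key: its own setting, else [default]'s, else fallback."""
    if key in conf.get(stanza, {}):
        return conf[stanza][key]
    return conf.get("default", {}).get(key, fallback)


def check_iis_inputs(text: str) -> List[Tuple[str, Optional[str], Optional[str], List[str]]]:
    """Return (path, index, sourcetype, problems) for every monitor:// stanza."""
    conf = parse_conf(text)
    report = []
    for stanza in conf:
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        # Assumption: events with no index setting land in the indexer's default index, main.
        index = effective(conf, stanza, "index", "main")
        sourcetype = effective(conf, stanza, "sourcetype")
        problems: List[str] = []
        if path.upper() == "LOGPATH":
            problems.append("placeholder path LOGPATH was never replaced")
        if index is None or not INDEX_NAME_RE.fullmatch(index):
            problems.append(f"index {index!r} is not a valid index name (placeholder?)")
        if sourcetype != "ms:iis:auto":
            problems.append(f"sourcetype {sourcetype!r} is not ms:iis:auto")
        older = effective(conf, stanza, "ignoreOlderThan")
        if older is not None and not re.fullmatch(r"\d+[smhd]", older):
            problems.append(f"ignoreOlderThan {older!r} needs a number and unit, e.g. 30d")
        if (effective(conf, stanza, "disabled", "false") or "").lower() not in ("false", "0"):
            problems.append("stanza is disabled")
        report.append((path, index, sourcetype, problems))
    return report


if __name__ == "__main__":
    for path, index, sourcetype, problems in check_iis_inputs(SAMPLE_INPUTS_CONF):
        status = "OK" if not problems else "; ".join(problems)
        print(f"{path}: index={index} sourcetype={sourcetype} -> {status}")
```

Point parse_conf at the real file under etc\apps\Splunk_TA_microsoft-iis\local to check a forwarder before restarting it. The one thing this script cannot tell you is which of several files wins when system\local and app\local both set the same key; for that, the authoritative view on the forwarder itself is `splunk btool inputs list --debug` from the SplunkUniversalForwarder\bin directory, which prints every effective setting with the file it came from.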

mstjohn_splunk
Splunk Employee

Hi @kmower,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

