We are trying to take IIS logs in ITSI but cannot enable advanced logging. Is there an option where we can store advanced logging in a different location and take data from that location? Is it possible to store data twice using configuration in IIS Manager?
We are using the Splunk Add-on for Microsoft IIS.
Referred to the link below, but cannot enable all mentioned logs because those logs are also used by other applications.
http://docs.splunk.com/Documentation/ITSI/3.1.2/IModules/WebServerModuleconfigurations
I would read more about the Splunk Add-on for Microsoft IIS.
https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About
Verify where your IIS logs are writing to:
Standard logs default directory: %SystemDrive%\inetpub\logs\LogFiles
Advanced logs default directory: %SystemDrive%\inetpub\logs\AdvancedLogs
You should be able to configure your inputs.conf to accept both standard logs and advanced
Example inputs.conf:
[monitor://C:\inetpub\logs\AdvancedLogs]
disabled = false
sourcetype = ms:iis:auto
[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
They also mention this article to enable Advanced Logging on your IIS server
Hi jdhunter,
Thank you for your answers but have already checked this link and it didn't help.
Is your issue getting advanced IIS logs into Splunk? Or do you need to send them to two locations?
We want to store advanced-logging-enabled data in another location, so we can take data into Splunk from this location.
Have you looked at Route and Filtering techniques?
http://docs.splunk.com/Documentation/Splunk/7.1.2/Forwarding/Routeandfilterdatad