
What are the benefits of Splunk Add-on for Microsoft IIS?

dmcelroy
Explorer

Hi

I am new to Splunk and looking to use it for analytics in place of Matomo. I have it gathering my logs and I can query them. However, I am trying to understand what benefits I would get from this add-on? Does it enrich the data or provide prebuilt queries/dashboards?

Thanks

0 Karma

dmcelroy
Explorer

Hi, thanks for the info. I have been querying the logs we are getting from IIS without this add-on and it seems to be working ok. I can search/filter on the various parts of IIS logs already (cs_username, time_taken, cs_uri_stem etc.) so I still don't really understand what I may be missing out on, plus I will need to ask our admin to make use of this and they will ask why.

0 Karma

isoutamo
SplunkTrust

Hi

You can collect those logs just by using inputs.conf with the correct definition. But in this case (TA IIS) the biggest benefit is that when you install this also on the SH layer, you will get CIM compliance integration. Also you could choose the field names based on your IIS version and probably get some additional extractions.

Also there is some data cleaning of unneeded strings (like comments) before indexing (saves license).

See: https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About

As @richgalloway said, some other TAs are mandatory for getting data in, some help and some are just nice to have. Personally I prefer to install these even in nice-to-have cases.

r. Ismo

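As an added illustration (not the add-on's code and not something posted in this thread) of what CIM-compliant extractions and comment stripping amount to, the Python below parses constructed IIS W3C log lines, drops the `#` directive lines, and aliases raw column names to CIM Web field names; the alias table is an assumption about the kind of mapping the TA supplies, not a copy of its props.conf.

```python
# Added example, not code from the Splunk add-on or this thread: parse IIS
# W3C lines and alias raw columns to CIM Web data-model field names.

# Constructed sample in default IIS W3C layout (directives + two hits).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2024-05-01 00:00:02 10.0.0.5 POST /login - 443 alice 198.51.100.7 Mozilla/5.0 https://example.test/ 401 2 5 120
"""

# Assumed alias table (raw IIS column -> CIM Web field). The CIM names are
# real data-model fields; the add-on's own aliases live in its props.conf.
CIM_ALIASES = {
    "c-ip": "src", "s-ip": "dest", "cs-method": "http_method",
    "cs-uri-stem": "uri_path", "cs-uri-query": "uri_query",
    "cs-username": "user", "cs(User-Agent)": "http_user_agent",
    "cs(Referer)": "http_referrer", "sc-status": "status",
    "time-taken": "response_time",
}
INT_FIELDS = {"status", "response_time", "sc-substatus", "sc-win32-status", "s-port"}

def parse_iis_w3c(text):
    """Return one dict per request. Directive lines (#...) are dropped, which is
    the pre-index cleanup the thread mentions; #Fields only fixes column order."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        # IIS writes '-' for an empty value; represent that as None.
        event = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        for iis_name, cim_name in CIM_ALIASES.items():
            if iis_name in event:
                event[cim_name] = event[iis_name]
        for name in INT_FIELDS:
            if event.get(name) is not None:
                event[name] = int(event[name])
        events.append(event)
    return events
```

Searching the result by `src`, `user` or `status` is the same experience regardless of which IIS version or column set produced the log, which is the point of the CIM aliasing the TA adds on the search head.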

dmcelroy
Explorer

Thanks. I will approach the team responsible and see if they can add this

0 Karma

richgalloway
SplunkTrust

In the Splunk world, an "add-on" is an extension that helps bring data into Splunk. Sometimes, the add-on will use an API to actively retrieve data, but more often it provides configurations that help Splunk to interpret the data that arrives from a source.

In the case of this add-on, it is expected to be installed with a Splunk Universal Forwarder (UF) on the system on which IIS is running. The add-on tells the UF to read the IIS logs and forward them to Splunk. Install the add-on to your indexer(s) and search head(s) so they know how to extract fields from the logs.

---
If this reply helps you, Karma would be appreciated.