
Where do I configure the Splunk App for Microsoft Exchange to monitor "sourcetype= MSWindows:*:IIS"?

Splunk Employee

When running setup, I get this error:

WARNING:  Search "sourcetype="MSWindows:*:IIS" | head 5" did not return any events in the last 24 hours

Where do I configure the app to monitor that sourcetype data?

0 Karma

Re: Where do I configure the Splunk App for Microsoft Exchange to monitor "sourcetype= MSWindows:*:IIS"?

Splunk Employee

@jbarry One of the Add-Ons that needs to be deployed with the App for Exchange is "TA-Windows--Exchange-IIS". You'll find these Add-Ons in the appserver\addons folder of the App for Exchange package.

Inside the respective add-on for your OS, you'll find an inputs.conf file in the default folder. This conf file is configured to monitor the following path for IIS logs by default: "C:\WINDOWS\system32\LogFiles\W3SVC1\W3SVC1*.log"

If your IIS logs are in a different place, you can make a copy of this monitoring stanza, create a new inputs.conf file in the local folder of the app, and paste in the modified stanza here to overwrite the default settings.

0 Karma
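The following is an added example, not part of the original answer and not code from the add-on. It models how Splunk layers `local/inputs.conf` over `default/inputs.conf`: stanzas with the same name merge attribute by attribute, so a copied stanza with a new path is an additional monitor, and the default path stays enabled unless the same stanza name sets `disabled = 1` in local. Only the default path comes from the answer; the `D:\IISLogs` path, the `MSWindows:<version>:IIS` placeholder and the stanza attributes are constructed.

```python
import re

# Constructed sample files; only the C:\ path is taken from the answer above.
DEFAULT = r"""
[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1\W3SVC1*.log]
sourcetype = MSWindows:<version>:IIS
disabled = 0
"""
LOCAL_COPY_ONLY = r"""
[monitor://D:\IISLogs\W3SVC1\*.log]
sourcetype = MSWindows:<version>:IIS
"""
LOCAL_WITH_DISABLE = LOCAL_COPY_ONLY + r"""
[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1\W3SVC1*.log]
disabled = 1
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}} (simplified parser)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Layer local over default; same-named stanzas merge per attribute."""
    merged = {n: dict(a) for n, a in parse_conf(default_text).items()}
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def enabled_monitors(merged):
    """Return the monitored paths whose stanza is not disabled."""
    prefix = "monitor://"
    return sorted(name[len(prefix):] for name, attrs in merged.items()
                  if name.startswith(prefix)
                  and attrs.get("disabled", "0").lower() not in ("1", "true"))

if __name__ == "__main__":
    print(enabled_monitors(effective(DEFAULT, LOCAL_COPY_ONLY)))
    print(enabled_monitors(effective(DEFAULT, LOCAL_WITH_DISABLE)))
```

On a real forwarder, `splunk btool inputs list --debug` prints the merged stanzas together with the file each setting came from.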