Re: How to configure inputs.conf to forward PingFe...

snehal8 · ‎02-23-2015

Hello Everyone,

I need to forward IIS logs from one of my hosts, so wrote inputs.conf in deployment server and deployed it to the host.

The normal IIS logs were forwarded, but the PingFederate IIS logs were not.

So i tried with this two thinks

[WinEventLog://Application]
disabled = 0 

[WinEventLog://Security]
disabled = 0 

[WinEventLog://System]
disabled = 0 

[WinEventLog://d:\PingFederate\PingIISAgent.evtx] 
disabled = 0

Here, all logs come in except d:\PingFederate\PingIISAgent.evtx so I tried adding monitor instead of WinEventLog, but I received data that wasn't human readable.

Please can anyone help me on this? Where am I going wrong?

Thanks

mcronkrite · ‎03-07-2015

Is the file d:\PingFederate\PingIISAgent.evtx readable if you edit it?
If not then it is in proprietary format.

Sounds like you are trying to read events? You probably need to enable logging from the PING system. You may want to enable logging such as :
Administrator Audit Logging
Runtime Transaction Logging
Security Audit Logging
Server Logging
Which is documented here on Ping's website.
http://documentation.pingidentity.com/display/PF610/Managing+Log+Files

The logs are stored by default in the /pingfederate/log directory and end in *.log not evtx.

satishsdange · ‎02-23-2015

could you please provide sample logs of PingIISAgent.evtx

How to configure inputs.conf to forward PingFederate (.evtx) IIS logs in Splunk?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!