Re: How to configure inputs.conf to forward PingFe...

snehal8 · ‎02-23-2015

Hello Everyone,

I need to forward IIS logs from one of my hosts, so wrote inputs.conf in deployment server and deployed it to the host.

The normal IIS logs were forwarded, but the PingFederate IIS logs were not.

So i tried with this two thinks

[WinEventLog://Application]
disabled = 0 

[WinEventLog://Security]
disabled = 0 

[WinEventLog://System]
disabled = 0 

[WinEventLog://d:\PingFederate\PingIISAgent.evtx] 
disabled = 0

Here, all logs come in except d:\PingFederate\PingIISAgent.evtx so I tried adding monitor instead of WinEventLog, but I received data that wasn't human readable.

Please can anyone help me on this? Where am I going wrong?

Thanks

mcronkrite · ‎03-07-2015

Is the file d:\PingFederate\PingIISAgent.evtx readable if you edit it?
If not then it is in proprietary format.

Sounds like you are trying to read events? You probably need to enable logging from the PING system. You may want to enable logging such as :
Administrator Audit Logging
Runtime Transaction Logging
Security Audit Logging
Server Logging
Which is documented here on Ping's website.
http://documentation.pingidentity.com/display/PF610/Managing+Log+Files

The logs are stored by default in the /pingfederate/log directory and end in *.log not evtx.

satishsdange · ‎02-23-2015

could you please provide sample logs of PingIISAgent.evtx

How to configure inputs.conf to forward PingFederate (.evtx) IIS logs in Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation