Getting Data In

How to filter IIS logs on Universal Forwarder

saeidsaeidsaeid
Engager

Dear all,

I'd like to filter IIS logs and forward only .aspx requests to Splunk.
I tried something like this:

[monitor://C:\inetpub\logs\LogFiles\*\*.log]
 _TCP_ROUTING = default-autolb-group
 disabled = 0
 sourcetype=iis
 whitelist = (\.aspx\s)

But the "whitelist" doesn't work and forwards all log lines to Splunk.
Could any one help me please?

Thanks for your attention.

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Hi @saeidsaeidsaeid

The whilelist in inputs.conf is only for filtering based on filename. You will need to use this method to discard the non-asp events:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad#Keep_specific_even...

Since the [iis] sourcetype uses index extractions, you should setup this props on the UF.

All the best.

View solution in original post

woodcock
Esteemed Legend

I agree with what @chrisyoungerjds said. Also, you should be able to do the filtering that you need inside IIS because it has extensive logging configuration features. In fact, that is why INDEXED_EXTRACTIONS was created (which is definitely the way that you should handle IIS) because your IIS admin could change the names/orders of the fields at any time. The whole explanation on your options can be found here:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

chrisyounger
SplunkTrust
SplunkTrust

Hi @saeidsaeidsaeid

The whilelist in inputs.conf is only for filtering based on filename. You will need to use this method to discard the non-asp events:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad#Keep_specific_even...

Since the [iis] sourcetype uses index extractions, you should setup this props on the UF.

All the best.

View solution in original post