Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

IIS Advance Logs Forwarding

jgodfrey_kumc
Engager
‎04-18-2013 10:52 AM

Mt question here is very similar to the question posted here: http://serverfault.com/questions/469383/iis-advanced-logging-forward-to-syslog.

I am looking for a method that would allow us to forward the IIS Advanced Logging logs to Splunk. We are able to forward regular IIS logs; however I am not sure how to make it work the same for IIS Advanced Logging.

The default file path is different for IIS Advanced Logging (%SystemDrive%\inetpub\logs\AdvancedLogs) and it appears that the file names are based upon the UTC time, see here, and not the local date and time that you can specify with regular logging. This also creates and issue for developing some type of wildcard rule.

Any ideas are welcome.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎04-18-2013 11:04 AM

I implemented this with a new sourcetype and input. I justified a new sourcetype because it is a different model than iis, and has different fields available.

inputs.conf on the IIS Server

[monitor://%SYSTEM_DRIVE%/inetpublogs/AdvancedLogs/*]
sourcetype=iis_advanced

props.conf on the INDERXER
[iis_advanced]
TZ = GMT

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎04-18-2013 11:04 AM

I implemented this with a new sourcetype and input. I justified a new sourcetype because it is a different model than iis, and has different fields available.

inputs.conf on the IIS Server

[monitor://%SYSTEM_DRIVE%/inetpublogs/AdvancedLogs/*]
sourcetype=iis_advanced

props.conf on the INDERXER
[iis_advanced]
TZ = GMT

Reply
Solved! Jump to solution

jgodfrey_kumc
Engager
‎04-18-2013 11:25 AM

No, I have not gotten it to work with a User Agent string. I would be interested in how to make that work if anyone else has any details.

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎04-18-2013 11:13 AM

nope, I just index everything in the folder and it displays just fine. Related to Advanced IIS, have you ever gotten the filter to work with a User Agent String?

0 Karma
Reply
Solved! Jump to solution

jgodfrey_kumc
Engager
‎04-18-2013 11:11 AM

Do you have any problems with it obtaining the current information since the log files are constantly changing names and to which file is being written to?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...