Mt question here is very similar to the question posted here: http://serverfault.com/questions/469383/iis-advanced-logging-forward-to-syslog.
I am looking for a method that would allow us to forward the IIS Advanced Logging logs to Splunk. We are able to forward regular IIS logs; however I am not sure how to make it work the same for IIS Advanced Logging.
The default file path is different for IIS Advanced Logging (%SystemDrive%\inetpub\logs\AdvancedLogs) and it appears that the file names are based upon the UTC time, see here, and not the local date and time that you can specify with regular logging. This also creates and issue for developing some type of wildcard rule.
Any ideas are welcome.
I implemented this with a new sourcetype and input. I justified a new sourcetype because it is a different model than iis, and has different fields available.
inputs.conf on the IIS Server
props.conf on the INDERXER
TZ = GMT
Do you have any problems with it obtaining the current information since the log files are constantly changing names and to which file is being written to?
nope, I just index everything in the folder and it displays just fine. Related to Advanced IIS, have you ever gotten the filter to work with a User Agent String?
No, I have not gotten it to work with a User Agent string. I would be interested in how to make that work if anyone else has any details.