
IIS Logs - Do I need to copy the Splunk_TA_microsoft-iis folder to the server with the IIS logs?

JohnC67
Engager

Hi,

I am trying to set up IIS logs forwarded to Splunk Enterprise. I am a bit confused as I am new to Splunk, but I have installed the IIS add-on to Splunk.

Do I need to copy the Splunk_TA_microsoft-iis folder to the server with the IIS logs? Or do I just configure the inputs.conf under the forwarder?


gcusello
SplunkTrust

Hi @JohnC67,

I think that you should study just a little how Splunk works, especially "Getting data in"; you can find some useful videos on YouTube, and all the info you need in the Splunk docs:

https://www.splunk.com/en_us/training/videos/getting-data-in-to-splunk-enterprise-windows.html

https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/WhatSplunkcanmonitor

https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Splunk/8.0.6/AddMSWinsingle/Introduction

In a few words:

If you have a distributed architecture with one or more Splunk servers and one or more targets to monitor, you have to:

  • untar the TA_Windows_IIS,
  • copy it to the $SPLUNK_HOME\etc\apps folder on both the target server and the Splunk servers,
  • restart Splunk on the updated systems.

This operation can be done in three ways:

I think that you already configured your target server to send data to Splunk; otherwise you have to do this before.

Ciao.

Giuseppe
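
Added example (not part of the original answer and not the add-on's shipped configuration): a monitor stanza of the kind the question refers to, placed in the add-on's `local` folder on the IIS server's universal forwarder. The log path assumes IIS's default log directory and the index name `iis` is hypothetical.

```ini
# Constructed example. File location on the IIS server (universal forwarder):
#   $SPLUNK_HOME\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf
# Assumptions: IIS writes to its default log directory, and an index
# named "iis" (hypothetical) already exists on the indexers.

[monitor://C:\inetpub\logs\LogFiles]
disabled = 0

# Sourcetype provided by the add-on for W3C logs. It relies on
# structured-data (index-time) extraction, which is performed on the
# universal forwarder itself, so the add-on's props.conf has to be
# present on this host and not only on the Splunk servers.
sourcetype = ms:iis:auto

index = iis

# Only read IIS log files; ignore anything else placed in the tree.
whitelist = \.log$

# Skip files last modified more than 7 days ago to avoid a large backfill.
ignoreOlderThan = 7d
```

The monitored path has to exist on the host where the forwarder runs, and the forwarder needs a restart after the file is saved.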


sonishar
Explorer

Hi,

It is not a new question. It is with reference to the log ingestion of the IIS server. I have a universal forwarder installed on the IIS server and it is getting Windows logs.

Now I want to ingest IIS logs. I have downloaded https://splunkbase.splunk.com/app/3185 and installed it on the search head.

I was referencing https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Setupaddon

but it is showing invalid directory and I am stuck.


gcusello
SplunkTrust

Hi @sonishar,

The topic is the same, but this is a new question; in fact the first question was answered!

If you add a new question to an answered one, even if on the same topic, you run a high risk that no one will answer your question, because all of us usually answer only open questions; for this reason I hinted that you open a new question even if it has the same topic as the other one.

Anyway, as you can read at https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Install, you have to install this TA on the Search Heads for the search-time parsing activities, but also on Indexers (for the indexes) and Heavy Forwarders (if present), and especially on the Universal Forwarders where the logs are written.

Probably this is the reason for the invalid directory, because the TA doesn't find the IIS folder.

Ciao.

Giuseppe

sonishar
Explorer

Thank you so much @gcusello

I understood, I will be raising a new request.


JohnC67
Engager

Hi,

Thanks for the information, I was able to get the IIS logs into Splunk using the monitor option.

Regards

John


sonishar
Explorer

Hi,

Please confirm if you deployed the IIS add-on (https://splunkbase.splunk.com/app/3185) on both the IIS and Splunk servers (Search Head and Deployment server).


gcusello
SplunkTrust

Hi @sonishar,

Could you better describe your question?

If it's a new question, please open a new one and do not attach it to another closed question.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @JohnC67,

Good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
