Hi,
I am trying to set up IIS logs forwarded to Splunk Enterprise. I am a bit confused as I am new to Splunk, but I have installed the IIS add-on to Splunk.
Do I need to copy the Splunk_TA_microsoft-iis folder to the server with the IIS logs, or do I just configure the inputs.conf under the forwarder?
Hi @JohnC67,
I think that you should study just a little how Splunk works, especially "Getting data in"; you can find some useful videos on YouTube and all the info you need in the Splunk docs:
https://www.splunk.com/en_us/training/videos/getting-data-in-to-splunk-enterprise-windows.html
https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/WhatSplunkcanmonitor
https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Aboutforwardingandreceivingdata
https://docs.splunk.com/Documentation/Splunk/8.0.6/AddMSWinsingle/Introduction
In a few words:
If you have a distributed architecture with one or more Splunk servers and one or more targets to monitor, you have to:
This operation can be done in three ways:
I think that you already configured your target server to send data to Splunk; otherwise you have to do this before.
Ciao.
Giuseppe
Hi,
It is not a new question. It is with reference to the log ingestion of the IIS server. I have a universal forwarder installed on the IIS server and it is getting Windows logs.
Now I want to ingest IIS logs. I have downloaded https://splunkbase.splunk.com/app/3185 and installed it on the search head.
I was referencing https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Setupaddon
but it is showing invalid directory and I am stuck.
Hi @sonishar,
the topic is the same, but this is a new question; in fact, the first question was answered!
If you add a new question to an answered one, even with the same topic, you run a high risk that no one will answer your question, because all of us usually answer only open questions; for this reason I hinted to open a new question even if with the same topic as the other one.
Anyway, as you can read at https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Install, you have to install this TA on the Search Heads for the search time parsing activities, but also on Indexers (for the indexes) and Heavy Forwarders (if present) and especially on the Universal Forwarders where the logs are written.
Probably this is the reason for the invalid directory, because the TA doesn't find the IIS folder.
Ciao.
Giuseppe
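An added example, not part of the original thread: a monitor stanza of the kind the reply above implies, placed on the universal forwarder where IIS writes its logs. The log path is the IIS default and the index name `iis` is an assumption; `ms:iis:auto` is one of the add-on's sourcetypes.

```ini
# Constructed example. File location on the IIS server (universal forwarder):
#   $SPLUNK_HOME\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf
# The path below is the IIS default log root; use the directory your sites write to.
[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
# Sourcetype provided by the add-on for W3C logs with index-time field extraction.
# This relies on the add-on's props.conf being present on this forwarder.
sourcetype = ms:iis:auto
# Hypothetical index name; it must already exist on the indexers.
index = iis
```

Restart the forwarder after editing the file so the new input is read.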
Thank you so much @gcusello
I understood, will be raising a new request.
Hi,
Thanks for the information, I was able to get the IIS logs into Splunk using the monitor option.
Regards
John
Hi,
Please confirm if you deployed the IIS Add-on: https://splunkbase.splunk.com/app/3185 on both IIS and Splunk servers (Search Head and Deployment server).
Hi @sonishar,
could you better describe your question?
If it's a new question, please open a new one and do not attach it to another closed question.
Ciao.
Giuseppe