Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IIS Logs and Universal Forwarder?

singhg
Explorer
‎04-19-2012 12:35 PM

Hi,

I am trying to forward IIS logs from one of the server that has forwarder installed. I have below config settings. I don't see any IIS logs on my splunk server.

Inputs.conf
[monitor://c:\inetpub\logs\LogFiles]
ignoreOlderThan = 14d
host =

What Am I missing?

Tags (2)
Reply

mahsaalaeifar
Explorer
‎11-28-2018 09:33 PM

if you have deployment server and want to collect logs from web server through Universal Forwarder, the following may help you

  1. install "Splunk app for web analytics" on SH
  2. Install "splunk add-on for microsioft iis" on SH
  3. Install "splunk add-on for microsioft iis" on IDX
  4. Install UF on the web server
  5. Copy the app “Splunk_TA_microsoft-iis” from $splunk home/etc/apps to “Splunk_TA_microsoft-iis” in $splunk home/etc/deploymentapps
  6. Create inputs.conf in /$splunk home/etc/deploymentapps /Splunk_TA_microsoft-iis/local

monitor://C:\IIS-LOG-Files\W3SVC*.*
disabled = false
sourcetype =iis
index=my-index

  1. Create props.conf in $splunk home/etc/deploymentapps/Splunk_TA_microsoft-iis/local

[iis]
INDEXED_EXTRACTIONS = w3c

make sure you have created output.conf in local directory to send logs to indexer
example of outputs.conf :

[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexer_IP:9997
autoLB = true

  1. Create server class my-serverclass on DS(Deployment server)
  2. Add the Splunk_TA_microsoft-iis to My-serverclass as the app
  3. Create the index My index on IDX
  4. Add the web server as client to My-server-class
  5. Check the web server c:/programfile/splunkuniversalforwarder/ec/app to assure the app Splunk_TA_microsoft-iis is pulled
  6. Restart the splunkuniversalforwarder service on web server
  7. Search for sourcetype iis and index My-index on SH
0 Karma
Reply

paul_1994
Path Finder
‎09-28-2012 03:11 PM

Everything looks correct to me as far as my setup goes.

where are you editing the inputs.conf file? is it in etc\system\local or some app?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-28-2012 10:26 AM

on the forwarder, define an input in a inputs.conf

[monitor://c:\myiisfolder\]
disabled = false
followTail = 0
sourcetype=iis

make sure that the forwarder has outputs.conf configured.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...