Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

IIS Logs and Universal Forwarder?

singhg
Explorer
‎04-19-2012 12:35 PM

Hi,

I am trying to forward IIS logs from one of the server that has forwarder installed. I have below config settings. I don't see any IIS logs on my splunk server.

Inputs.conf
[monitor://c:\inetpub\logs\LogFiles]
ignoreOlderThan = 14d
host =

What Am I missing?

Tags (2)
Reply

mahsaalaeifar
Explorer
‎11-28-2018 09:33 PM

if you have deployment server and want to collect logs from web server through Universal Forwarder, the following may help you

  1. install "Splunk app for web analytics" on SH
  2. Install "splunk add-on for microsioft iis" on SH
  3. Install "splunk add-on for microsioft iis" on IDX
  4. Install UF on the web server
  5. Copy the app “Splunk_TA_microsoft-iis” from $splunk home/etc/apps to “Splunk_TA_microsoft-iis” in $splunk home/etc/deploymentapps
  6. Create inputs.conf in /$splunk home/etc/deploymentapps /Splunk_TA_microsoft-iis/local

monitor://C:\IIS-LOG-Files\W3SVC*.*
disabled = false
sourcetype =iis
index=my-index

  1. Create props.conf in $splunk home/etc/deploymentapps/Splunk_TA_microsoft-iis/local

[iis]
INDEXED_EXTRACTIONS = w3c

make sure you have created output.conf in local directory to send logs to indexer
example of outputs.conf :

[tcpout]
defaultGroup = indexer

[tcpout:indexer]
server = indexer_IP:9997
autoLB = true

  1. Create server class my-serverclass on DS(Deployment server)
  2. Add the Splunk_TA_microsoft-iis to My-serverclass as the app
  3. Create the index My index on IDX
  4. Add the web server as client to My-server-class
  5. Check the web server c:/programfile/splunkuniversalforwarder/ec/app to assure the app Splunk_TA_microsoft-iis is pulled
  6. Restart the splunkuniversalforwarder service on web server
  7. Search for sourcetype iis and index My-index on SH
0 Karma
Reply

paul_1994
Path Finder
‎09-28-2012 03:11 PM

Everything looks correct to me as far as my setup goes.

where are you editing the inputs.conf file? is it in etc\system\local or some app?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-28-2012 10:26 AM

on the forwarder, define an input in a inputs.conf

[monitor://c:\myiisfolder\]
disabled = false
followTail = 0
sourcetype=iis

make sure that the forwarder has outputs.conf configured.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...