IIS Logs

JohnC67
Engager

Hi,

I am trying to set up IIS logs forwarded to Splunk Enterprise. I am a bit confused, as I am new to Splunk, but I have installed the IIS add-on in Splunk.

Do I need to copy the Splunk_TA_microsoft-iis folder to the server with the IIS logs, or do I just configure the inputs.conf under the forwarder?

0 Karma
1 Solution

gcusello
Legend

Hi @JohnC67,

I think that you should study a little how Splunk works, especially "Getting data in"; you can find some useful videos on YouTube and all the information you need in the Splunk docs:

https://www.splunk.com/en_us/training/videos/getting-data-in-to-splunk-enterprise-windows.html

https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/WhatSplunkcanmonitor

https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Splunk/8.0.6/AddMSWinsingle/Introduction

In a few words:

If you have a distributed architecture with one or more Splunk servers and one or more targets to monitor, you have to:

  • untar the TA_Windows_IIS,
  • copy it on the $SPLUNK_HOME\etc\apps folder on both the target server and Splunk servers,
  • restart Splunk on the updated systems.

This operation can be done in three ways:

I think that you have already configured your target server to send data to Splunk; otherwise you have to do this beforehand.

Ciao.

Giuseppe

JohnC67
Engager

Hi,

Thanks for the information, I was able to get the IIS logs into Splunk using the monitor option.

Regards

John

0 Karma
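
The monitor approach mentioned in the reply above, sketched as forwarder-side configuration. This is an added example, not configuration posted by anyone in the thread; the log directory, index name, output group name and indexer address are assumptions to replace with your own values.

```ini
# ---- File 1 (on the IIS server / forwarder) ----
# %SPLUNK_HOME%\etc\apps\Splunk_TA_microsoft-iis\local\inputs.conf
# Put overrides in the add-on's local\ folder so an add-on upgrade
# does not overwrite them.

# Assumed path: the default IIS log directory. Subfolders such as
# W3SVC1 are picked up because monitor inputs recurse by default.
[monitor://C:\inetpub\logs\LogFiles]
# Sourcetype defined by the Splunk Add-on for Microsoft IIS for
# W3C-format logs; the add-on must also be installed on the Splunk
# servers so the field extractions apply there.
sourcetype = ms:iis:auto
# Assumed index name; it must already exist on the indexer.
index = iis
# Only read IIS log files, not other files in the directory.
whitelist = \.log$
disabled = 0

# ---- File 2 (on the same forwarder) ----
# %SPLUNK_HOME%\etc\system\local\outputs.conf
# Needed only if the forwarder is not yet sending data to Splunk.

[tcpout]
defaultGroup = primary_indexers

# Assumed group name and indexer address; 9997 is the conventional
# receiving port and must be enabled on the indexer.
[tcpout:primary_indexers]
server = splunk-indexer.example.com:9997
```

Restart the forwarder after editing either file so the new stanzas are read.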

gcusello
Legend

Hi @JohnC67,

Good for you!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉