I am trying to configure Splunk to index IIS failed requests. My priority is
My current config:
props.conf:
[iisfailedrequests]
TIME_FORMAT=%Y-%m-%dT%T.%L
TIME_PREFIX=<TimeCreated SystemTime=\"
MAX_TIMESTAMP_LOOKAHEAD=128
SHOULD_LINEMERGE=true
BREAK_ONLY_BEFORE=^<Event|^<failedRequest
TRANSFORMS-removexml = removexml
transforms.conf:
[removexml]
REGEX = (^\<\?xml.*|^\<\!--.*)
DEST_KEY = queue
FORMAT = nullQueue
And an example:
<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type='text/xsl' href='freb.xsl'?>
<!-- saved from url=(0014)about:internet -->
<failedRequest url="http://server.company.domain/SAFService/SAFService.svc"
siteId="7"
appPoolId="SafServiceAppPool"
processId="3872"
verb="POST"
remoteUserName=""
userName=""
tokenUserName="NT AUTHORITY\IUSR"
authenticationType="anonymous"
activityId="{00000000-0000-0000-977F-0080000000FD}"
failureReason="STATUS_CODE"
statusCode="500"
triggerStatusCode="500"
timeTaken="59782"
xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"
>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDADADA0D9B0F83}"/>
<EventID>0</EventID>
<Version>1</Version>
<Level>0</Level>
<Opcode>1</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2014-10-30T09:51:21.274Z"/>
<Correlation ActivityID="{00000000-0000-0000-977F-0080000000FD}"/>
<Execution ProcessID="3872" ThreadID="3460"/>
<Computer>KLPDSTCPH050V</Computer>
</System>
<EventData>
<Data Name="ContextId">{00000000-0000-0000-977F-0080000000FD}</Data>
<Data Name="SiteId">7</Data>
<Data Name="AppPoolId">SafServiceAppPool</Data>
<Data Name="ConnId">1610645394</Data>
<Data Name="RawConnId">0</Data>
<Data Name="RequestURL">http://server.company.domain/SAFService/SAFService.svc</Data>
<Data Name="RequestVerb">POST</Data>
</EventData>
<RenderingInfo Culture="nb-NO">
<Opcode>GENERAL_REQUEST_START</Opcode>
</RenderingInfo>
<ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
<EventGuid>{D42CF7EF-DE92-473E-8B6C-621EAADADE663113A}</EventGuid>
</ExtendedTracingInfo>
</Event>
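To see what these props.conf and transforms.conf settings do to the sample before touching the indexer, here is an added Python emulation of the line merging, nullQueue routing and timestamp extraction on a trimmed copy of the file above (example code written for this thread, not Splunk's own engine; Python's `%f` stands in for Splunk's `%L`, and reading the trailing `Z` as UTC is an assumption).

```python
import re
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the FREB log shown in the question.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type='text/xsl' href='freb.xsl'?>
<!-- saved from url=(0014)about:internet -->
<failedRequest url="http://server.company.domain/SAFService/SAFService.svc"
siteId="7"
statusCode="500"
>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<TimeCreated SystemTime="2014-10-30T09:51:21.274Z"/>
</System>
</Event>
"""

# props.conf / transforms.conf settings from the question, as Python regexes.
BREAK_ONLY_BEFORE = re.compile(r"^<Event|^<failedRequest", re.MULTILINE)
REMOVE_XML = re.compile(r"(^<\?xml.*|^<!--.*)")         # [removexml] REGEX
TIME_PREFIX = re.compile(r'<TimeCreated SystemTime="')
MAX_TIMESTAMP_LOOKAHEAD = 128
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f"   # Splunk %T.%L ~ Python %H:%M:%S.%f

def break_events(raw):
    """SHOULD_LINEMERGE=true + BREAK_ONLY_BEFORE: a new event starts only at a
    line beginning with <Event or <failedRequest; all other lines are merged."""
    starts = [m.start() for m in BREAK_ONLY_BEFORE.finditer(raw)]
    bounds = [0] + starts + [len(raw)]
    return [raw[a:b] for a, b in zip(bounds, bounds[1:]) if raw[a:b].strip()]

def route(event):
    """[removexml]: an event whose _raw matches the REGEX goes to the nullQueue."""
    return "nullQueue" if REMOVE_XML.search(event) else "indexQueue"

def extract_time(event):
    """TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT; None if nothing matches.
    Assumption: the trailing 'Z' means UTC (the TIME_FORMAT carries no zone)."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = re.match(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+", window)
    return datetime.strptime(ts.group(0), TIME_FORMAT).replace(tzinfo=timezone.utc) if ts else None

def process(raw):
    """Return (queue, timestamp, first line) for every event the file yields."""
    return [(route(e), extract_time(e), e.splitlines()[0]) for e in break_events(raw)]
```

Note that the `<failedRequest ...>` attribute block becomes an event of its own with no TimeCreated inside it, so Splunk would fall back to its default timestamp rules for that event.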
It turned out that all of the above is correct, but I was not aware of the need to restart Splunk - I only did
splunk reload deploy-server
So now when I checked a few days later, all was fine.