Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IIS integration with splunk

Nawab
Communicator
‎01-29-2025 04:17 AM

I have an IIS server that is sending logs to splunk, and the logs are saved in w3c format. but I found that logs are save in UTC time format. and only IIS format can save logs in local time but there is no parser for IIs.

 

if someone have integrated IIS do let me know

Labels (1)
Labels
0 Karma
Reply

Nawab
Communicator
‎01-29-2025 11:56 PM

Hi, I have installed the add on on search head and indexers, but it is not working.

I am using 1st log format which w3c.

 

The time in w3c is UTC, but we need it in gtm+3.

 

for second log format which is IIS, it is not pared at any sourcetype available in addon

0 Karma
Reply

dural_yyz
Motivator
‎01-29-2025 06:21 AM

Can you tell me which format your are ingesting from these examples.

https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90)

#Software: Internet Information Services 6.0 
#Version: 1.0 
#Date: 2001-05-02 17:42:15 
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0

OR

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

 

Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype.

Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs.

https://splunkbase.splunk.com/app/3185

 

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎01-29-2025 06:18 AM

Hi @Nawab 

Have you tried integrated using  add on and documention, this documentation helps to setup the iis logs

https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About 

https://splunkbase.splunk.com/app/3185 


0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top