Re: IIS integration with splunk

Nawab · ‎01-29-2025

I have an IIS server that is sending logs to splunk, and the logs are saved in w3c format. but I found that logs are save in UTC time format. and only IIS format can save logs in local time but there is no parser for IIs.

if someone have integrated IIS do let me know

Nawab · ‎01-29-2025

Hi, I have installed the add on on search head and indexers, but it is not working.

I am using 1st log format which w3c.

The time in w3c is UTC, but we need it in gtm+3.

for second log format which is IIS, it is not pared at any sourcetype available in addon

dural_yyz · ‎01-29-2025

Can you tell me which format your are ingesting from these examples.

https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90)

#Software: Internet Information Services 6.0 
#Version: 1.0 
#Date: 2001-05-02 17:42:15 
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0

OR

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype.

Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs.

https://splunkbase.splunk.com/app/3185

SanjayReddy · ‎01-29-2025

Hi @Nawab

Have you tried integrated using add on and documention, this documentation helps to setup the iis logs

https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About

https://splunkbase.splunk.com/app/3185

IIS integration with splunk

universal forwarder

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies