Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IIS integration with splunk

Nawab
Communicator
‎01-29-2025 04:17 AM

I have an IIS server that is sending logs to splunk, and the logs are saved in w3c format. but I found that logs are save in UTC time format. and only IIS format can save logs in local time but there is no parser for IIs.

 

if someone have integrated IIS do let me know

Labels (1)
Labels
0 Karma
Reply

Nawab
Communicator
‎01-29-2025 11:56 PM

Hi, I have installed the add on on search head and indexers, but it is not working.

I am using 1st log format which w3c.

 

The time in w3c is UTC, but we need it in gtm+3.

 

for second log format which is IIS, it is not pared at any sourcetype available in addon

0 Karma
Reply

dural_yyz
Motivator
‎01-29-2025 06:21 AM

Can you tell me which format your are ingesting from these examples.

https://learn.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525807(v=vs.90)

#Software: Internet Information Services 6.0 
#Version: 1.0 
#Date: 2001-05-02 17:42:15 
#Fields: time c-ip cs-method cs-uri-stem sc-status cs-version 
17:42:15 172.16.255.255 GET /default.htm 200 HTTP/1.0

OR

192.168.114.201, -, 03/20/01, 7:55:20, W3SVC2, SALES1, 172.21.13.45, 4502, 163, 3223, 200, 0, GET, /DeptLogo.gif, -, 
172.16.255.255, anonymous, 03/20/01, 23:58:11, MSFTPSVC, SALES1, 172.16.255.255, 60, 275, 0, 0, 0, PASS, /Intro.htm, -,

 

Once you confirm which format someone should be able to provide a recommended props.conf for the ingested sourcetype.

Ofcourse you could opt for the app from Splunk base which looks to be very complete for IIS server logs.

https://splunkbase.splunk.com/app/3185

 

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎01-29-2025 06:18 AM

Hi @Nawab 

Have you tried integrated using  add on and documention, this documentation helps to setup the iis logs

https://docs.splunk.com/Documentation/AddOns/released/MSIIS/About 

https://splunkbase.splunk.com/app/3185 


0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...