I apologize if this has been asked before, I couldn't find it via the search/google/youtube.
I'm outputting IIS AppPool/Site configurations to text file (One for AppPools, and one for Sites), and ingesting them into splunk. For the life of me I cannot figure out how to get this to format correctly in splunk, or what I need to do in order to put it in a readable format that I can use to compare 2 IIS Configs against each other in a table. I'll share a test config file that I made, and maybe someone can tell me how I should be formatting it.
AppCmd does give you the option to export to XML, would this be an easier option for splunk to parse it correctly?
SITE
SITE.NAME:"Test"
SITE.ID:"2"
bindings:"http/*:80:*"
state:"Started"
[site]
name:"Test"
id:"2"
serverAutoStart:"true"
[bindings]
[binding]
protocol:"http"
bindingInformation:"*:80:*"
sslFlags:"0"
[limits]
maxBandwidth:"4294967295"
maxConnections:"4294967295"
connectionTimeout:"00:02:00"
maxUrlSegments:"32"
[logFile]
logExtFileFlags:"Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, HttpSubStatus"
customLogPluginClsid:""
logFormat:"W3C"
logTargetW3C:"File"
directory:"C:\inetpub\logs\LogFiles"
period:"Daily"
truncateSize:"20971520"
localTimeRollover:"false"
enabled:"true"
logSiteId:"true"
flushByEntryCountW3CLog:"0"
maxLogLineLength:"65536"
[customFields]
maxCustomFieldLength:"4096"
[traceFailedRequestsLogging]
enabled:"false"
directory:"C:\inetpub\logs\FailedReqLogFiles"
maxLogFiles:"50"
maxLogFileSizeKB:"1024"
customActionsEnabled:"false"
[applicationDefaults]
path:""
applicationPool:""
enabledProtocols:"http"
serviceAutoStartEnabled:"false"
serviceAutoStartProvider:""
preloadEnabled:"false"
[virtualDirectoryDefaults]
path:""
physicalPath:""
userName:""
password:""
logonMethod:"ClearText"
allowSubDirConfig:"true"
[ftpServer]
allowUTF8:"true"
serverAutoStart:"true"
[connections]
unauthenticatedTimeout:"30"
controlChannelTimeout:"120"
dataChannelTimeout:"30"
disableSocketPooling:"false"
serverListenBacklog:"60"
minBytesPerSecond:"240"
maxConnections:"4294967295"
resetOnMaxConnections:"false"
maxBandwidth:"4294967295"
[security]
[dataChannelSecurity]
matchClientAddressForPort:"true"
matchClientAddressForPasv:"true"
[commandFiltering]
maxCommandLine:"4096"
allowUnlisted:"true"
[ssl]
serverCertHash:""
serverCertStoreName:"MY"
ssl128:"false"
controlChannelPolicy:"SslRequire"
dataChannelPolicy:"SslRequire"
[sslClientCertificates]
clientCertificatePolicy:"CertIgnore"
useActiveDirectoryMapping:"false"
validationFlags:""
revocationFreshnessTime:"00:00:00"
revocationUrlRetrievalTimeout:"00:01:00"
[authentication]
[anonymousAuthentication]
enabled:"false"
userName:"IUSR"
password:""
defaultLogonDomain:"NT AUTHORITY"
logonMethod:"ClearText"
[basicAuthentication]
enabled:"false"
defaultLogonDomain:""
logonMethod:"ClearText"
[clientCertAuthentication]
Splunk seems to extract some fields in [ ], but not all of them, and for some reason it thinks the whole config is a single entry as well.
Again, I apologize if this or a similar question has been asked. I'm relatively new to splunk. I appreciate any and all assistance.
Thanks.
I would suggest trying the output as XML, in order to get more logical parsing out of the box for Splunk. Your observation is correct... the whole config IS a single entry. You are trying to compare the fields in one entry with the fields in another entry.
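Keeping the text layout shown in the question rather than switching to XML, here is an added Python example (not from this thread, and not part of Splunk or the IIS appcmd tooling) that turns an appcmd `/config /text:*` style dump into one JSON event per site with dotted keys, so Splunk breaks the file into one event per site and extracts every field instead of treating the whole config as a single entry, and then diffs two records the way the question wants to compare two configs in a table. It assumes the file keeps the 2-space indentation appcmd writes (the dump pasted above lost it during posting), and the sample input is constructed, not real server output. Because the dump carries credential fields (`virtualDirectoryDefaults.password`, `anonymousAuthentication.password`), the parser masks any non-empty `password` value before the event leaves the host.

```python
"""Flatten appcmd '/config /text:*' site dumps into one JSON event per site.

Added example, not code from the thread. Assumes the text file keeps the
2-space indentation appcmd writes; SAMPLE below is constructed, not real output.
"""
import json
import re

# Constructed sample: two SITE records, the second with a TLS binding and a
# stored virtual-directory credential, so the diff has something to show.
SAMPLE = """\
SITE
  SITE.NAME:"Test"
  bindings:"http/*:80:*"
  state:"Started"
  [site]
    name:"Test"
    serverAutoStart:"true"
    [bindings]
      [binding]
        protocol:"http"
        bindingInformation:"*:80:*"
        sslFlags:"0"
    [virtualDirectoryDefaults]
      userName:""
      password:""
SITE
  SITE.NAME:"Test"
  bindings:"https/*:443:*"
  state:"Started"
  [site]
    name:"Test"
    serverAutoStart:"true"
    [bindings]
      [binding]
        protocol:"https"
        bindingInformation:"*:443:*"
        sslFlags:"1"
    [virtualDirectoryDefaults]
      userName:"svc_iis"
      password:"hunter2"
"""

HEADER_RE = re.compile(r"^[A-Z]+$")                 # record header: SITE, APPPOOL, ...
SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")   # [site], [binding], ...
KV_RE = re.compile(r'^([A-Za-z0-9_.]+):"(.*)"$')    # key:"value"
SECRET_KEYS = {"password"}                          # never ship these to the index in clear


def parse_records(text):
    """Return one {dotted.key: value} dict per top-level record.

    Section nesting is recovered from indentation: a [section] line pushes its
    name onto a stack, and any later line at the same or shallower indent pops it.
    """
    records, stack, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:     # leave sections that have ended
            stack.pop()
        if indent == 0 and HEADER_RE.match(line):   # new site/app pool record
            current = {"object_type": line}
            records.append(current)
            continue
        if current is None:                         # stray lines before the first header
            continue
        m = SECTION_RE.match(line)
        if m:
            stack.append((indent, m.group(1)))
            continue
        m = KV_RE.match(line)
        if not m:
            continue                                # tolerate lines we do not understand
        name, value = m.group(1), m.group(2)
        if name.lower() in SECRET_KEYS and value:
            value = "<redacted>"                    # keep "" so an unset credential stays visible
        current[".".join([s for _, s in stack] + [name])] = value
    return records


def to_json_lines(records):
    """One JSON object per line, so Splunk breaks one event per site."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def diff_records(a, b):
    """Rows (key, value_in_a, value_in_b) for every key whose value differs."""
    return [(k, a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(to_json_lines(recs))
    for key, old, new in diff_records(recs[0], recs[1]):
        print(f"{key:45} {old!r:20} {new!r}")
```

Write the JSON lines to a file and give it a sourcetype whose props.conf sets `SHOULD_LINEMERGE = false` and `KV_MODE = json` (or `INDEXED_EXTRACTIONS = json`); each site then arrives as its own event with fields such as `site.bindings.binding.sslFlags` ready to put in a table or compare across two hosts, and the `diff_records` output is the same comparison done offline. Drift in `sslFlags`, binding protocols or `anonymousAuthentication.enabled` between two configs is exactly the kind of change worth alerting on once the fields are extracted.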