I can write a custom field extractor that works on the search head, but I am having problems with the auto portion.
Since W3C is variable and can have a user-defined list of fields, I am trying to get the auto function to work. I think this will read a comment field and use that to define the search-time extractions. This is what is written currently in the test environment.
Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
Running a search, I can see the data is there, but the fields are not indexed properly.
Make sure you've installed the IIS TA on the forwarder (even if it's a universal forwarder) and indexer for ms:iis:auto to work. From the docs:
If you use a universal forwarder for data collection, install the add-on on both your universal forwarder and indexer.
The forwarder needs to be installed directly on the Microsoft IIS server for directory monitoring. As an alternative, the Microsoft IIS log files can be copied or shared to the machine where the forwarder is installed.
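An added troubleshooting sketch, not part of the original thread and not the add-on's own code: it reads a W3C extended log the way a header-driven extraction has to, taking field names only from the field-list directive, and reports rows that cannot be mapped. It assumes the directive is written as `#Fields:` per the W3C extended log format; the log lines and the `parse_w3c` name are constructed for illustration.

```python
# Constructed sample: the field list from the question, one good row, one row
# missing a column, then a second #Fields directive that changes the layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(constructed) 200 0 0 15
2024-01-15 10:00:02 10.0.0.5 POST /login.aspx id=1 443 alice 203.0.113.8 curl/8.0 401 0 5
#Fields: date time cs-method cs-uri-stem sc-status
2024-01-15 10:05:00 GET /health 200
"""


def parse_w3c(text):
    """Return (events, problems); field names come only from #Fields directives."""
    fields, events, problems = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line: only #Fields changes how later rows are read.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None:
            problems.append((lineno, "data row before any #Fields directive"))
        elif len(values) != len(fields):
            problems.append((lineno, f"{len(values)} values for {len(fields)} fields"))
        else:
            # "-" is the W3C placeholder for an empty value.
            events.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return events, problems


if __name__ == "__main__":
    events, problems = parse_w3c(SAMPLE_LOG)
    for event in events:
        print(event)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```

Rows listed in `problems` are the ones a header-driven extraction cannot name, which is worth ruling out on the monitored file before looking at where the add-on is installed.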