Getting Data In

Timezones & IIS W3C Extended Logging - why don't they work?

john_loch
Explorer

By way of a light forwarder, I'm receiving IIS logs in W3C Extended Format from 5 boxes, which log events in GMT time - there's no way to change timezones when using this format with IIS.

Because our Splunk server lives in a GMT+10 timezone, and all our other sourcetypes/events are logged in the server's TZ, we have set up a props.conf file under C:\Program Files\Splunk\etc\system\local with the following entry at the top of the file to specifically handle IIS logs:

[IIS*]
TZ=GMT

We've also tried:

[IIS*]
TZ = America/Los_Angeles

It seems no matter what I try, I just can't get Splunk to treat my logs correctly. This is a MAJOR problem because it makes them totally unusable in a real time context. The net effect is all entries appear 10 hours into the future.

Have you seen this yourself? How did you fix it?

Thanks 🙂


deidson
New Member

So are IIS logs, which are by default set to GMT, read in and viewed with the web server serving up the searches timezone? Are other logs, like event logs, doing the same?


araitz
Splunk Employee

For what it is worth, the IIS-1, IIS-2, ..., IIS-n issue should be fixed in 4.1.4 if you have manually set the sourcetype to IIS in inputs.conf, thus solving your problem the 'right' way 🙂

the_wolverine
Champion

It is still broken in 5.0.3... I'm getting the iis-2 sourcetype despite hardcoding it in inputs.conf.


Justin_Grant
Contributor

Hi Alex, could you provide more info about what is being fixed in 4.1.4 re: IIS-1, IIS-2, etc.? What's changing?


gkanapathy
Splunk Employee

For IIS W3C formatted logs, the time zone is always GMT, so you should set TZ = GMT. The timezone setting of the incoming data is completely independent of the server time zone.

You may not use wildcards in sourcetype stanzas in props.conf (only in source:: and host:: stanzas) so that is one problem.

It would be useful to know what you are setting the sourcetype of your inputs to. They would be set on the light forwarder, and you should set them explicitly. If not set explicitly on the light forwarder, the default rules should set it to iis. Note that if this is the case, the props.conf stanza names are case-sensitive, so that may be another problem.

I'm also not certain why you'd have tried America/Los_Angeles as a TZ setting.

wrangler2x
Motivator

I am using TZ = GMT in ~/etc/system/local/props.conf and the times and dates are correct in Splunk. Because I may be taking other IIS logs, I explicitly set the sourcetype in the deployment-apps directory/default/inputs.conf as

sourcetype = mswin_2008r2_iisw3c

This way I can use another sourcetype if the server version is different.

My ~/etc/system/local/props.conf stanza looks like this (field names can be found in the header of the log file):

[mswin_2008r2_iisw3c]
TZ = GMT
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

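To make gkanapathy's two points and wrangler2x's stanza concrete, here is an added example (not code from this thread, and not Splunk's own timestamp extractor): it parses IIS W3C Extended lines using the #Fields header, imitates what TZ = GMT versus a server-local zone does to the indexed event time, and checks a props.conf for the wildcard-in-sourcetype-stanza mistake from the question. The log lines, the props.conf text and the choice of Australia/Brisbane as the GMT+10 server zone are all constructed for the example; the fixed-offset fallback is only an assumption for machines without tzdata.

```python
"""Added example, not from the thread or from Splunk: what the props.conf TZ
setting does to an IIS W3C Extended timestamp, plus a stanza-name check."""
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample log: W3C directives followed by two events (IIS writes GMT).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-06-01 13:30:00 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15
2013-06-01 13:30:01 192.0.2.10 GET /login.aspx - 443 - 198.51.100.7 Mozilla/5.0 302 0 0 40
"""

# Constructed props.conf: the stanza from the question plus two valid forms.
SAMPLE_PROPS = """[IIS*]
TZ=GMT

[mswin_2008r2_iisw3c]
TZ = GMT

[source::C:\\inetpub\\logs\\LogFiles\\*.log]
TZ = GMT
"""

# Assumption: fixed offsets used only when the IANA tz database is absent.
# Brisbane has no DST, so a flat +10 is exact for that zone.
FALLBACK_TZ = {"GMT": timezone.utc, "Australia/Brisbane": timezone(timedelta(hours=10))}


def resolve_tz(name):
    """Resolve an IANA zone name as Splunk's TZ setting would; fall back to fixed offsets."""
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return FALLBACK_TZ[name]


def parse_w3c(text):
    """Yield one dict per event, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date) and blanks
        if fields is None:
            raise ValueError("data line before #Fields header")
        yield dict(zip(fields, line.split()))


def indexed_time(event, tz_setting):
    """Interpret the date/time fields as wall-clock time in tz_setting (what
    TZ = tz_setting makes Splunk do) and return the resulting instant in UTC."""
    naive = datetime.strptime(f"{event['date']} {event['time']}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=resolve_tz(tz_setting)).astimezone(timezone.utc)


def skew_hours(event, assumed_tz, actual_tz="GMT"):
    """Signed hours by which indexing under assumed_tz misplaces an event that
    was really written in actual_tz (IIS W3C logs are always GMT)."""
    delta = indexed_time(event, assumed_tz) - indexed_time(event, actual_tz)
    return delta.total_seconds() / 3600


STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def check_props(text):
    """Return stanza names that use a wildcard outside source:: / host:: stanzas;
    props.conf does not match wildcards in plain sourcetype stanzas."""
    bad = []
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            name = m.group(1)
            if "*" in name and not name.startswith(("source::", "host::")):
                bad.append(name)
    return bad


if __name__ == "__main__":
    for ev in parse_w3c(SAMPLE_LOG):
        print(ev["time"], "GMT ->", indexed_time(ev, "GMT").isoformat(),
              "| skew if read as server-local GMT+10: %+.0f h"
              % skew_hours(ev, "Australia/Brisbane"))
    print("stanzas with an unsupported wildcard:", check_props(SAMPLE_PROPS))
```

Run it as a script to see the two events land at the same UTC instant the log states when TZ = GMT, a ten-hour skew when the same lines are read as GMT+10 wall-clock time, and the [IIS*] stanza flagged; [mswin_2008r2_iisw3c] and the source:: stanza pass.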

BunnyHop
Contributor

Mine is simply this:

[default]
TZ = US/Eastern

So maybe try this?

[name_of_sourcetype]
TZ = US/Pacific

Make sure that whatever it is that you put on the name_of_sourcetype is the sourcetype that the IIS log is using.

BunnyHop
Contributor

From what the user is saying, it seems that setting the TZ to GMT was not working. Perhaps a bug?


Justin_Grant
Contributor

Per @gkanapathy's answer above, I believe your answer is not correct: the time zone should be marked GMT, not local.
