How to setup / migrate a few Web server logs into ...

SamHTexas · ‎03-11-2021

How to setup / migrate a few Web server logs into Splunk. I need to set Splunk to ingest some web server logs into Splunk. Need step by step, if someone can help please

gcusello · ‎03-12-2021

Hi @SamHTexas,

try to follow these preliminary steps:

exactly identify path and filenames of your logs (e.g.: C:\inetpub\logs\LogFiles);
install the Splunk Universal Forwarder (https://docs.splunk.com/Documentation/Forwarder/8.1.2/Forwarder/Installtheuniversalforwardersoftware...
configure it to send logs to your indexers (https://docs.splunk.com/Documentation/Forwarder/8.1.2/Forwarder/Configuretheuniversalforwarder);
restart Splunk on Forwarder;
check if the Splunk internal logs are arriving (index=_internal).

To take logs you can use:

a Technican Add-On from splunkbase (https://splunkbase.splunk.com);
a custom input.

in the first case

install the Splunk Add-On for your Web server (e.g. Microsoft IIS https://splunkbase.splunk.com/app/3185);
Configure it enabling the stanzas you need,
restart Splunk on Forwarder;
check the logs.

In the second case you have to:

create by CLI (Universal Frwarders hasn't a web interface) your own inputs.conf in $SPLUNK_HOME\etc\system\local (or $SPLUNK_HOME/etc/system/local on Linux), containing:

[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
index = <preferred index>

Restart Splunk on Forwarder
check the logs.

I hint always the first one!

To better understand how to do this you can see https://docs.splunk.com/Documentation/Splunk/8.1.2/Data/Getstartedwithgettingdatain

there are also some interesting videos in YouTube to do this.

Ciao.

Giuseppe

How to setup / migrate a few Web server logs into Splunk

resource usage

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms