Splunk Enterprise Security

How to get IIS events into Enterprise Security App

New Member

Splunkers,

I am trying to get IIS log W3C log events into Enterprise Security App. I made the IIS events an eventtype with tag: web, and made the following field aliases:

c_ip as src
cs_Cookie as cookie
cs_Referer as http_referrer
cs_User_Agent as http_user_agent
cs_bytes as bytes_in
s_ip as dest
cs_method as http_method
cs_uri_stem as uri_path
s_sitename as site
sc_bytes as bytes_out
sc_status as status
cs_username as user

I made the permissions as wide as possible, but after a reboot ESA still does not see the data; for example, the ESA HTTP User Agent Analysis remains blank. What am I doing wrong?

0 Karma

Splunk Employee

As mentioned, you need to have these events tagged for web and proxy for ES. You should refer to the documentation for ES's dashboards for how your data should be tagged to appear in these correctly.

http://docs.splunk.com/Documentation/ES/3.2.1/User/MoreNetworkdashboards

http://docs.splunk.com/Documentation/CIM/4.1.0/User/Web

0 Karma

New Member

Hello,
I also need to get IIS logs into the Splunk ES app. Which add-on did you use?
Thx,

0 Karma

Champion

The web data model was intended for use with proxy logs and thus requires two tags: web and proxy.
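
The setup discussed in this thread, put together as an added example (not part of any post above and not taken from a Splunk add-on): the asker's field aliases plus both tags the replies call for. The sourcetype name iis, the eventtype name iis_web, the alias class names and the underscore forms of the IIS field names are assumptions.

```ini
# ---- eventtypes.conf ----
# Assumption: the IIS W3C events are indexed with sourcetype "iis".
[iis_web]
search = sourcetype=iis

# ---- tags.conf ----
# The question tagged the eventtype with "web" only; the replies say
# the events need both "web" and "proxy".
[eventtype=iis_web]
web = enabled
proxy = enabled

# ---- props.conf ----
# The aliases listed in the question, one FIELDALIAS class per field.
# The class names after "FIELDALIAS-" are arbitrary (hypothetical here).
[iis]
FIELDALIAS-iis_src = c_ip AS src
FIELDALIAS-iis_dest = s_ip AS dest
FIELDALIAS-iis_cookie = cs_Cookie AS cookie
FIELDALIAS-iis_referrer = cs_Referer AS http_referrer
FIELDALIAS-iis_user_agent = cs_User_Agent AS http_user_agent
FIELDALIAS-iis_method = cs_method AS http_method
FIELDALIAS-iis_uri_path = cs_uri_stem AS uri_path
FIELDALIAS-iis_site = s_sitename AS site
FIELDALIAS-iis_bytes_in = cs_bytes AS bytes_in
FIELDALIAS-iis_bytes_out = sc_bytes AS bytes_out
FIELDALIAS-iis_status = sc_status AS status
FIELDALIAS-iis_user = cs_username AS user

# ---- metadata/local.meta ----
# Share the app's knowledge objects globally so other apps can see them
# (the "permissions as wide as possible" step from the question).
[]
export = system

# Check from the search bar once the configuration is loaded:
#   tag=web tag=proxy sourcetype=iis | stats count by http_user_agent
# Rows here mean the tags and the http_user_agent alias both apply.
```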