Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

IIS and ES application & CIM

dimitris_vergos
Path Finder
‎09-29-2014 04:13 AM

Hello,

I have set up ES and I am trying to input information from IIS. While the information is being parsed correctly and the fields are being seperated as they should (via the pre-built sourcetype=iis), I see that in the ES is it not being normalized as it should.

I also see that there is no TA for it as well. I have tried adding field-alias on the Search head as seen in http://answers.splunk.com/answers/128538/ta-for-iis-that-follows-the-common-information-model.html

My architecture consists of UF -> HF -> Indexer -> SH (different boxes for all).

So far the fields are not being normalized correctly.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎07-25-2018 05:04 AM

The latest version of the app is ESS compatible and CIM compliant:

https://splunkbase.splunk.com/app/3185/

View solution in original post

Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎07-25-2018 05:04 AM

The latest version of the app is ESS compatible and CIM compliant:

https://splunkbase.splunk.com/app/3185/

Reply
Solved! Jump to solution

hsesterhenn
Path Finder
‎04-07-2015 09:56 AM

Just as a pointer to the right answer:

http://answers.splunk.com/answers/128538/ta-for-iis-that-follows-the-common-information-model.html

0 Karma
Reply
Solved! Jump to solution

sorenmaigaard
Path Finder
‎10-03-2014 02:23 AM

Hi

We are having this issue as well.
It seems odd that IIS is not supported by Enterprise Security out of the box.

Splunk has created an add-on for IIS:
https://apps.splunk.com/app/1579/

However that it not CIM compliant it seems.

Do we really need to create a new TA to get IIS data into ES? And has no one done this before?

Best
Soren

0 Karma
Reply
Solved! Jump to solution

mcronkrite
Splunk Employee
Splunk Employee
‎09-29-2014 06:37 AM

To onboard IIS data for ES you need to create a TA-iis that maps to the web tag. (Put this TA on the ES Search Head)
Here is the starting point overview on how to add new data to ES
http://docs.splunk.com/Documentation/ES/latest/CreateTA/Overview
Here is the detail for WEB data that IIS will be under:
http://docs.splunk.com/Documentation/ES/3.0/CreateTA/DashboardRequirementsMatrix
look for Web section and extract or alias the fields in your IIS data that are needed for the Web section.
For advanced setup you will want to analyze the IIS application and identify security relevant events and map those to the appropriate ES eventtype/tag.
For example, in your IIS logs you may have url=/login.asp and that would be an authentication tag, and need the appropriate fields in the Dashboard Requirements Matrix.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...