Splunk Enterprise Security

IIS and ES application & CIM

Path Finder

Hello,

I have set up ES and I am trying to input information from IIS. While the information is being parsed correctly and the fields are being seperated as they should (via the pre-built sourcetype=iis), I see that in the ES is it not being normalized as it should.

I also see that there is no TA for it as well. I have tried adding field-alias on the Search head as seen in http://answers.splunk.com/answers/128538/ta-for-iis-that-follows-the-common-information-model.html

My architecture consists of UF -> HF -> Indexer -> SH (different boxes for all).

So far the fields are not being normalized correctly.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

The latest version of the app is ESS compatible and CIM compliant:

https://splunkbase.splunk.com/app/3185/

View solution in original post

SplunkTrust
SplunkTrust

The latest version of the app is ESS compatible and CIM compliant:

https://splunkbase.splunk.com/app/3185/

View solution in original post

Path Finder
0 Karma

Path Finder

Hi

We are having this issue as well.
It seems odd that IIS is not supported by Enterprise Security out of the box.

Splunk has created an add-on for IIS:
https://apps.splunk.com/app/1579/

However that it not CIM compliant it seems.

Do we really need to create a new TA to get IIS data into ES? And has no one done this before?

Best
Soren

0 Karma

Splunk Employee
Splunk Employee

To onboard IIS data for ES you need to create a TA-iis that maps to the web tag. (Put this TA on the ES Search Head)
Here is the starting point overview on how to add new data to ES
http://docs.splunk.com/Documentation/ES/latest/CreateTA/Overview
Here is the detail for WEB data that IIS will be under:
http://docs.splunk.com/Documentation/ES/3.0/CreateTA/DashboardRequirementsMatrix
look for Web section and extract or alias the fields in your IIS data that are needed for the Web section.
For advanced setup you will want to analyze the IIS application and identify security relevant events and map those to the appropriate ES eventtype/tag.
For example, in your IIS logs you may have url=/login.asp and that would be an authentication tag, and need the appropriate fields in the Dashboard Requirements Matrix.

0 Karma