I have set up ES and I am trying to input information from IIS. While the information is being parsed correctly and the fields are being separated as they should (via the pre-built sourcetype=iis), I see that in ES it is not being normalized as it should.
I also see that there is no TA for it either. I have tried adding field-alias on the Search head as seen in http://answers.splunk.com/answers/128538/ta-for-iis-that-follows-the-common-information-model.html
My architecture consists of UF -> HF -> Indexer -> SH (different boxes for all).
So far the fields are not being normalized correctly.
We are having this issue as well.
It seems odd that IIS is not supported by Enterprise Security out of the box.
Splunk has created an add-on for IIS:
However, it is not CIM compliant, it seems.
Do we really need to create a new TA to get IIS data into ES? And has no one done this before?
To onboard IIS data for ES you need to create a TA-iis that maps to the web tag. (Put this TA on the ES Search Head)
Here is the starting point overview on how to add new data to ES
Here is the detail for WEB data that IIS will be under:
Look for the Web section and extract or alias the fields in your IIS data that are needed for the Web section.
For advanced setup you will want to analyze the IIS application and identify security relevant events and map those to the appropriate ES eventtype/tag.
For example, in your IIS logs you may have url=/login.asp and that would be an authentication tag, and would need the appropriate fields in the Dashboard Requirements Matrix.
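A minimal TA skeleton for the alias-and-tag approach described in this answer, as an added example that is not from the thread and not Splunk's own add-on; the source field names (cs_uri_stem, sc_status, c_ip, cs_User_Agent, etc.) are assumed to be what the pre-built iis sourcetype extracts from W3C logs, and TA-iis is a hypothetical add-on name.

```ini
# TA-iis/default/props.conf  (hypothetical TA; install on the ES search head)
[iis]
# Alias the W3C field names extracted by the built-in iis sourcetype (assumed
# names) to the CIM Web data model field names that the ES Web dashboards read.
FIELDALIAS-iis_cim_web = cs_uri_stem AS uri_path cs_uri_query AS uri_query cs_method AS http_method sc_status AS status c_ip AS src s_ip AS dest cs_username AS user cs_User_Agent AS http_user_agent cs_Referer AS http_referrer cs_bytes AS bytes_in sc_bytes AS bytes_out
# Derived fields the Web data model also expects. EVAL runs after FIELDALIAS.
# IIS writes "-" when the query string is empty, so only append "?" for real ones.
EVAL-url = if(isnull(cs_uri_query) OR cs_uri_query="-", cs_uri_stem, cs_uri_stem . "?" . cs_uri_query)
EVAL-bytes = coalesce(cs_bytes, 0) + coalesce(sc_bytes, 0)
EVAL-vendor_product = "Microsoft IIS"

# TA-iis/default/eventtypes.conf
# Every IIS event is web traffic; the login page is additionally an authentication event.
[iis_web]
search = sourcetype=iis
[iis_login]
search = sourcetype=iis cs_uri_stem="/login.asp"

# TA-iis/default/tags.conf
# The "web" tag is what pulls these events into the CIM Web data model.
[eventtype=iis_web]
web = enabled
# The "authentication" tag alone is not enough: the Authentication data model
# still needs fields such as action, app and user, which depend on your
# application's log content (see the Dashboard Requirements Matrix).
[eventtype=iis_login]
authentication = enabled
```

Verify with `| datamodel Web search | search sourcetype=iis` on the ES search head; if the events do not appear there, check the tag first, since field aliases without the web tag never reach the data model.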