I want to forward my IIS logs to Splunk using the Splunk Add-On for Microsoft IIS. I have installed the Add-on on both my Splunk instances and on the Universal Forwarder on the Web Server. I am a bit confused in regard to Inputs.conf and Outputs.conf on the Universal Forwarder and the Add-On.
For the Add-On, I have an Inputs.conf (and outputs.conf) file here: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_microsoft-iis\local
[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = ms:iis:auto
And, of course, I have the Splunk Inputs.conf file - which I needed to create, even though I had specified inputs in the Advanced section of the install file - C:\Program Files\SplunkUniversalForwarder\etc\system\local
Now, I have created an index called 'uat' since this is for our UAT servers. So, in the Splunk Universal Forwarder inputs.conf file, I have this:
[default]
host = INS-B2C01-UAT
index = uat
Of course, I have configured that already running on 9997. I have read through various Splunk doc sources far and wide, but I need some guidance on setting the sources I want to forward. Has anyone set up the Universal Forwarder with the Microsoft IIS Add-on? If so, a sample of those inputs.conf files would be great. Thanks.