Configure inputs in the Splunk Add-on for Microsoft IIS
Configure file monitoring inputs
Configure directory monitoring inputs on your data collection node for Microsoft IIS logs. Your forwarders must be installed directly on your Microsoft IIS servers or have the Microsoft IIS log files copied or shared to them from the Microsoft IIS servers. You can configure inputs directly on your forwarders or you can configure inputs on a deployment server and push them to your forwarders.
Configure file monitoring inputs using Splunk Web
- Log in to Splunk Web.
- Click Settings > Data inputs.
- Click Files & directories.
- Click New.
- In the File or Directory field, specify the path to the Microsoft IIS standard log directory (default: %SystemDrive%\inetpub\logs\LogFiles) or advanced log directory (default: %SystemDrive%\inetpub\logs\AdvancedLogs), then click Next.
- In the Sourcetype field, enter the Microsoft IIS source type that matches the field extraction you plan to use.
  - ms:iis:auto enables automatic index-time field extraction. Supports Splunk recommended MS IIS fields if enabled.
  - ms:iis:default enables search-time field extraction.
  - ms:iis:default:85 enables search-time field extraction. Preferable for MS IIS version 8.5 and greater.
  - ms:iis:splunk enables search-time field extraction for Splunk recommended MS IIS fields.
- Click Review and review the information.
- If all the information is correct, click Submit.
Next step
Configure the log format to allow extractions using the ms:iis:default, ms:iis:default:85 or ms:iis:splunk sourcetype. See Configure field transformations for the Splunk Add-on for Microsoft IIS.
Configure file monitoring inputs using the configuration files
- Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/inputs.conf.
- Depending on the IIS source type and field extraction method you want to use, add one of the following stanzas. Replace the default IIS log directory path with the actual path in your environment, and set index to the index where you want to collect the data.

  Index-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = ms:iis:auto
    index = <preferred index>

  Search-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = [ ms:iis:default | ms:iis:default:85 | ms:iis:splunk ]
    index = <preferred index>

- Save the file.
- Restart the Splunk platform for the new inputs to take effect.
Configure PowerShell inputs
To use PowerShell inputs, your forwarders must be installed directly on your Microsoft IIS servers. You can configure inputs directly on your forwarders or you can configure inputs on a deployment server and push them to your forwarders. The Splunk Add-on for MS IIS has the following PowerShell input(s):
- powershell://IISModules - This input collects a list of IIS global modules installed on the IIS servers.
Configure PowerShell inputs using Splunk Web
- Log in to Splunk Web.
- Select Settings then Data inputs.
- Select Powershell v3 Modular Input.
- Confirm that the PowerShell input for IISModules is present.
- Select the IISModules input to update the schedule and then select the More settings checkbox to update the host and index values according to your needs.
- After updating the fields, select Save.
- Select Enable under the Status field to enable the PowerShell input.
Configure PowerShell inputs using the configuration files
- Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/inputs.conf.
- Copy the "powershell://IISModules" stanza from the $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/default/inputs.conf to this local conf file. Update the schedule and index values according to your needs. Example:

    [powershell://IISModules]
    disabled = 0
    script = Get-WebGlobalModule
    schedule = * */1 * * *
    sourcetype = ms:iis:webglobalmodule
    index = <preferred index>

- Save the file.
- Restart the Splunk platform for the new input to take effect.
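
The following lint check is an added example, not part of the Splunk documentation or the add-on's code. It parses a local inputs.conf and flags monitor and powershell://IISModules stanzas whose sourcetype is not one of the values listed on this page, whose index is unset or still a placeholder, or which are explicitly disabled. It reads the local file only (no merge with default/inputs.conf); the sample input and the index name iis are constructed.

```python
# Added example (not Splunk's code): lint a local inputs.conf for this add-on.
MONITOR_SOURCETYPES = {"ms:iis:auto", "ms:iis:default", "ms:iis:default:85", "ms:iis:splunk"}
POWERSHELL_SOURCETYPE = "ms:iis:webglobalmodule"
# Constructed sample: the search-time stanza pasted literally, plus a completed PowerShell stanza.
SAMPLE = r"""[monitor://C:\inetpub\logs\LogFiles]
disabled = false
sourcetype = [ ms:iis:default | ms:iis:default:85 | ms:iis:splunk ]
index = <preferred index>

[powershell://IISModules]
disabled = 0
script = Get-WebGlobalModule
schedule = * */1 * * *
sourcetype = ms:iis:webglobalmodule
index = iis
"""

def parse_conf(text):
    """Parse .conf text into {stanza_name: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint(text):
    """Return a list of (stanza, problem) tuples; an empty list means no findings."""
    findings = []
    for name, kv in parse_conf(text).items():
        if name.startswith("monitor://"):
            allowed = MONITOR_SOURCETYPES
        elif name == "powershell://IISModules":
            allowed = {POWERSHELL_SOURCETYPE}
        else:
            continue  # stanza type not described on this page
        st = kv.get("sourcetype", "")
        if st not in allowed:
            findings.append((name, f"sourcetype {st!r} is not one of {sorted(allowed)}"))
        index = kv.get("index", "")
        if not index or index.startswith("<"):
            findings.append((name, "index is not set or is still a placeholder"))
        if kv.get("disabled", "false").lower() in ("1", "true"):
            findings.append((name, "input is explicitly disabled"))
    return findings
```

Calling lint(SAMPLE) reports two findings for the monitor stanza (the choice list left in sourcetype and the placeholder index) and none for the PowerShell stanza.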
This documentation applies to the following versions of Splunk® Supported Add-ons: released