Splunk® Supported Add-ons

Splunk Add-on for Microsoft IIS

Configure inputs in the Splunk Add-on for Microsoft IIS

Configure file monitoring inputs

Configure directory monitoring inputs on your data collection node for Microsoft IIS logs. Your forwarders must be installed directly on your Microsoft IIS servers or have the Microsoft IIS log files copied or shared to them from the Microsoft IIS servers. You can configure inputs directly on your forwarders or you can configure inputs on a deployment server and push them to your forwarders.

Configure file monitoring inputs using Splunk Web

  1. Log in to Splunk Web.
  2. Click Settings > Data inputs.
  3. Click Files & directories.
  4. Click New.
  5. In the File or Directory field, specify the path to the Microsoft IIS standard log directory (default: %SystemDrive%\inetpub\logs\LogFiles) or advanced log directory (default: %SystemDrive%\inetpub\logs\AdvancedLogs), then click Next.
  6. In the Sourcetype field, enter the Microsoft IIS source type that matches the field extraction you plan to use.
    • ms:iis:auto enables automatic index-time field extraction. Supports Splunk recommended MS IIS fields if enabled.
    • ms:iis:default enables search-time field extraction.
    • ms:iis:default:85 enables search-time field extraction. Preferable for MS IIS version 8.5 and greater.
    • ms:iis:splunk enables search-time field extraction for Splunk recommended fields MS IIS.
  7. Click Review and review the information.
  8. If all the information is correct, click Submit.

Next step
Configure the log format to allow extractions using the ms:iis:default, ms:iis:default:85 or ms:iis:splunk sourcetype. See Configure field transformations for the Splunk Add-on for Microsoft IIS.

Configure file monitoring inputs using the configuration files

  1. Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/inputs.conf.
  2. Depending on the IIS source type and field extraction method you want to use, add one of the following stanzas, replacing the default IIS log directory path name with the actual value in your environment and the value for index where you want to collect data into.
    Index-time field extraction:
    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = ms:iis:auto
    index = <preferred index>
    

    Search-time field extraction:

    [monitor://C:\inetpub\logs\LogFiles]
    disabled = false
    sourcetype = [ ms:iis:default | ms:iis:default:85 | ms:iis:splunk ]
    index = <preferred index>
    

  3. Save the file.
  4. Restart the Splunk platform for the new inputs to take effect.

Configure PowerShell inputs

The Splunk Add-on for MS IIS has the following PowerShell input(s). For this, your forwarders must be installed directly on your Microsoft IIS servers. You can configure inputs directly on your forwarders or you can configure inputs on a deployment server and push them to your forwarders:

  • powershell://IISModules - This input collects a list of IIS global modules installed on the IIS servers.

Configure PowerShell inputs using Splunk Web

  1. Log in to Splunk Web.
  2. Select Settings then Data inputs.
  3. Select Powershell v3 Modular Input.
  4. The PowerShell input for IISModules must be present.
  5. Select the IISModules input to update the schedule and then select the More settings checkbox to update the host and index values according to your needs.
  6. After updating the fields, select Save.
  7. Select Enable under the Status field to enable the PowerShell input.

Configure Powershell inputs using the configuration files

  1. Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/local/inputs.conf.
  2. Copy the "powershell://IISModules" stanza from the $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-iis/default/inputs.conf to this local conf file. Update the schedule and index values according to your needs. Example:
    [powershell://IISModules]
    disabled = 0
    script = Get-WebGlobalModule
    schedule = * */1 * * *
    sourcetype = ms:iis:webglobalmodule
    index = <preferred index>
    
  3. Save the file.
  4. Restart the Splunk platform for the new input to take effect.
Last modified on 31 January, 2024
Install the Splunk Add-on for Microsoft IIS   Configure field transformations in the Splunk Add-on for Microsoft IIS

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters