A universal forwarder can be used to collect IIS logfiles from servers.
- Enable TCP receiving port
Add a TCP receiving port under Settings -> Forwarding and receiving -> Receive data. The default is port 9997, but it can be customized. Firewall ports have to be opened in GCP (SaaS) and on the server (On-Premise) to allow connections on port 9997 (or the customized port) and on port 8089 (which can be reverse proxied).
- Download the universal forwarder that matches the Splunk version in use from https://www.splunk.com/en_us/download/universal-forwarder.html
- Install the universal forwarder via the command line, replacing {GENERATE_PASSWORD} with a generated password and customername.uxmapp.com with the DNS name of the server receiving the data.
msiexec.exe /i splunkforwarder-9.0.2-17e00c557dc1-x64-release.msi AGREETOLICENSE=yes SPLUNKUSERNAME=splunkadmin SPLUNKPASSWORD={GENERATE_PASSWORD} DEPLOYMENT_SERVER=https://customername.uxmapp.com:8089 RECEIVING_INDEXER="customername.uxmapp.com:9997" /quiet
- Set up the app to be deployed to universal forwarders
Log in to the deployment server or search head that was configured during install under DEPLOYMENT_SERVER=X and create the app directory:
cd /opt/splunk/etc/deployment-apps/
mkdir -p deployed_app_name/default
nano deployed_app_name/default/inputs.conf
chown -R splunk:splunk ./deployed_app_name
For IIS monitoring you can add:
inputs.conf
[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
disabled = false
ignoreOlderThan = 30d
sourcetype = uxm:iis
index = uxmapp_iis
props.conf
[uxm:iis]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = w3c
LINE_BREAKER = ([\r\n]+)
MAX_TIMESTAMP_LOOKAHEAD = 32
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Web
description = W3C Extended log format produced by the Microsoft Internet Information Services (IIS) web server
detect_trailing_nulls = auto
disabled = false
pulldown_type = 1
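The INDEXED_EXTRACTIONS = w3c setting above makes the forwarder read the #Fields: directive of each IIS log and split every data line into those named fields, which is why the props.conf stanza travels in the deployed app rather than staying on the indexer. The following Python script is an added example, not part of this page or of Splunk, that performs the same W3C Extended parsing on a constructed sample log and then aggregates status codes per client IP, the kind of view the IIS dashboard gives once the uxmapp_iis index is populated. The sample log lines, field list and IP addresses are all constructed for illustration.

```python
"""Parse IIS W3C Extended log lines the way Splunk's INDEXED_EXTRACTIONS = w3c
does: the '#Fields:' directive names the columns, other '#' lines are
directives without event data, and each data line is whitespace-separated.
The sample log below is constructed for this example, not captured from a server."""
from collections import Counter
from typing import Dict, Iterator, List

# Constructed sample of an IIS W3C Extended log (documentation IP ranges only).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-01-15 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-01-15 00:00:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2023-01-15 00:00:02 10.0.0.5 GET /admin/login.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 401 2 5 8
2023-01-15 00:00:03 10.0.0.5 POST /admin/login.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 401 2 5 9
2023-01-15 00:00:04 10.0.0.5 GET /index.html - 443 - 203.0.113.9 curl/8.0 - 200 0 0 3
2023-01-15 00:00:05 10.0.0.5 GET /missing - 443 - 203.0.113.9 curl/8.0 - 404 0 2 4
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names from the most recent
    '#Fields:' directive. IIS re-emits the header when a log is rotated or
    the logging fields are changed, so the field list is re-read whenever a
    new directive appears instead of being fixed once at the top."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no event data
        values = line.split()
        if not fields or len(values) != len(fields):
            # A line before any header, or with a column count that does not
            # match the header, would mis-align every field: skip it.
            continue
        yield dict(zip(fields, values))


def status_by_client(text: str) -> Dict[str, Counter]:
    """Count HTTP status codes per client IP (c-ip), mirroring a simple
    dashboard panel over the indexed uxm:iis events."""
    summary: Dict[str, Counter] = {}
    for event in parse_w3c(text):
        summary.setdefault(event["c-ip"], Counter())[event["sc-status"]] += 1
    return summary


if __name__ == "__main__":
    for ip, codes in status_by_client(SAMPLE_LOG).items():
        print(ip, dict(codes))
```

Note that IIS writes a single `-` for an empty field and replaces spaces inside values such as the User-Agent with `+`, which is what keeps every data line splittable on whitespace; a log whose lines do not match the column count of the #Fields: header is the first thing to check when fields come out shifted in Splunk.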
Reload the deployment server by executing:
sudo runuser -l splunk -c '/opt/splunk/bin/splunk reload deploy-server'
You can clone the iis sourcetype on the indexer under Settings -> Source types to receive events as uxm:iis to comply with the OEM License restrictions.
- Assign universal forwarders to the deployment
See https://docs.splunk.com/Documentation/Splunk/9.0.2/Updating/Updateconfigurations
Create a serverclass under Settings -> Forwarder Management
Add the apps and clients to the new serverclass.
- Data will begin to be collected in the selected index; you can use the attached IIS dashboard to see the data.
For more information see examples at: https://docs.splunk.com/Documentation/Splunk/9.0.2/Updating/Extendedexampledeployseveralstandardforwarders