
Sending Cloudmersive Private Cloud Logs to Splunk
1/1/2025 - Cloudmersive Support


Below is a step-by-step guide on how to ingest IIS logs from a Cloudmersive Private Cloud deployment (which uses IIS) into Splunk. These instructions assume that you have administrative access to both the Windows Server where Cloudmersive Private Cloud is running (and thus where IIS logs reside) and the Splunk environment (either Splunk Enterprise or Splunk Cloud).


Prerequisites

  1. Administrative Permissions:

    • You must have administrative privileges on the Windows Server hosting Cloudmersive Private Cloud (IIS logs).
    • You must have credentials with sufficient permissions to configure Splunk data inputs and/or install forwarders on the Windows Server.
  2. Splunk Universal Forwarder:

    • If you plan to forward IIS log data from a Windows Server to a Splunk indexer (or Heavy Forwarder), you need to install the Splunk Universal Forwarder on the same host running Cloudmersive Private Cloud.
  3. Windows IIS:

    • Ensure IIS logging is enabled on your Windows Server. Typically, logs are stored under:
      C:\inetpub\logs\LogFiles\
      

Install and Configure Splunk Universal Forwarder

Skip this section if you already have a Splunk forwarder installed and running on your Windows Server.

  1. Download and install the Universal Forwarder:

    • Download the appropriate Universal Forwarder installer for your Windows version from Splunk Downloads.
    • Run the installer with administrative privileges.
    • Follow the prompts and provide the required configuration details (Splunk credentials, default management port, etc.).
  2. Obtain the Splunk Receiver Information:

    • You will need the Splunk indexer’s hostname or IP and the receiving port (often 9997 by default) if you are sending logs directly to the indexer or heavy forwarder.
  3. Enable Receiving on the Splunk Indexer (if needed):

    • In Splunk Web on the Indexer:
      • Go to Settings > Forwarding and receiving > Receive data.
      • Click New Receiving Port and enter the port (e.g., 9997).
      • Save your changes.
  4. Configure the Forwarder to send data to the Indexer:

    • On the Windows Server, open the Splunk Universal Forwarder configuration file outputs.conf, typically found under:

      C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
      
    • Add or update the [tcpout] settings to point to your Splunk Indexer:

      [tcpout]
      defaultGroup = default-auto
      
      [tcpout:default-auto]
      server = <your_indexer_hostname_or_IP>:9997
      
    • Restart the Universal Forwarder service for changes to take effect.

      net stop splunkforwarder
      net start splunkforwarder
      

Identify the IIS Log Directory

By default, IIS logs are stored under:

C:\inetpub\logs\LogFiles\

Each site configured within IIS typically has its own sub-folder (e.g., W3SVC1, W3SVC2, etc.). Confirm the specific path for Cloudmersive Private Cloud’s IIS site logs by:

  1. Opening Internet Information Services (IIS) Manager.
  2. Right-clicking on the specific site (Cloudmersive Private Cloud site).
  3. Selecting Explore or Open Feature for Logging to identify the folder path.
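The same lookup can be done from an elevated PowerShell prompt on the server, which is handier than clicking through IIS Manager when several sites are configured. The script below is an added example, not part of the original article; it assumes the IIS WebAdministration PowerShell module is available on the host (it is installed with the IIS Management Scripts and Tools feature). It resolves each site's configured log directory, appends the W3SVC<id> sub-folder that IIS actually writes to, and reports whether that folder exists and whether logging is enabled for the site.

```powershell
# Added example (not from the original article): resolve the real IIS log folder
# for every site so the Splunk monitor stanza points at the right W3SVC<id> path.
# Assumes the WebAdministration module is installed on the server.
Import-Module WebAdministration

function Get-IisSiteLogFolder {
    # Returns one object per IIS site: name, numeric id, resolved log folder,
    # whether that folder exists yet, and whether site-level logging is enabled.
    foreach ($site in Get-Website) {
        # logFile.directory usually contains %SystemDrive%, so expand it first
        $base   = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        $folder = Join-Path $base ("W3SVC{0}" -f $site.id)
        [pscustomobject]@{
            Site           = $site.name
            Id             = $site.id
            LogFolder      = $folder
            FolderExists   = Test-Path $folder
            LoggingEnabled = $site.logFile.enabled
        }
    }
}

Get-IisSiteLogFolder | Format-Table -AutoSize
```

A site whose folder does not exist yet has simply not served a request since logging was enabled; a site with LoggingEnabled = False will never produce the files the forwarder is waiting for, which is worth checking before spending time on the Splunk side.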

Configure the Universal Forwarder to Monitor IIS Logs

  1. Open the inputs.conf file:

    • Typically located here on Windows:
      C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
      
  2. Create a new monitor stanza for IIS logs:

    • Add a stanza that points to your IIS log directory and set the correct sourcetype for IIS logs. For instance:
      [monitor://C:\inetpub\logs\LogFiles\W3SVC*]
      sourcetype = iis
      # Or any index you prefer; it must be defined in Splunk
      index = iis_logs
      disabled = 0
      
    • Note: If you prefer to monitor all subdirectories under LogFiles, you can use:
      [monitor://C:\inetpub\logs\LogFiles\*]
      sourcetype = iis
      index = iis_logs
      disabled = 0
      
  3. Save and Exit:

    • After saving the file, restart the Splunk Universal Forwarder service:
      net stop splunkforwarder
      net start splunkforwarder
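Steps 1 to 3 above can be scripted so the stanza is added exactly once and the forwarder is restarted only when something changed. The script below is an added example, not part of the original article or of Splunk's own tooling; the file path, log root and index name are the defaults used in this guide and should be adjusted to match your deployment. Note that Splunk .conf files only treat a line starting with # as a comment, so the annotation is written on its own line rather than after the value.

```powershell
# Added example (not from the original article): append the IIS monitor stanza
# to the Universal Forwarder's inputs.conf if it is missing, then restart the
# forwarder. Paths and index name are assumptions matching this guide.
$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
$LogRoot    = 'C:\inetpub\logs\LogFiles\W3SVC*'
$Index      = 'iis_logs'   # must already exist on the indexer

function Add-IisMonitorStanza {
    param([string]$Path, [string]$Root, [string]$IndexName)

    $header = "[monitor://$Root]"
    # Comments in Splunk .conf files must be on their own line and start with '#';
    # anything after a value on the same line becomes part of that value.
    $stanza = @(
        ''
        '# IIS logs for Cloudmersive Private Cloud'
        $header
        'sourcetype = iis'
        "index = $IndexName"
        'disabled = 0'
    ) -join "`r`n"

    if ((Test-Path $Path) -and (Select-String -Path $Path -Pattern $header -SimpleMatch -Quiet)) {
        Write-Host "Stanza $header already present in $Path; nothing to do."
        return $false
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Add-Content -Path $Path -Value $stanza -Encoding ascii
    Write-Host "Appended $header to $Path"
    return $true
}

if (Add-IisMonitorStanza -Path $InputsConf -Root $LogRoot -IndexName $Index) {
    # Equivalent to 'net stop splunkforwarder' followed by 'net start splunkforwarder'
    Restart-Service -Name SplunkForwarder
}
```

Run it from an elevated prompt, since both writing under Program Files and restarting the service require administrative rights.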
      

Create/Verify the IIS Index in Splunk

If you’ve specified a custom index (e.g., iis_logs) in inputs.conf, ensure it exists on your Splunk indexer:

  1. In Splunk Web, go to Settings > Indexes.
  2. Click New Index (if not already created).
  3. Provide a name, e.g., iis_logs.
  4. Save the new index.

(Optional) Install and Configure the Splunk Add-on for Microsoft IIS

For better field extractions and CIM compliance, you can use the Splunk Add-on for Microsoft IIS. This add-on automatically extracts many IIS fields and makes searches easier.

  1. Download the Add-on from Splunkbase.
  2. Install the Add-on on your search head (and on your heavy forwarders if relevant).
  3. Configure the add-on to process data with the sourcetype iis or a custom sourcetype you define.

Validate Data Ingestion

  1. Log in to Splunk (either Enterprise or Cloud).

  2. Navigate to Search & Reporting (or Search in Splunk Cloud).

  3. Run a search for your index and sourcetype:

    index=iis_logs sourcetype=iis
    

    If you used a different index name, adjust the search accordingly.

  4. Check for New Events:

    • You should see events corresponding to your IIS logs.
    • Confirm fields are properly extracted (e.g., date_time, cs_uri_stem, sc_status, etc.) if using the Splunk Add-on for Microsoft IIS.
  5. Troubleshoot if necessary:

    • Verify the Universal Forwarder is running.
    • Check splunkd.log on the forwarder for errors (found in C:\Program Files\SplunkUniversalForwarder\var\log\splunk\).
    • Confirm that the Indexer is receiving traffic (forwarder management screen or Monitoring Console in Splunk).
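The three troubleshooting checks above can be run together from the Windows Server. The script below is an added example, not part of the original article or of Splunk's product; the indexer hostname, receiving port and forwarder install path are assumptions that you should replace with your own values. It reports the service state, whether the indexer's receiving port is reachable over the network, what the forwarder is configured to send to and monitor, and the most recent ERROR lines from splunkd.log.

```powershell
# Added example (not from the original article): health check for the forwarder
# side of this setup. Indexer host/port and install path are assumptions.
$Indexer    = 'your_indexer_hostname_or_IP'
$Port       = 9997
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'

function Test-SplunkForwarderHealth {
    $result = [ordered]@{}

    # 1. Is the Universal Forwarder service running at all?
    $svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
    $result.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # 2. Can this host open a TCP connection to the indexer's receiving port?
    #    Firewall and DNS problems show up here before anything else.
    $result.IndexerReachable = Test-NetConnection -ComputerName $Indexer -Port $Port -InformationLevel Quiet

    # 3. What the forwarder believes it is sending to, and which paths it monitors
    $result.ForwardServers  = & $SplunkExe list forward-server
    $result.MonitoredInputs = & $SplunkExe list monitor

    # 4. Recent errors written by the forwarder itself
    if (Test-Path $SplunkdLog) {
        $result.RecentErrors = Get-Content $SplunkdLog -Tail 200 |
            Select-String -Pattern ' ERROR ' |
            Select-Object -Last 10 |
            ForEach-Object Line
    }
    return [pscustomobject]$result
}

$health = Test-SplunkForwarderHealth
$health | Format-List
if (-not $health.ServiceRunning)   { Write-Warning 'SplunkForwarder service is not running.' }
if (-not $health.IndexerReachable) { Write-Warning "Cannot reach $Indexer on TCP $Port; check firewall rules and outputs.conf." }
```

The two splunk.exe list commands authenticate against the local forwarder and will prompt for its admin credentials unless you append -auth <user>:<password>; an empty MonitoredInputs result usually means inputs.conf was saved to the wrong directory or the service was not restarted after editing it.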

Recommended Search & Dashboards

Once data is flowing, you can create dashboards to monitor key metrics from your Cloudmersive Private Cloud instance:

  1. Requests Over Time:

    index=iis_logs sourcetype=iis
    | timechart count by cs_method
    
  2. Top 10 URIs:

    index=iis_logs sourcetype=iis
    | stats count by cs_uri_stem
    | sort -count
    | head 10
    
  3. HTTP Status Breakdown:

    index=iis_logs sourcetype=iis
    | stats count by sc_status
    | sort -count
    

Use these searches as a starting point for further exploration and to build operational dashboards.
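When a dashboard number looks wrong, it helps to reproduce the same aggregation directly from a raw IIS log file on the server. The script below is an added example, not part of the original article; the log lines in it are constructed sample data, not output from a real deployment. It reads field names from the #Fields: header the way Splunk's IIS parsing does, approximating Splunk's field naming by turning the hyphenated W3C names (cs-uri-stem) into the underscore names used in the searches above (cs_uri_stem), and then computes the same three breakdowns locally.

```powershell
# Added example (not from the original article): parse IIS W3C log lines using
# the '#Fields:' header and reproduce the three Splunk searches above locally,
# so dashboard figures can be spot-checked against a raw log. Sample data is
# constructed; paths and addresses are placeholders.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-01 00:00:01 10.0.0.5 POST /example/scan - 443 - 10.0.0.20 client/1.0 - 200 0 0 120
2025-01-01 00:00:02 10.0.0.5 POST /example/convert - 443 - 10.0.0.21 client/1.0 - 200 0 0 340
2025-01-01 00:00:03 10.0.0.5 GET /status - 443 - 10.0.0.22 monitor/2.1 - 200 0 0 3
2025-01-01 00:00:04 10.0.0.5 POST /example/scan - 443 - 10.0.0.23 client/1.0 - 401 0 0 5
2025-01-01 00:00:05 10.0.0.5 POST /example/scan - 443 - 10.0.0.20 client/1.0 - 200 0 0 110
2025-01-01 00:00:06 10.0.0.5 GET /status - 443 - 10.0.0.22 monitor/2.1 - 500 0 0 8
'@

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # IIS writes hyphenated names (cs-uri-stem); Splunk shows them with
            # underscores (cs_uri_stem). Parentheses in cs(User-Agent) are mapped too.
            $fields = ($line.Substring(8).Trim() -split ' ') |
                ForEach-Object { $_ -replace '[-()]', '_' -replace '_$', '' }
            continue
        }
        # Skip the other directive lines and blanks; everything else is an event
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$events = ConvertFrom-IisW3cLog -Lines ($SampleLog -split "`r?`n")

'Requests by method:'
$events | Group-Object cs_method | Select-Object Name, Count

'Top 10 URIs:'
$events | Group-Object cs_uri_stem | Sort-Object Count -Descending | Select-Object -First 10 Name, Count

'HTTP status breakdown:'
$events | Group-Object sc_status | Sort-Object Count -Descending | Select-Object Name, Count
```

To check a real file, replace the here-string with Get-Content against one of the u_ex*.log files in the site's W3SVC folder; the field list is taken from the header of that file, so the script adapts to whatever logging fields IIS has been configured to write.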


Summary

By following these steps:

  1. Install and configure the Splunk Universal Forwarder on the Windows Server running IIS for Cloudmersive Private Cloud.
  2. Set up monitor inputs for the IIS log directory in inputs.conf.
  3. Specify the correct sourcetype (e.g., iis) and index (e.g., iis_logs).
  4. Validate ingestion by searching the logs in Splunk.

This setup ensures comprehensive visibility into your Cloudmersive Private Cloud’s IIS logs, allowing you to monitor activity, troubleshoot issues, and generate insights through Splunk dashboards and alerts.
