I am running version 6.3.0 on my indexer and all my universal forwarders. I'm currently trying to get things configured properly on one of my IIS servers before pushing this configuration out to all of my other IIS servers.
The IIS logs are being forwarded to my index, but the only fields that are being extracted are `host`, `source` and `sourcetype`.
The `inputs.conf` on my IIS server contains:
```
[monitor://]
sourcetype = iis
index = iis_logs
```
The `props.conf` on my IIS server contains:
```
[iis]
INDEXED_EXTRACTIONS = w3c
```
My indexer contains the default `props.conf`, which includes:
```
[iis]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
INDEXED_EXTRACTIONS = w3c
detect_trailing_nulls = auto
category = web
description = w3c Extended log format produced by the Microsoft Internet Information Services (IIS) web server
```
Am I missing something that is preventing my indexer from extracting the fields from the IIS logs?