I would suggest you use the McAfee Windows Agent for testing purposes (if you can). Below is the URL link on how to configure IIS as a data source using the Windows Agent.
It's not necessary to install the agent on the IIS server, as you can install it on your PC as well.
The IIS logs come from 16 different servers and are dropped to a share, where the data source is configured to use CIFS file and look in a share for the files. The files all have the same name, just from different servers, so for example all 16 files are named ex0018.log and I have to rename them to something like servername_ex0018.log. The collector only seems to do 1 file at a time and only files named ex*.log; it doesn't ever seem to read the files named server_ex*.log.
How would tailing these logs help me?
Is it even possible for the collector/parser to read more than 1 file at a collection interval?
I have configured my local device as an agent and I can see in the logs that the agent is tailing the logs; however, the data is not getting retrieved from ESM. Is there any log file that I can look at to see where the failure might be?
I have found the debug logs and I see the agent getting the data.
But the data is not getting to the ESM as far as I can tell.
I have my data source set up as:
Data source Model: Internet Information Service
Data Format: Default
Data Retrieval: MEF
Host ID: Match Host ID of the configuration I created in the Windows Agent.
Need some assistance.
Have you verified that IIS is logging in the format expected by the IIS parser?
Here are a couple of KB articles that describe the expected format:
What format must the Microsoft IIS logs be in to be parsed with the SIEM Receiver?
How to configure IIS WebServer as a data source
The latter article discusses sending the logs via syslog, which you can ignore, since it looks like you're using the SIEM collector via MEF. However, the instructions for configuring the log format are valid for your use case.
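A quick way to answer the format question raised in the last reply before opening a collector ticket is to check the log file itself. The following is an added example, not code from the thread or from McAfee. It assumes that the IIS parser expects IIS's default W3C Extended Log Format (a `#Fields:` directive followed by space-separated rows with one value per declared field); the exact field list the SIEM parser wants is in the linked KB articles and is not reproduced here. The two sample logs are constructed.

```python
"""Check whether an IIS log file is in W3C Extended Log Format and parse it.

Added example (not from the original thread or McAfee). Assumption: the SIEM
IIS parser expects the W3C Extended format, i.e. a '#Fields:' directive
followed by space-separated rows with one value per declared field.
"""
from __future__ import annotations

# Constructed sample: a small W3C-format IIS log as IIS 6 writes it (ex*.log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-03-01 00:00:01 10.0.0.5 GET /index.htm - 80 - 192.0.2.10 Mozilla/5.0 200 0 0
2012-03-01 00:00:02 10.0.0.5 GET /login.aspx - 80 - 192.0.2.11 Mozilla/5.0 302 0 0
"""

# Constructed sample of the other IIS logging option (IIS native, comma
# separated), which has no '#Fields:' directive and so cannot be mapped by a
# parser that expects W3C Extended format.
SAMPLE_NON_W3C = """192.0.2.10, -, 3/1/2012, 0:00:01, W3SVC1, WEB01, 10.0.0.5, 15, 200, 1500, 200, 0, GET, /index.htm, -,
"""


def parse_w3c_iis_log(text: str) -> tuple[list[str], list[dict[str, str]], list[str]]:
    """Return (fields, records, problems).

    problems collects the format issues a collector would trip over: a missing
    '#Fields:' directive, or rows whose value count differs from the field count.
    """
    fields: list[str] = []
    records: list[dict[str, str]] = []
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives: #Software, #Version, #Date, #Fields. Only #Fields
            # matters for mapping values to names.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            problems.append(f"line {lineno}: data before any #Fields directive (not W3C format?)")
            continue
        # W3C rows are space separated; IIS replaces spaces inside values with '+'.
        values = line.split()
        if len(values) != len(fields):
            problems.append(f"line {lineno}: {len(values)} values for {len(fields)} fields")
            continue
        records.append(dict(zip(fields, values)))
    if not fields:
        problems.append("no #Fields directive found: file is not W3C Extended format")
    return fields, records, problems


def is_w3c_format(text: str) -> bool:
    """True when the log parses cleanly as W3C Extended format."""
    _, _, problems = parse_w3c_iis_log(text)
    return not problems


if __name__ == "__main__":
    for name, sample in (("w3c", SAMPLE_LOG), ("native", SAMPLE_NON_W3C)):
        fields, records, problems = parse_w3c_iis_log(sample)
        print(f"{name}: {len(records)} records, fields={fields}")
        for p in problems:
            print("  problem:", p)
```

Run it against one of the ex*.log files copied from the share (replace the constructed samples with the file contents); if it reports "no #Fields directive", the server is writing IIS native format and the log format needs to be changed per the KB articles before the collector can parse it.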