For faster support I moved this to SIEM which I assume it's about.
Instead of creating client data sources, have you tried just creating three separate parent data sources and setting the respective host ID for each?
What parser are you using? Try Microsoft as vendor, IIS (ASP) and retrieval set to MEF.
Thanks for the reply.
Unfortunately, you cannot have multiple data sources using the same IP address for the same log type. Since I have 3 IIS Logs on the same data source, I am unable to create 3 Parent Data Sources.
The Parent / Child layout will not work either due to the same duplicate IP / log type issue. Which leaves the only option (that I can think of) the Parent / Client route. This allows me to set the IP / Hostname on the Parent and only set the Host ID for each "client" which is really just a different path to a different log file on the same server.
As it stands right now, I have no trouble getting all the logs to the SIEM - the problem is that I cannot get the logs to show under their respective "Client" data sources I have created. Below is how it looks right now.
IIS Server Parent Data Source - All IIS Logs for Website A, B, C showing when I click this data source - No way to determine log source!
- Website A Client Data Source - No logs showing here
- Website B Client Data Source - No logs showing here
- Website C Client Data Source - No logs showing here
Any and all ideas are welcome! Thanks.
@streamer Thank you! I have been racking my brain about the Agent Configuration for 2 days straight!
This helps me out VERY much!
If you use IIS 8.5 and above you could also enable your IIS server to write the IIS logs to the Event log and pick them up from there with the SIEM Collector Event log collector.
This works well for us.
Do you use an IP address in the parent datasource configuration? The picture blurred it out. Thank you.
I have more or less the same case, but the thing is I'm using a remote system to fetch IIS logs. When I do, I get an error, which is displayed in the attached screenshot.
Also, do I need to add it as a separate data source? The McAfee collector utility is installed on the system and I'm also getting Windows events from it, but the same collector is also used to fetch logs from the remote system, which is the IIS web server.
@asadz instead of trying to pull from a remote directory, why are you not just simply installing the Collector Agent on the 10.25.1.74 machine? Then you can just make a data source for 10.25.1.74 on the Event Receiver...
I have never seen log collection configured in the manner in which you are attempting, so I cannot really comment on if that will even work or not.