IIS 7 and Above
Centralized Logging via Windows Event Forwarding.
Last post Jan 24, 2018 09:49 AM by Yuk Ding
Jan 23, 2018 04:32 AM|aunraza|LINK
Hello, I understand that with Windows Server 2016, and possibly earlier, it is possible to send IIS logs to the event viewer, as well as the file. I was able to get the logs to the Event Viewer on the local machine running IIS, however, when I try to use
Windows Event Forwarding to retrieve the logs from a Collector, I am unable to do so. The collector doesn't show the option for IIS-Logging when selecting events. It only shows the option if IIS is installed, and even then it is unable to retrieve the logs.
The standard Windows logs (Application, System, Security, etc.) show up just fine.
The purpose of this is to set up a centralized logging server, and then use an application such as NXLog to forward to a syslog server. Any help would be appreciated!
Jan 23, 2018 06:38 AM|Yuk Ding|LINK
If you need to set up Windows Event Forwarding, please ensure that IIS Manager -> site level -> Logging -> "Both log file and ETW event" has been selected.
Secondly, please go to Event Viewer -> Applications and Services Logs\Microsoft\Windows\IIS-Logging -> right-click Logs -> Enable.
Then you can create the subscription for Applications and Services Logs\Microsoft\Windows\IIS-Logging.
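The three steps above, scripted as an added example (this is editor-supplied PowerShell, not code from the thread). It assumes the site is called "Default Web Site", that the channel behind the Event Viewer node IIS-Logging\Logs is named Microsoft-IIS-Logging/Logs, that the subscription is collector initiated with a source named iis01.corp.example, and that it runs in an elevated prompt.

```powershell
# Added example: enable IIS ETW logging for a site, enable the IIS-Logging channel,
# and create a collector-initiated WEF subscription for that channel.
# Site name, channel name, subscription id and source host are assumptions.

# --- On each IIS server (the event source) ---
Import-Module WebAdministration

$siteName = 'Default Web Site'     # assumption: the site whose requests should be forwarded

# Step 1: "Both log file and ETW event" in IIS Manager is logTargetW3C = "File,ETW"
# (the attribute exists from IIS 8.5 onward).
Set-ItemProperty -Path "IIS:\Sites\$siteName" -Name logFile.logTargetW3C -Value 'File,ETW'
Get-ItemProperty -Path "IIS:\Sites\$siteName" -Name logFile.logTargetW3C     # verify

# Step 2: enable the channel shown in Event Viewer under
# Applications and Services Logs\Microsoft\Windows\IIS-Logging\Logs.
$channel = 'Microsoft-IIS-Logging/Logs'      # assumption: channel name behind that node
wevtutil.exe set-log $channel /enabled:true
Get-WinEvent -ListLog $channel | Select-Object LogName, IsEnabled, RecordCount

# --- On the collector ---
# Step 3: define the subscription as XML and load it with wecutil. The query names the
# channel explicitly, so the collector does not need IIS installed to subscribe to it.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>IIS-Logging</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>IIS W3C request log forwarded over ETW</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Microsoft-IIS-Logging/Logs">
          <Select Path="Microsoft-IIS-Logging/Logs">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>iis01.corp.example</Address>   <!-- assumption: the IIS server's FQDN -->
    </EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'iis-logging-subscription.xml'
$subscriptionXml | Out-File -FilePath $xmlPath -Encoding ascii
wecutil.exe cs $xmlPath          # create the subscription from the XML
wecutil.exe gs IIS-Logging       # show the stored configuration
wecutil.exe gr IIS-Logging       # per-source runtime status, including the last error
```

The "Select Events" dialog in the Event Viewer subscription wizard only lists channels that exist on the collector itself, which is why IIS-Logging is absent there unless IIS is installed; writing the query in the XML (or pasting it on the wizard's XML tab) names the channel directly, so the source is what has to have it enabled. Events then arrive in the collector's ForwardedEvents log, which is the log NXLog would read.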
Jan 23, 2018 06:43 AM|aunraza|LINK
This works fine on the local machine and I see the logs there, but when using Windows Event Forwarding, where I want to be able to see these events on a central server, I am unable to do so. This works fine for the standard Windows logs.
Jan 23, 2018 08:19 AM|Yuk Ding|LINK
You also need to ensure the machines are in the same domain. Secondly, remember to run cmd as administrator and then run
to enable the centralized subscription on the target server.
If it fails, please try to disable the firewall.
Of course, you need to enable the group policy.
Jan 23, 2018 10:29 AM|aunraza|LINK
Centralized logging is working for Windows Logs (Application, System, Security, etc.), but is not working for IIS Logging as I mentioned earlier. The machines are in the same domain. I've already run that command you mentioned as part of the initial steps
to enable centralized logging, but I understand that as part of Windows 2012 and higher, winrm is enabled by default.
Any other suggestions?
Jan 24, 2018 09:49 AM|Yuk Ding|LINK
What's the status when you right-click the subscription -> Status? And could you pass the test when you add the computer to collector initiated? I think the problem must be that the user account doesn't have permission to access the forwarded event log. So please
ensure you have added the domain account to Active Directory Users and Computers\domain.com\Builtin\Event Viewer Log User.
Just remember to reboot both servers.
If it is still not working, please try this:
In addition, remember to disable the firewall.
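The checks the two replies above point at (subscription status, the account's right to read the forwarded channel, the WinRM and firewall state on the source), as an added example rather than anything posted in the thread. It assumes the subscription id is IIS-Logging, the source is iis01.corp.example, the channel is Microsoft-IIS-Logging/Logs, the account the collector uses is CORP\wef-reader, and that both halves run in elevated prompts. It verifies the firewall rule WinRM needs instead of disabling the firewall, which is the check a defender wants before loosening anything.

```powershell
# Added example: diagnose a collector-initiated subscription for the IIS ETW channel.
# Subscription id, source host, channel name and reader account are assumptions.

$subscriptionId = 'IIS-Logging'
$source         = 'iis01.corp.example'
$channel        = 'Microsoft-IIS-Logging/Logs'
$readerAccount  = 'CORP\wef-reader'

# --- On the collector ---
# Same information as right-click subscription -> Runtime Status in Event Viewer:
# per-source state and the last error code/message.
wecutil.exe gr $subscriptionId

# Is WinRM on the source reachable at all? A failure here is a network, listener or
# firewall problem, not an event-log permission problem.
Test-WSMan -ComputerName $source

# Can the collector's account enumerate the channel remotely? "Access is denied" means the
# account lacks read access on the source; an unknown-log error means the channel is not
# enabled there (Step 2 of the earlier reply).
$cred = Get-Credential -UserName $readerAccount -Message 'Account used by the subscription'
Get-WinEvent -ComputerName $source -Credential $cred -ListLog $channel |
    Select-Object LogName, IsEnabled, RecordCount

# --- On the source (the IIS server) ---
# The group the reply calls "event viewer log user" is Event Log Readers: the local
# group on a member server, the Builtin container's group on a domain controller.
Get-LocalGroupMember -Group 'Event Log Readers'
# Grant read access by adding the account the collector authenticates with:
# Add-LocalGroupMember -Group 'Event Log Readers' -Member $readerAccount

# Channel access control list; the SDDL should grant read (0x1) to Event Log Readers (S-1-5-32-573).
wevtutil.exe gl $channel

# WinRM service plus its inbound rule, checked rather than switched off with the firewall.
Get-Service WinRM | Select-Object Status, StartType
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile, Direction
```

Read the output in that order: a subscription whose runtime status shows the source as Active but with no IIS events usually means the channel is enabled on the source but the reader account cannot open it, and the remote Get-WinEvent call reproduces exactly that failure with the account the collector uses. After changing group membership, restarting the Windows Event Collector service on the collector (or the reboot the reply suggests) makes the subscription retry with the new token.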