IIS log ingestion using AMA Agents for multiple IIS sites

AdamBaumgartner-4096 0 Reputation points
2023-01-27T00:19:02.34+00:00

I have installed an AMA agent on an internal IIS server via Azure Arc in an attempt to ingest logs into Microsoft Sentinel.

The ingestion works for a single site, but we have multiple sites on the single IIS server, and the data source only allows specifying a single log location for IIS.

Our logging is configured on a per-site basis, so logs are stored as:

C:\inetpub\logs\LogFiles\W3SVC1

C:\inetpub\logs\LogFiles\W3SVC2

C:\inetpub\logs\LogFiles\W3SVC3

Under Home > Monitor > Data Collection Rules > Data Sources > Data Source > File Pattern

Only a single location can be specified, otherwise the collection does not work.

Does anyone know what file pattern can be used for multiple locations? Using the root, commas for multiple locations, or leaving it empty does not work.


2 answers

  1. tbgangav-MSFT 10,416 Reputation points
    2023-01-27T04:39:10.8833333+00:00

    Hi,

    As explained here, you can use a file wildcard *, i.e., C:\inetpub\logs\LogFiles\W3SVC*


  2. Richard 25 Reputation points
    2024-10-22T22:38:31.7666667+00:00

    It seems you can now achieve this using comma-separated file pattern entries:

    create-a-data-collection-rule-for-a-text-file

    This would, however, mean you will need to continually update the list as new IIS sites and log folders are created, so still not ideal almost 2 years later...

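The second answer points out that a comma-separated list has to be kept in step with the sites on the server. The following is an added example, not part of the thread and not Microsoft tooling, that reports per-site log folders that no configured pattern covers. The function name and sample values are constructed, and treating `*` with PowerShell's `-like` rules is an assumption about how the agent matches.

```powershell
# Added example: report IIS log folders that no configured file pattern covers.
# Assumption: '*' is evaluated with PowerShell's -like rules (case-insensitive),
# which may differ in detail from the agent's own matching.
function Get-UncoveredLogDirectory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $LogDirectory,
        # Comma-separated patterns, as typed into the File Pattern field
        [Parameter(Mandatory)] [string] $FilePattern
    )
    # Split the list, drop empty entries and trailing backslashes
    $patterns = $FilePattern -split ',' |
        ForEach-Object { $_.Trim().TrimEnd('\') } |
        Where-Object { $_ }

    foreach ($dir in $LogDirectory) {
        $path = $dir.TrimEnd('\')
        $covered = $false
        foreach ($pattern in $patterns) {
            if ($path -like $pattern) { $covered = $true; break }
        }
        if (-not $covered) { $path }   # emit only the gaps
    }
}

# Constructed sample input: four per-site folders, three of them listed.
$root = 'C:\inetpub\logs\LogFiles'
$dirs = 1..4 | ForEach-Object { "$root\W3SVC$_" }
$listed = "$root\W3SVC1, $root\W3SVC2, $root\W3SVC3"

Get-UncoveredLogDirectory -LogDirectory $dirs -FilePattern $listed
Get-UncoveredLogDirectory -LogDirectory $dirs -FilePattern "$root\W3SVC*"

# On the server itself, feed the real folders instead of the sample:
# $dirs = (Get-ChildItem $root -Directory -Filter 'W3SVC*').FullName
```

Run on a schedule, any path this returns is a site whose requests are being logged locally but not ingested into Sentinel.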
