Trying to correlate failed logon attempts (event 4776) with the IIS OWA logs, I realized that the OWA logs are in UTC by default and I am in CEST time (Madrid).

To configure time zone settings, edit the nf file in $FORWARDER_HOME/etc/system/local/ or in your own custom application directory in $FORWARDER_HOME/etc/apps/.

I deployed several apps in the exchange server but only one app is reporting wrongly, called TA-Windows-Exchange-IIS.

So I only need to change the timezone in that specific app if I understood correctly.
And this is what I did, creating the file nf in the local path of the app.
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Windows-Exchange-IIS\local

I restarted the splunkforwarder service just in case.

The result is that the time is still wrongly taken from those exchange events, in UTC.
Below an example of a log of our IIS 10.0, sourcetype MSWindows:2012:IIS
#Software: Microsoft Internet Information Services 10.0

The EWS event, sourcetype MSWindows:2013EWS:IIS
#Software: Microsoft Exchange Server
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken OriginalClientIP
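For the correlation the post describes, the UTC offset can also be handled at analysis time. The following is an added example, not part of the original post: it parses W3C-format IIS lines using the `#Fields:` header quoted above, treats `date time` as UTC, and renders 401 responses in local time. The log lines are constructed samples, the function names are hypothetical, and the fixed +02:00 offset for CEST is an assumption.

```python
from datetime import datetime, timezone, timedelta

# Assumption: fixed summer offset for Madrid. zoneinfo.ZoneInfo("Europe/Madrid")
# would also handle the CET/CEST switch where tz data is installed.
CEST = timezone(timedelta(hours=2), "CEST")

# Constructed sample; only the #Software and #Fields lines come from the post.
SAMPLE = """\
#Software: Microsoft Exchange Server
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken OriginalClientIP
2024-07-01 22:30:05 10.0.0.5 POST /EWS/Exchange.asmx - 443 alice@example.test 10.0.0.77 ExampleAgent/1.0 - 401 0 0 15 203.0.113.9
2024-07-01 22:31:40 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 10.0.0.77 ExampleAgent/1.0 - 401 1 1326 9 203.0.113.9
2024-07-01 22:32:00 10.0.0.5 POST /EWS/Exchange.asmx - 443 bob@example.test 10.0.0.77 ExampleAgent/1.0 - 200 0 0 31 203.0.113.10
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # truncated or malformed line: skip rather than misalign
            rec = dict(zip(fields, values))
            # IIS W3C logs record date and time in UTC; make that explicit.
            stamp = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
            rec["_time"] = stamp.replace(tzinfo=timezone.utc)
            yield rec


def auth_failures(text, local_tz=CEST):
    """Return (local ISO time, username, original client IP) for HTTP 401s."""
    return [
        (r["_time"].astimezone(local_tz).isoformat(),
         r["cs-username"], r["OriginalClientIP"])
        for r in parse_w3c(text) if r["sc-status"] == "401"
    ]


if __name__ == "__main__":
    for row in auth_failures(SAMPLE):
        print(*row)
```

Note that the first sample event falls on the next calendar day once converted, which is where date-based joins against local-time Security events tend to go wrong.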