This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 31%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA4%3C/text%3E%3C/svg%3E)
I have installed an AMA agent on an internal IIS server via Azure ARC in an attempt to ingest logs into Microsoft Sentinel.
The ingestion works for a single site, but we have multiple sites on the single IIS server, and the data source only allows specifying a single log location for IIS.
Our logging is configured on a per site basis, so logs are stored as;
C:\inetpub\logs\LogFiles\W3SVC1
C:\inetpub\logs\LogFiles\W3SVC2
C:\inetpub\logs\LogFiles\W3SVC3
Under Home > Monitor > Data Collection Rules > Data Sources > Data Source > File Pattern
Only a single location can be specified, otherwise the collection does not work.
Does anyone know what file pattern can be used for multiple locations? Using the root, commas for multiple locations, or leaving it empty does not work.
Hi,
As explained here, you can use a file wildcard * i.e., C:\inetpub\logs\LogFiles\W3SVC*
Thanks for the reply.
This is for custom log collection and does not seem to work for IIS logs, additionally the article states the following in relation to files patterns "There is no support for directory wildcards."
@tbgangav-MSFT Thanks for the reply.
Unfortualty this applies to custom logs and not IIS logs, additionally the article states the following in regard to file patterns.
"To collect log data in this scenario, you can use a file wildcard. Use the format C:\directoryA\directoryB\*MyLog.txt for Windows and /var/*.log for Linux. There is no support for directory wildcards."
Cheers.
Hi,
Thanks for the update. Yes, the provided document reference was intentional because if https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-iis doesn't help in your use case i.e., having multiple sites on single IIS server then you may follow https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-text-log approach to see if it helps and the note was around file wildcard * as of course currently there is no support for directory wildcards as mentioned in the referred Azure document.
If interested, as shown in below screenshot please go to Feedback section in https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-iis and click on "This product" option and share feature request to support directory wildcards which helps in your use case. In general, Azure product or feature team would check feasibility of a feature request, prioritize against existing feature backlog, add in roadmap as appropriate and would announce and/or update related Azure document once a feature request is addressed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
It seems you can now achieve this using comma separated file pattern entries:
create-a-data-collection-rule-for-a-text-file
This would however mean you will need to continually update the list as new IIS sites and log folders are created, so still not ideal almost 2 years later...