Why are IIS logs not being indexed from Windows Share?

seanbarbour
New Member

I have a universal forwarder (6.3.3 x64) installed on Windows Server 2012 R2 that is supposed to index IIS logs that live on another Windows server. I am not able to install forwarders on (floating IP for 3 servers) via a Windows share.

I verified the domain user that I am using has access to the log files. I initially installed the forwarder in low privileged mode, however, during troubleshooting, I found that the forwarder was reporting access denied errors when attempting to write to the fishbuckets. To resolve, I added the service account to the local admins group.

Here are my configuration files:

~~~
$SPLUNK_HOME/etc/deployment-apps/web_farm_iis/inputs.conf:

[monitor://\\host01.domain.suffix\logs\folder01.uis.kent.edu\W3SVC2\*.txt]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis

[monitor://\\host02.domain.suffix\logs\folder02.uis.kent.edu\W3SVC2]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis
# whitelist/blacklist in inputs.conf are regular expressions, not globs;
# "*.txt" is not a valid regex, so match the extension at end of path instead
whitelist = \.txt$

serverclass.conf:

[serverClass:web_farm_iis]
whitelist.0 = serverWithForwarder
[serverClass:web_farm_iis:app:web_farm_iis]
~~~

I know the two stanzas are different. I did this while troubleshooting. I have a global stanza that points the repository location to $SPLUNK_HOME/etc/deployment-apps.
I confirmed that the forwarder is receiving the configuration file and the contents of the inputs.conf matches.
I am using Splunk 6.3.3, single Splunk server.


lguinn2
Legend

The deployment apps in SPLUNK_HOME/etc/deployment-apps/ must follow the standards for Splunk apps. That means that they must have the subdirectory structure with default, meta and local subdirectories at a minimum, and they should also contain app.conf and default.meta files.

Because your app (web_farm_iis) does not have the correct structure, Splunk does not "see" the inputs.conf file.

Also see App creation and deployment

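Two things in this thread are easy to check mechanically before opening a support ticket: whether the monitor stanzas in the question are well formed (Splunk's whitelist/blacklist values are regular expressions, and a UNC source needs the forwarder's service account, not Local System, to have share and NTFS read access), and whether the deployment app has the layout the answer above describes (default/, local/, metadata/default.meta, default/app.conf, with inputs.conf under default/ or local/). The script below is an added example, not code from the post or from Splunk; the sample inputs.conf is constructed to mirror the two UNC stanzas in the question, the app.conf and default.meta contents are the usual minimal ones, and Python's re module stands in for Splunk's PCRE when compiling the patterns.

```python
"""Sanity checks for a Splunk deployment app that monitors IIS logs over UNC."""
import configparser
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample mirroring the two UNC stanzas from the question (assumed, not the live files).
SAMPLE_INPUTS_CONF = r"""
[monitor://\\host01.domain.suffix\logs\folder01.uis.kent.edu\W3SVC2\*.txt]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis

[monitor://\\host02.domain.suffix\logs\folder02.uis.kent.edu\W3SVC2]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis
whitelist = *.txt
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\[^\\]+")   # matches \\server\share...


@dataclass
class Finding:
    stanza: str
    level: str      # "error" or "warn"
    message: str


def parse_conf(text: str) -> dict:
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str            # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_inputs_conf(text: str) -> list:
    """Flag UNC sources (service-account access needed) and invalid whitelist/blacklist regexes."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        if UNC_RE.match(path):
            findings.append(Finding(stanza, "warn",
                "UNC source: the forwarder's service account (not Local System) "
                "needs share and NTFS read access to it"))
        # whitelist/blacklist are regular expressions in Splunk, not shell globs.
        # Python's re is an approximation of Splunk's PCRE; "*.txt" fails in both.
        for key in ("whitelist", "blacklist"):
            if key in kv:
                try:
                    re.compile(kv[key].strip())
                except re.error as exc:
                    findings.append(Finding(stanza, "error",
                        f"{key} '{kv[key]}' is not a valid regex ({exc}); "
                        "use e.g. \\.txt$ to keep only .txt files"))
        if "index" not in kv:
            findings.append(Finding(stanza, "warn", "no index set; events go to the default index"))
    return findings


# Minimal app skeleton (assumed standard layout; contents are the usual minimal ones).
REQUIRED_PATHS = ("default", "local", "metadata", "default/app.conf", "metadata/default.meta")
APP_CONF = "[install]\nstate = enabled\n\n[ui]\nis_visible = false\n"
DEFAULT_META = "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n"


def missing_app_parts(app_root: str) -> list:
    """Return what a deployment app still lacks before Splunk treats it as an app."""
    missing = [p for p in REQUIRED_PATHS if not os.path.exists(os.path.join(app_root, p))]
    if not any(os.path.exists(os.path.join(app_root, d, "inputs.conf")) for d in ("default", "local")):
        missing.append("default/inputs.conf or local/inputs.conf")
    return missing


def build_app(app_root: str, inputs_conf: str) -> None:
    """Write the skeleton, placing inputs.conf under local/ rather than at the app root."""
    for d in ("default", "local", "metadata"):
        os.makedirs(os.path.join(app_root, d), exist_ok=True)
    with open(os.path.join(app_root, "default", "app.conf"), "w") as f:
        f.write(APP_CONF)
    with open(os.path.join(app_root, "metadata", "default.meta"), "w") as f:
        f.write(DEFAULT_META)
    with open(os.path.join(app_root, "local", "inputs.conf"), "w") as f:
        f.write(inputs_conf)


def demo() -> tuple:
    """Reproduce the question's layout (inputs.conf at the app root), then fix it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "web_farm_iis")
        os.makedirs(app)
        with open(os.path.join(app, "inputs.conf"), "w") as f:
            f.write(SAMPLE_INPUTS_CONF)
        before = missing_app_parts(app)
        build_app(app, SAMPLE_INPUTS_CONF)
        after = missing_app_parts(app)
    return before, after


if __name__ == "__main__":
    for finding in check_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"[{finding.level}] {finding.stanza}: {finding.message}")
    before, after = demo()
    print("missing before:", before)
    print("missing after:", after)
```

Run against the sample, the second stanza's `whitelist = *.txt` is reported as an invalid regex and both stanzas are flagged as UNC sources, which is the prompt to verify the service account's share and NTFS permissions rather than widening them to local administrator. The skeleton check lists every missing part of the app before `build_app` and nothing after it.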

seanbarbour
New Member

I copied the logs to the server that the forwarder is installed on and added a new stanza to index the files that were copied to C:\logs\serverName and the logs were picked up by the forwarder and sent to the indexer.

I have other deployment-apps that work on the local directory with inputs.conf.

I still added the directories you suggested and it did not resolve the issue. The directories were created on the forwarder after I reloaded the server class.


seanbarbour
New Member

I submitted a support ticket to see if there is a way to resolve this issue.
