I have a universal forwarder (6.3.3 x64) installed on Windows Server 2012 R2 that is supposed to index IIS logs that live on another Windows server. I am not able to install forwarders on (floating IP for 3 servers) via a Windows share.
I verified the domain user that I am using has access to the log files. I initially installed the forwarder in low privileged mode; however, during troubleshooting, I found that the forwarder was reporting access denied errors when attempting to write to the fishbuckets. To resolve, I added the service account to the local admins group.
Here are my configuration files:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$SPLUNK_HOME/etc/deployment-apps/web_farm_iis/inputs.conf:

[monitor://\\host01.domain.suffix\logs\folder01.uis.kent.edu\W3SVC2\*.txt]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis

[monitor://\\host02.domain.suffix\logs\folder02.uis.kent.edu\W3SVC2]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis
whitelist = *.txt

serverclass.conf:

[serverClass:web_farm_iis]
whitelist.0 = serverWithForwarder

[serverClass:web_farm_iis:app:web_farm_iis]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I know the two stanzas are different. I did this while troubleshooting. I have a global stanza that points the repository location to $SPLUNK_HOME/etc/deployment-apps.
I confirmed that the forwarder is receiving the configuration file and the contents of the inputs.conf matches.
I am using Splunk 6.3.3, single Splunk server.
The deployment apps in SPLUNK_HOME/etc/deployment-apps/ must follow the standards for Splunk apps. That means that they must have the subdirectory structure with default, meta and local subdirectories at a minimum, and they should also contain app.conf and default.meta files.
Because your app (web_farm_iis) does not have the correct structure, Splunk does not "see" the inputs.conf file.
Also see App creation and deployment
I copied the logs to the server that the forwarder is installed on and added a new stanza to index the files that were copied to C:\logs\serverName and the logs were picked up by the forwarder and sent to the indexer.
I have other deployment-apps that work on the local directory with inputs.conf.
I still added the directories you suggested and it did not resolve the issue. The directories were created on the forwarder after I reloaded the server class.
I submitted a support ticket to see if there is a way to resolve this issue.