Splunk Enterprise

Why am I unable to see IIS logs from one of the servers that has forwarder installed?

shivamchopra
New Member

Splunk 6.4.3
I am unable to see IIS logs from one of the servers that has the forwarder installed.
I have the following configuration on the universal forwarder:

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2]
sourcetype=iis
disabled = 0

outputs.conf
[tcpout:default-autolb-group]
server = :9997

Would someone please advise what the missing configuration is?


bheemireddi
Communicator

Are you searching in the right index? You did not specify an index name in your inputs.conf, which means you are expecting events in index=main?

If you are sure there is nothing wrong on the forwarder side/path etc., maybe try index=* sourcetype=iis
OR maybe search for index=* source="inetpub"
Maybe you do have events, and just need to search in the right place?


shivamchopra
New Member

I am doing the search below:
index=* host=XXXX


bheemireddi
Communicator

shivamchopra,

You can always check the Splunk logs on the universal forwarder to see if it has a watch on that path or if it is actually complaining that it cannot read the path.

Make sure you have some events in the log files you are reading.

You mentioned sending to the HF first; make sure it is not indexing locally and is in fact forwarding them across.
Sometimes we miss the obvious: check if the forwarder is in fact talking to the indexer, and check the _internal index for that forwarder host.


shivamchopra
New Member

Yes, I can see in the logs that the UF has a watch on that path:

07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1

Yes, events are there in the log file.
The HF is not indexing locally; it is just a forwarder. I can see Windows logs from the same server on the Splunk server. Just the IIS logs are not appearing.


spodda01da
Path Finder

Hi Shivam, I have the same issue... did you manage to resolve it?


johneng89
Loves-to-Learn

Hello there,

I encountered the same issue, did you get to resolve it?


shivamchopra
New Member

When I post the answer on this screen, it automatically removes the backslash before *.


gcusello
SplunkTrust

To show it correctly, use the Code Sample button (the button with 101010).

Probably this is a stupid check: did you verify the log path?
Because I read that sometimes IIS logs are in different folders, such as %SystemDrive%\inetpub\logs\LogFiles, or %SystemDrive%\Windows\System32\LogFiles\HTTPERR, or C:\Windows\System32\LogFiles\W3SVC1.
You can see this in the IIS console.

Bye.
Giuseppe


shivamchopra
New Member

Yes, I have already verified the path of the log file.


gcusello
SplunkTrust

Try putting the absolute path, without using $WINDIR.
Bye.
Giuseppe


shivamchopra
New Member

That doesn't fix it either.


shivamchopra
New Member

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0


shivamchopra
New Member

Sorry - I put a backslash before *, it still doesn't work

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0


shivamchopra
New Member

Thanks for your response. It still doesn't work.

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

In outputs.conf, the IP is for the heavy forwarder, and the HF is directing to the indexer.


gcusello
SplunkTrust

Beware: there must be a backslash before the stars

[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]

Bye.
Giuseppe


gcusello
SplunkTrust

Hi shivamchopra,
I don't see files in your monitor command

inputs.conf

[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]
sourcetype=iis
disabled = 0

or a limited set.
About outputs.conf, I imagine that in your file you have the indexer IP:

outputs.conf

[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997

Bye.
Giuseppe

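The two checks raised in this thread, looking at the UF's splunkd.log for a TailingProcessor watch on the path, and making sure the monitor stanza names the right directory and file glob, as an added example that is not part of the thread or of Splunk's own code: a Python script that expands $WINDIR / %SystemDrive% variables in the monitor stanzas of an inputs.conf text and reports any stanza whose directory does not appear in an "Adding watch on path" line. The inputs.conf, the splunkd.log excerpt and the SAMPLE_ENV mapping are constructed sample data, not taken from a real host.

```python
import re
# Constructed sample inputs.conf, modelled on the stanzas discussed in this thread.
INPUTS_CONF = r"""
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]
sourcetype=iis
disabled = 0
[monitor://%SystemDrive%\inetpub\logs\LogFiles\W3SVC1]
sourcetype=iis
disabled = 0
"""
# Constructed splunkd.log excerpt in the TailingProcessor format quoted in the thread.
SPLUNKD_LOG = r"""
07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1
07-26-2017 04:07:06.201 -0400 INFO TailingProcessor - Adding watch on path: C:\inetpub\logs\LogFiles\W3SVC1
"""
# Assumed forwarder-host environment (constructed; use os.environ on a real host).
SAMPLE_ENV = {"WINDIR": r"C:\Windows", "SystemDrive": "C:"}
STANZA_RE = re.compile(r"^\[monitor://(.+)\]$")
WATCH_RE = re.compile(r"TailingProcessor - Adding watch on path: (.+?)\s*$")

def norm(path):
    """Normalise a Windows path for comparison: backslashes only, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()

def expand_windows_vars(path, env):
    """Expand $VAR and %VAR% references, case-insensitively, from the given mapping."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"\$(\w+)|%(\w+)%", lambda m: lookup.get((m.group(1) or m.group(2)).lower(), m.group(0)), path)

def monitor_paths(conf_text, env):
    """Expanded, normalised path of every [monitor://...] stanza in an inputs.conf text."""
    stanzas = (STANZA_RE.match(line.strip()) for line in conf_text.splitlines())
    return [norm(expand_windows_vars(m.group(1), env)) for m in stanzas if m]

def watched_paths(log_text):
    """Directories that splunkd.log reports TailingProcessor has put a watch on."""
    hits = (WATCH_RE.search(line) for line in log_text.splitlines())
    return [norm(m.group(1)) for m in hits if m]

def unwatched_stanzas(conf_text, log_text, env):
    """Monitor stanzas whose directory never appears in an 'Adding watch' line.
    A stanza ending in a file glob (such as *.*) is compared on its directory part,
    because the watch line names a directory, as in the sample log above."""
    watched = set(watched_paths(log_text))
    missing = []
    for p in monitor_paths(conf_text, env):
        head, _, tail = p.rpartition("\\")
        if (head if "*" in tail else p) not in watched:
            missing.append(p)
    return missing
```

Run against the sample data it flags the W3SVC2 stanza, because the only watches in the log are on W3SVC1 directories; on a real forwarder read the stanzas from $SPLUNK_HOME\etc\system\local\inputs.conf (or the app's local directory), the watch lines from $SPLUNK_HOME\var\log\splunk\splunkd.log, and the variables from os.environ.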