
Issues with deployed app on windows servers monitoring files

ngoetz9915
New Member

I recently wrote a new deployment app to monitor IIS log files. The app looks like it was deployed to the test server since I can see the app in the SplunkUniversalForwarder\etc\apps directory on the windows server.

For some reason, I am not getting any data back from the log files I am trying to monitor.

Here is a copy of the inputs.conf file for the deployed app:

#
# IIS Logging
#
[monitor://D:\LogFiles\IISLogFiles\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true

There are currently around 150 files (one per day) in the "d:\LogFiles\IISLogFiles\W3SVC1" directory I am trying to monitor.

Thanks,

0 Karma
1 Solution

FrankVl
Ultra Champion

I noticed in your question you actually had the config as [monitor://D:\LogFiles\IISLogFiles\*\*.log], but since you didn't post this in code tags, some of the backslashes disappeared. I edited your question, to put the config in code tags, such that this is more clear.

So in that case it is back to good old fashioned troubleshooting. Any errors in splunkd.log? Does splunk initiate a watch on that folder? Can you confirm the permissions are set correctly?

Also have a look at: http://docs.splunk.com/Documentation/Splunk/7.0.3/Troubleshooting/Cantfinddata


0 Karma

ngoetz9915
New Member

It looks like the website changes some of the code I posted because I forgot to mark it as Code Sample when I copied it to my post.

Here is what is in my inputs.conf file:

#
# IIS Logging
#
[monitor://D:\LogFiles\IISLogFiles\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true
0 Karma

FrankVl
Ultra Champion

I had already fixed that for you in your original question post by putting it in code tags, but thanks for confirming. See my answer below for some troubleshooting pointers 🙂

0 Karma

ngoetz9915
New Member

It looks like the website automatically changed some of my code in the previous post.

Going to try posting this again, but I will mark it as code sample so it doesn't get changed.

Here is what is in my inputs.conf file:

#
# IIS Logging
#
[monitor://D:\LogFiles\IISLogFiles\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true
0 Karma


ngoetz9915
New Member

I think I might have found the issue.

I reviewed the logs on one of the servers that I deployed this app to, but I didn't see any issues. I did see in the logs that the app deployed successfully. Then as part of my troubleshooting I restarted the SplunkForwarder service on one of the windows servers so I could get some clean log files. As soon as I restarted the service, I started getting the data into the indexers.

I never had to manually restart the service before after deploying new apps. Is there something I need to do differently when deploying file monitoring apps? For example, is there a setting I need to put into the deployment app so it automatically restarts the service when the app gets deployed? Once I'm done testing, I am planning to deploy this app to around 200 servers, and I would hate to have to manually restart the SplunkForwarder service on all these servers.

Thanks,

0 Karma

FrankVl
Ultra Champion

Triggering a restart upon app deployment is something you configure in the serverclass.conf (set restartSplunkd = true). Or through the Deployment Server GUI: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Useforwardermanagementtomanageapps

0 Karma

adonio
Ultra Champion

Looks like your monitor stanza does not reflect the exact location where files are at.
location: d:\LogFiles\IISLogFiles\W3SVC1
monitor: //D:\LogFiles\IISLogFiles**.log
Modify your monitor stanza to match the exact location (also make sure it matches the file naming convention):

inputs.conf:
[monitor://D:\LogFiles\IISLogFiles\W3SVC1\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true

hope it helps

0 Karma
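Two checks worth running before an app like this goes out to 200 forwarders are the ones this thread circles around: does the [monitor://...] stanza actually match files on disk (adonio's point about the path, plus the ignoreOlderThan = 180d setting, which silently skips files whose modification time is older than that), and does serverclass.conf set restartSplunkd = true for the app (FrankVl's answer). The script below is an added example written for this page, not code from the thread or from Splunk. It assumes Splunk's documented monitor wildcard rules (`*` stays within one path segment, `...` crosses segments), uses configparser for the .conf files, and builds a constructed IIS log tree in a temp directory in place of the D:\ path so it can run anywhere.

```python
"""Pre-deployment sanity check for a Splunk Universal Forwarder file-monitoring app.

Added example (not from the thread or from Splunk). Assumed wildcard semantics:
'*' matches within one path segment, '...' matches across any depth.
"""
import configparser
import os
import re
import tempfile
import time

# Constructed inputs.conf modelled on the thread's stanza; {root} stands in for D:\.
INPUTS_CONF = """
#
# IIS Logging
#
[monitor://{root}/LogFiles/IISLogFiles/*/*.log]
disabled = false
sourcetype=iis
index=iislogs
ignoreOlderThan = 180d
"""

# Constructed serverclass.conf: one app restarts the forwarder, one does not.
SERVERCLASS_CONF = """
[serverClass:iis_servers]
whitelist.0 = web*

[serverClass:iis_servers:app:iis_inputs]
restartSplunkd = true

[serverClass:iis_servers:app:dns_inputs]
restartSplunkd = false
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def _load(conf_text):
    """Parse .conf text, keeping key case (configparser lowercases keys by default)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def older_than_seconds(value):
    """Convert an ignoreOlderThan value such as '180d' into seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd])\s*", value)
    if not m:
        raise ValueError(f"bad ignoreOlderThan value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def monitor_path_regex(path):
    """Turn a monitor path (backslashes allowed) into a regex over '/'-separated paths."""
    regex = ""
    for tok in re.split(r"(\.\.\.|\*)", path.replace("\\", "/")):
        regex += ".*" if tok == "..." else "[^/]*" if tok == "*" else re.escape(tok)
    return re.compile("^" + regex + "$")


def _static_prefix(path):
    """Path up to the first wildcard segment; the directory walk starts there."""
    static = []
    for seg in path.replace("\\", "/").split("/"):
        if "*" in seg or "..." in seg:
            break
        static.append(seg)
    return "/".join(static) or "/"


def files_matching(monitor_path, now=None, ignore_older_than=None):
    """Return (matched, skipped_old): files the stanza picks up, and files it
    would skip because their mtime is beyond ignoreOlderThan."""
    pattern, start = monitor_path_regex(monitor_path), _static_prefix(monitor_path)
    now = time.time() if now is None else now
    candidates = [start] if os.path.isfile(start) else []
    for dirpath, _dirs, files in os.walk(start):
        candidates.extend(os.path.join(dirpath, f) for f in files)
    matched, skipped_old = [], []
    for p in sorted(candidates):
        if not pattern.match(p.replace(os.sep, "/")):
            continue
        too_old = ignore_older_than is not None and now - os.path.getmtime(p) > ignore_older_than
        (skipped_old if too_old else matched).append(p)
    return matched, skipped_old


def check_inputs(conf_text, now=None):
    """Evaluate every enabled [monitor://...] stanza: {stanza: (matched, skipped_old)}."""
    cp, report = _load(conf_text), {}
    for section in cp.sections():
        opts = cp[section]
        if not section.startswith("monitor://") or opts.get("disabled", "false").strip().lower() in ("1", "true"):
            continue
        limit = opts.get("ignoreOlderThan")
        report[section] = files_matching(section[len("monitor://"):], now,
                                         older_than_seconds(limit) if limit else None)
    return report


def apps_without_restart(serverclass_text):
    """App stanzas lacking restartSplunkd = true: new inputs there wait for a manual restart."""
    cp = _load(serverclass_text)
    return [s for s in cp.sections() if ":app:" in s
            and cp[s].get("restartSplunkd", "false").strip().lower() != "true"]


def build_sample_tree(now=None):
    """Constructed IIS log tree in a temp dir: one fresh log, one 200 days old,
    one wrong extension, one at the wrong depth for '*/*.log'. Returns the root."""
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="uf_check_")
    site = os.path.join(root, "LogFiles", "IISLogFiles", "W3SVC1")
    os.makedirs(site)
    layout = {os.path.join(site, "u_ex240101.log"): now - 3600,
              os.path.join(site, "u_ex230101.log"): now - 200 * 86400,
              os.path.join(site, "readme.txt"): now - 3600,
              os.path.join(root, "LogFiles", "IISLogFiles", "stray.log"): now - 3600}
    for path, mtime in layout.items():
        with open(path, "w") as fh:
            fh.write("#Fields: date time s-ip cs-method cs-uri-stem\n")  # constructed header
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for stanza, (matched, old) in check_inputs(INPUTS_CONF.format(root=root)).items():
        print(stanza, "\n  picked up:", matched, "\n  skipped (ignoreOlderThan):", old)
    print("apps without restartSplunkd = true:", apps_without_restart(SERVERCLASS_CONF))
```

Run it with the real inputs.conf and serverclass.conf from the deployment app: an empty "picked up" list means the stanza path or file naming does not match what is on the server, a populated "skipped" list explains missing history without any error in splunkd.log, and any app listed in the last line will need a forwarder restart before its inputs take effect.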