Hi, I am running exchange 2010 and I am having trouble with the IIS logs from 2 of my servers. I have 2 in NJ and 1 in the UK, I am getting all the IIS logs from the CAS server in the UK but not the 2 CAS servers in NJ. They are all configured identically. I have verified the inputs are exactly the same on all the server.
I am fresh out of ideas, anything I should look for?
What is your architecture ? Do you use Universal forwarders to get the IIS logs ? Do your files appears in the TailingProcessor:FileStatus ? (check https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus)
If everything is ok on the CAS servers and if you receive others events on the indexer, it means that you should check the configuration of your indexer. Do you have some nullQueue configuration in a props.conf file ?
Does this article on troubleshooting iis logs.
I did check all that and there are no firewalls enabled. I am getting other data from that server, but just not the IIS logs.
Are other data inputs flowing in from the 2 CAS servers such as event logs, security, etc.? Have you checked the firewall rules between your NJ servers and the Splunk environment?