My IIS 6 logfiles (W2K3) are getting stuck in the parsingQueue of the SUF - this means that no data gets received from this server. Prior to adding the stanzas below, data was being received normally.
Now I have the following in Metrics.log
03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8
and splunkd.log
03-22-2013 16:35:36.222 +0000 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
03-22-2013 16:35:36.222 +0000 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...
The following inputs.conf on the forwarder (in local)
[monitor://c:\WINDOWS\system32\LogFiles]
disabled=false
recursive=true
followTail = 0
sourcetype=MSWindows:2003:IIS
and props.conf
[MSWindows:2003:IIS]
CHECK_FOR_HEADER = false
I've only just added the props.conf file and sourcetype, but that has not helped (in fact I think it made it worse; I didn't have the BatchReader errors before that).
Any help to configuring IIS to use with a SUF and (debian) indexer would be appreciated!
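The thread turns on reading two things together: the group=queue line in metrics.log (how full the parsingqueue is relative to max_size_kb) and the "Could not send data to output queue" retries in splunkd.log. Below is an added example, not from the original post and not Splunk's own tooling, that parses both and flags a queue that is nearly full and generating retries. The two quoted log lines are taken from the question; the healthy aggqueue line, the TcpOutputProc line and the 80% fill threshold are constructed for illustration.

```python
"""Detect a blocked Splunk forwarder queue from metrics.log and splunkd.log lines.

Added example (not from the original thread): parses the key=value fields of a
metrics.log ``group=queue`` line, computes how full each queue is, and counts
the "Could not send data to output queue" retries per queue in splunkd.log.
Sample lines (beyond the two quoted in the question) and thresholds are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the parsingqueue line quoted in the question plus a
# healthy aggqueue line for contrast.
METRICS_LINES = [
    "03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=parsingqueue, "
    "max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8",
    "03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=aggqueue, "
    "max_size_kb=1024, current_size_kb=3, current_size=1, largest_size=2, smallest_size=0",
]
# Constructed sample input: the two retry lines from the question plus an
# unrelated connection line that must be ignored.
SPLUNKD_LINES = [
    "03-22-2013 16:35:36.222 +0000 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...",
    "03-22-2013 16:35:36.222 +0000 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...",
    "03-22-2013 16:35:40.001 +0000 INFO TcpOutputProc - Connected to idx=10.0.0.5:9997",
]

KV_RE = re.compile(r"(\w+)=([^,\s]+)")
RETRY_RE = re.compile(r"Could not send data to output queue \((\w+)\), retrying")


@dataclass
class QueueStatus:
    """One group=queue sample from metrics.log."""
    name: str
    max_kb: int
    current_kb: int

    @property
    def fill_ratio(self) -> float:
        """Fraction of the queue's byte capacity in use (0.0 if max is unknown)."""
        return self.current_kb / self.max_kb if self.max_kb else 0.0


def parse_queue_metrics(lines):
    """Return a QueueStatus for every metrics.log line with group=queue."""
    result = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if fields.get("group") != "queue":
            continue
        result.append(QueueStatus(
            name=fields["name"].lower(),
            max_kb=int(fields["max_size_kb"]),
            current_kb=int(fields["current_size_kb"]),
        ))
    return result


def count_retries(lines):
    """Count 'Could not send data to output queue' retries per queue name.

    splunkd.log writes the name as parsingQueue while metrics.log writes
    parsingqueue, so names are lower-cased to join the two sources.
    """
    counts = {}
    for line in lines:
        m = RETRY_RE.search(line)
        if m:
            name = m.group(1).lower()
            counts[name] = counts.get(name, 0) + 1
    return counts


def blocked_queues(metrics_lines, splunkd_lines, fill_threshold=0.8, min_retries=1):
    """Names of queues that are at or above fill_threshold and also producing retries."""
    retries = count_retries(splunkd_lines)
    return [
        q.name
        for q in parse_queue_metrics(metrics_lines)
        if q.fill_ratio >= fill_threshold and retries.get(q.name, 0) >= min_retries
    ]


if __name__ == "__main__":
    for q in parse_queue_metrics(METRICS_LINES):
        print(f"{q.name}: {q.current_kb}/{q.max_kb} KB ({q.fill_ratio:.0%})")
    print("retries:", count_retries(SPLUNKD_LINES))
    print("blocked:", blocked_queues(METRICS_LINES, SPLUNKD_LINES))
```

On the question's own lines the parsingqueue is at 449 of 512 KB (about 88%) and both retry messages name it, so it is reported as blocked while aggqueue is not; the same functions can be pointed at a real $SPLUNK_HOME/var/log/splunk directory to confirm whether a queue is full before changing inputs.conf.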
What Windows user are you running the splunkforwarder service as? Most of the Windows problems I see are related to permissions. Make sure the Windows user has access to the IIS logs directory.
Back on site today, and temporarily swapped from Local System to a "God" account with local and network permissions. No luck. It does seem to be the ParsingQueue that dies with the IIS logfiles.
I'll check this next week. It's certainly plausible!
Are you seeing messages in splunkd.log that you are connected to the indexer? Do you have any other inputs on the forwarder that are making it to the indexer?
If I take this logfile stanza out, then I get connections and data flows from the Windows event logs. When I add it, the parsing queue dies and no data flows.
You might want to add a whitelist to your input:
whitelist=*.log
Nice idea, but this doesn't seem to have helped.
Might be a long shot, but I noticed you don't have a slash on the monitor stanza, i.e.:
[monitor://C:\Windows\system32\LogFiles]
Also make sure that the Windows firewall is not blocking the TCP connection between the UF and the Indexer.
I do have the slashes, it's just my (lack of) competence in formatting on this forum. Firewall isn't blocking, as I get the WinEventLog* events through if I take the monitor stanza out.