Re: Splunk not monitoring IIS log due to Binary da...

jchampagne · ‎05-17-2012

I'm having a problem getting Splunk to monitor an active IIS log. When I look at the SplunkD log, I see the following errors:

05-17-2012 16:55:52.503 -0400 WARN FileClassifierManager - The file 'D:\LOGS\MSFTPSVC1\ex120517.log' is invalid. Reason: binary
05-17-2012 16:55:52.503 -0400 INFO TailingProcessor - Ignoring file 'D:\LOGS\MSFTPSVC1\ex120517.log' due to: binary

When I open the log file, I see normal text, however there is a bunch of white space at the bottom of the file. I assume this has to due with IIS still writing to the file.

How can I get Splunk to read this active log file so we can get real-time data?

lguinn2 · ‎05-17-2012

In props.conf, put

[iis*]
NO_BINARY_CHECK = true

This assumes that the "offending" file has a sourcetype that starts with iis. Feel free to substitute a source specification instead of the sourcetype.

lguinn2 · ‎05-17-2012

Also, have you tried running btool on the forwarder -

$ cd /opt/splunkforwarder # or wherever you installed splunk

$ ./splunk btool props list iis --debug

or just

$ ./splunk btool props list --debug | more

lguinn2 · ‎05-17-2012

Where did you put the props.conf?
On the UF or on the indexer?

jchampagne · ‎05-17-2012

I saw that as a possible solution on the Wiki and I tried to implement it....but it didn't seem to work for me.

This server has a Universal forwarder installed and didn't have a props.conf file by default. I created one for my source type and added the no binary check, but I got the same result.

Splunk not monitoring IIS log due to Binary data

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases