I have subfolders under \logs.
C:\inetpub\sites\www.fqdn.com\logs\
C:\inetpub\sites\www.fqdn.com\logs\W3SVC4\ (the log files are here - *.log)
C:\inetpub\sites\www.fqdn.com\logs\FTPSVC4\ (log files are here - *.log)
C:\inetpub\sites\www.fqdn.com\www\
C:\inetpub\sites\www.fqdn.com\www\xxx\
C:\inetpub\sites\www.fqdn.com\www\yyy\
C:\inetpub\sites\another.fqdn.com\logs\
C:\inetpub\sites\another.fqdn.com\logs\W3SVC7\
C:\inetpub\sites\another.fqdn.com\logs\FTPSVC7\
C:\inetpub\sites\another.fqdn.com\www\
C:\inetpub\sites\another.fqdn.com\www\ (webfiles files here)
C:\inetpub\sites\another.fqdn.com\www\aaa\ (more webfiles here)
C:\inetpub\sites\another.fqdn.com\www\bbb\ (more webfiles here)
What I want, which I think you guys understand, is to monitor all log files under \logs\, no matter what the fqdn folder name is, and what folders are under \logs.
I confirmed that if I monitor C:\inetpub\sites\lebara.stag.carrot.no\logs\W3SVC4\ the logs are indexed (as they should be), but I can't seem to get the correct config with wildcards etc...
Update:
If I add whitelist=\\logs\\ I get this output from splunk list monitor:
C:\inetpub\sites\
C:\inetpub\sites\www.fqdn.com
C:\inetpub\sites\www.fqdn.com\logs
C:\inetpub\sites\www.fqdn.com\logs\ProfileWS
C:\inetpub\sites\www.fqdn.com\logs\W3SVC3
C:\inetpub\sites\www.fqdn.com\www
C:\inetpub\sites\www.fqdn.com\www\App_Data
C:\inetpub\sites\www.fqdn.com\www\aspnet_client
etc... (for each website)
If I add a '*' after the last backslash - whitelist=\\logs\\* - I get the logfiles in the monitor list at least, but still \www\ :
C:\inetpub\sites\
C:\inetpub\sites\www.fqdn.com
C:\inetpub\sites\www.fqdn.com\logs
C:\inetpub\sites\www.fqdn.com\logs\ProfileWS
C:\inetpub\sites\www.fqdn.com\logs\ProfileWS\ProfileWS.error.log
C:\inetpub\sites\www.fqdn.com\logs\ProfileWS\ProfileWS.log
C:\inetpub\sites\www.fqdn.com\logs\W3SVC3
C:\inetpub\sites\www.fqdn.com\logs\W3SVC3\u_ex100725.log
C:\inetpub\sites\www.fqdn.com\logs\W3SVC3\u_ex100726.log
C:\inetpub\sites\www.fqdn.com\logs\W3SVC3\u_ex100727.log
C:\inetpub\sites\www.fqdn.com\www
C:\inetpub\sites\www.fqdn.com\www\App_Data
C:\inetpub\sites\www.fqdn.com\www\aspnet_client
I'm getting quite frustrated here 😞 And regex is almost like Greek to me.
Update 2010-07-29:
I'm now running with the whitelist = \\logs\\ config, but no logs get sent to the Splunk indexer. Checking splunkd.log I see this (and lots of the same kind):
07-29-2010 16:07:59.495 INFO TailingProcessor - No configurations match, will ignore path='C:\inetpub\sites\www.fqdn.com\www\bin\CIF.xml'.
07-29-2010 16:07:59.511 INFO TailingProcessor - No configurations match, will ignore path='C:\inetpub\sites\another.fqdn.com\logs\W3SVC7\u_ex100729.log'.
07-29-2010 16:29:20.013 INFO TailingProcessor - No configurations match, will ignore path='C:\inetpub\sites\www.fqdn.com\www\bin\CIF.xml'.
As you all can see, it doesn't match the \logs\ folder and therefore the logs aren't sent to my indexer... Isn't this strange?
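An added example, not part of the original post: the two whitelist values quoted above, evaluated as unanchored regular expressions against full paths taken from the post. In a regex the trailing `*` is a quantifier on the preceding backslash, not a filename glob. Assumptions: the whitelist is a regex searched against the full path, Python's `re` stands in for Splunk's PCRE engine, and the third pattern is a hypothetical stricter candidate, not a confirmed fix.

```python
import re

# Whitelist values quoted in the post, plus one hypothetical stricter pattern
# (an assumption of this example, not a confirmed fix for the post's problem).
PATTERNS = {
    "post_1": r"\\logs\\",        # literal "\logs\"
    "post_2": r"\\logs\\*",       # "\logs" followed by ZERO or more backslashes
    "hypothetical": r"\\logs\\[^\\]+\\[^\\]+\.log$",  # \logs\<dir>\<file>.log
}

# Paths copied from the folder layout and `splunk list monitor` output in the post.
PATHS = [
    r"C:\inetpub\sites\www.fqdn.com\logs",
    r"C:\inetpub\sites\www.fqdn.com\logs\W3SVC3",
    r"C:\inetpub\sites\www.fqdn.com\logs\W3SVC3\u_ex100725.log",
    r"C:\inetpub\sites\www.fqdn.com\logs\ProfileWS\ProfileWS.error.log",
    r"C:\inetpub\sites\another.fqdn.com\logs\W3SVC7\u_ex100729.log",
    r"C:\inetpub\sites\www.fqdn.com\www\App_Data",
    r"C:\inetpub\sites\www.fqdn.com\www\bin\CIF.xml",
]


def matches(pattern, path):
    """Unanchored search of the regex anywhere in the full path."""
    return re.search(pattern, path) is not None


def matched_paths(name):
    """Return the sample paths that the named pattern accepts, in order."""
    return [p for p in PATHS if matches(PATTERNS[name], p)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"whitelist = {pattern}")
        for path in PATHS:
            flag = "match" if matches(pattern, path) else "-----"
            print(f"  {flag}  {path}")
```

None of the three patterns matches a path under \www\, and only the hypothetical pattern excludes the bare directories under \logs\.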