topic Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work in All Apps and Add-ons

Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

skrish91 — Mon, 15 Jul 2019 20:30:09 GMT

I have configured Splunk addon for Microsoft IIS inputs. Please find below the input configuration.

[monitor://C:\inetpub\logs\LogFiles\\*\\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis

I don't see any IIS logs coming in.
I also have other apps installed on this machine and can see the data from those apps.
Is something wrong with the input configuration?

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

kgderrekchapin — Mon, 15 Jul 2019 21:14:38 GMT

What errors are you seeing for the expected file in $SPUNK_HOME/var/log/splunk/splunkd.log?

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

skrish91 — Mon, 15 Jul 2019 21:27:12 GMT

I dont see any errors but I also dont see any data coming in.

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

mmqt — Mon, 15 Jul 2019 22:00:29 GMT

It's probably your monitor path

Try

[monitor://C:\inetpub\logs\LogFiles\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#MONITOR:

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
  foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files
  /foo/1/bar, /foo/2/bar, etc. However, it does not match
  /foo/bar or /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.

Splunk is recursive by default

recursive = <boolean>
* Whether or not the input monitors subdirectories that it finds within a
  monitored directory.
* If you set this setting to "false", the input does not monitor sub-directories
* Default: true.

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

kgderrekchapin — Tue, 16 Jul 2019 18:50:56 GMT

If you know the full file path of the logs you are trying to monitor. Can you search index=_internal for that file path and see if the system is attempting to monitor the files and maybe receiving a permissions error?

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

nick405060 — Tue, 16 Jul 2019 18:59:05 GMT

I just ingested IIS logs a week or two ago. My inputs.conf for TA-Windows-Exchange-IIS that I am pushing out from my deployment server has this stanza (make sure to have the UFs restarted):

[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
whitelist = \.log$|\.LOG$
sourcetype=MSExchange:2013:ActiveSync
queue=parsingQueue
ignoreOlderThan=-1d
index=msexchange
disabled=false

And then my props.conf on my indexer:

[MSExchange:2013:ActiveSync]
TRANSFORMS-set = setnull,setparsing

And the transforms.conf on my indexer:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?i)activesync
DEST_KEY = queue
FORMAT = indexQueue

This is my rex (implemented at search time. Not great, I know):

"(?<date>\S+?)\s+?(?<time>\S+?)\s+?(?<ip1>\S+?)\s+?(?<action>\S+?)\s+?(?<file>\S+?)\s+?(?<long>\S+?)\s+?(?<port>\S+?)\s+?(?<id>\S+?)\s+?(?<ip2>\S+?)\s+?(?<device>\S+?) - (?<num>[\s\S]+)"

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

woodcock — Sun, 28 Jul 2019 11:36:11 GMT

I agree with the problem being your stanza header. Did you try what @mmqt suggested? You need to come back here and followup with your situation and add or Accept an answer. Also, usually IIS inputs use INDEXED_EXTRACTIONS feature which was actually developed just for this data source:
https://www.splunk.com/blog/2013/10/18/iis-logs-and-splunk-6.html

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

skrish91 — Mon, 05 Aug 2019 13:46:02 GMT

Hi,

Thanks for the suggestion. [monitor://C:\inetpub\logs\LogFiles*] doesnt work for some reason.

Solution:

[monitor://C:\inetpub\logs\LogFiles\...\*.log]

Also I was being stupid while searching for this logs. I always included host field in the search and this particular source doesnt include 'host' field by default. That is the reason I didnt get any output when I searched for it.

Re: Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

petemorf — Tue, 01 Sep 2020 21:20:33 GMT

For some reason I can change the index which Splunk addon for Microsoft IIS sends data. After I added the index line, it still sends to main:

[monitor://C:\inetpub\logs\LogFiles\]
disabled = 0
sourcetype = ms:iis:default
index = iis_logs

Changed index to iis_logs, but still sending to main.