https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330456#M6620 <P>that doesn't fix even</P> Thu, 27 Jul 2017 01:52:05 GMT shivamchopra 2017-07-27T01:52:05Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330445#M6609 <P>Splunk 6.4.3<BR />I am unable to see IIS logs from one of the servers that has forwarder installed. <BR />I have following configuration on the universal forwarder:</P> <LI-CODE lang="markup">inputs.conf [monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2] sourcetype=iis disabled = 0 outputs.conf [tcpout:default-autolb-group] server = :9997</LI-CODE> <P>Would someone please advise what is the missing configuration?</P> Wed, 30 Mar 2022 22:24:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330445#M6609 shivamchopra 2022-03-30T22:24:35Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330446#M6610 <P>Hi shivamchopra,<BR /> I don't see files in your monitor command</P> <P><STRONG>inputs.conf</STRONG></P> <PRE><CODE>[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*] sourcetype=iis disabled = 0 </CODE></PRE> <P>or a limitated set<BR /> about outputs.conf I imagine that in your file you have the Indexer IP</P> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[tcpout:default-autolb-group] server = xxx.xxx.xxx.xxx:9997 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 26 Jul 2017 07:19:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330446#M6610 gcusello 2017-07-26T07:19:31Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330447#M6611 <P>Thanks for your response. it still doesn't work.</P> <P>inputs.conf<BR /> [monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]<BR /> sourcetype=iis<BR /> disabled = 0</P> <P>in outputs.conf - the IP is for heavy forwarder and HF is directing to Indexer. </P> Wed, 26 Jul 2017 07:30:30 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330447#M6611 shivamchopra 2017-07-26T07:30:30Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330448#M6612 <P>beware: there must be a backslash before stars</P> <PRE><CODE>[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*] </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 26 Jul 2017 07:57:37 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330448#M6612 gcusello 2017-07-26T07:57:37Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330449#M6613 <P>Sorry - i put blackslash before *, still doesnt work</P> <P>inputs.conf<BR /> [monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]<BR /> sourcetype=iis<BR /> disabled = 0</P> Wed, 26 Jul 2017 08:12:53 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330449#M6613 shivamchopra 2017-07-26T08:12:53Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330450#M6614 <P>inputs.conf<BR /> [monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]<BR /> sourcetype=iis<BR /> disabled = 0</P> Wed, 26 Jul 2017 08:13:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330450#M6614 shivamchopra 2017-07-26T08:13:32Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330451#M6615 <P>when i post the answer on this screen, it automatically removes the backslash before *</P> Wed, 26 Jul 2017 08:14:12 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330451#M6615 shivamchopra 2017-07-26T08:14:12Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330452#M6616 <P>to correctly show it use the Code Sample button (button with 101010).</P> <P>Probably this is a stupid check: did you verified the log path?<BR /> because I read that sometimes IIS logs are in different folders as: <CODE>%SystemDrive%\inetpub\logs\LogFiles</CODE> or in <CODE>%SystemDrive%\Windows\System32\LogFiles\HTTPERR</CODE> or in <CODE>C:\Windows\System32\LogFiles\W3SVC1</CODE>.<BR /> you can see this in IIS console</P> <P>Bye.<BR /> Giuseppe</P> Wed, 26 Jul 2017 08:55:15 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330452#M6616 gcusello 2017-07-26T08:55:15Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330453#M6617 <P>Yes, i have already verified the path of log file.</P> Wed, 26 Jul 2017 10:00:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330453#M6617 shivamchopra 2017-07-26T10:00:48Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330454#M6618 <P>try to put the absolute path not using $WINDIR.<BR /> Bye.<BR /> Giuseppe</P> Wed, 26 Jul 2017 10:54:28 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330454#M6618 gcusello 2017-07-26T10:54:28Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330455#M6619 <P>shivamchopra,</P> <P>You can always check the splunk logs on the universal forwarder to see if it has watch on that path or if it is actually complaining to read the path.</P> <P>Make sure you have some events in the log files you are reading.</P> <P>You mentioned sending to the HF first, make sure it is not indexing locally and in fact forwarding them across. <BR /> sometimes we miss the obvious, check if the forwarder is in fact talking to the indexer, check the _internal index for that forwarder host.</P> Wed, 26 Jul 2017 15:09:37 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330455#M6619 bheemireddi 2017-07-26T15:09:37Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330456#M6620 <P>that doesn't fix even</P> Thu, 27 Jul 2017 01:52:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330456#M6620 shivamchopra 2017-07-27T01:52:05Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330457#M6621 <P>Yes, i can see in the logs that UF has watch on the that path:</P> <P>07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1</P> <P>Yes, events are there in the log file. <BR /> HF is not indexing locally, it is just a forwarder. I can see windows logs from the same server on splunk server. just IIS logs are not appearing. </P> Thu, 27 Jul 2017 01:54:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330457#M6621 shivamchopra 2017-07-27T01:54:16Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330458#M6622 <P>are you searching in the right index? you did not specify index name in your inputs.conf, which means you are expecting events in index=main?</P> <P>If you are sure there is nothing wrong on the forwarder side/path etc. may be try index=* sourcetype=iis<BR /> OR may be search for index=* source="<EM>inetpub</EM>"<BR /> May be you do have events, or search in the right place?</P> Thu, 27 Jul 2017 02:11:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330458#M6622 bheemireddi 2017-07-27T02:11:40Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330459#M6623 <P>i am doing below search: <BR /> index=* host=XXXX</P> Thu, 27 Jul 2017 02:34:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330459#M6623 shivamchopra 2017-07-27T02:34:33Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330460#M6624 <P>Hi Shivam, I have the same issue... did you manage to resolve it ?</P> Tue, 14 Jan 2020 08:04:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/330460#M6624 spodda01da 2020-01-14T08:04:33Z https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/591633#M12020 <P>Hello there,</P><P>I encountered the same issue, did you get to resolve it?</P> Wed, 30 Mar 2022 22:08:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-am-I-unable-to-see-IIS-logs-from-one-of-the-servers-that-has/m-p/591633#M12020 johneng89 2022-03-30T22:08:26Z