topic Problem forwarding Advanced IIS Logs in Getting Data In

Problem forwarding Advanced IIS Logs

DaClyde — Mon, 28 Sep 2020 15:12:37 GMT

I am experiencing an issue where my universal forwarder (v5.0.4) is not forwarding my IIS Advanced Logs to the indexer. Here is the stanza from my inputs.conf

[monitor://F:\inetpub\logs\LogFiles\W3SVC1\]

disabled = false

whitelist = iis_D(\d+)-(\d+).log

sourcetype = adviis

index = adviis

I can tell it sees the logs because I get these entries in my metrics.log:

11-05-2013 14:28:01.726 -0600 INFO Metrics - group=per_index_thruput, series="adviis", kbps=0.012349, eps=0.161290, kb=0.382813, ev=5, avg_age=0.600000, max_age=3

11-05-2013 14:28:01.726 -0600 INFO Metrics - group=per_source_thruput, series="f:\inetpub\logs\logfiles\w3svc1\iis_d20131105-202617637.log", kbps=0.012349, eps=0.161290, kb=0.382813, ev=5, avg_age=0.600000, max_age=3

11-05-2013 14:28:01.726 -0600 INFO Metrics - group=per_sourcetype_thruput, series="adviis", kbps=0.012349, eps=0.161290, kb=0.382813, ev=5, avg_age=0.600000, max_age=3

And my splunkd.log shows it watching the folder:

11-05-2013 13:38:04.363 -0600 INFO TailingProcessor - Adding watch on path: F:\inetpub\logs\LogFiles\W3SVC1.

So why is nothing showing up in my index? I can forward WinEventLogs and standard IIS logs with no issue between these two machines. I even manually imported one of these logs into the indexer just to make sure the "adviis" index and sourcetypes existed (I know that shouldn't be necessary).

I've cleared the fishbucket multiple times, but these files just won't budge.

UPDATE

Shane's answer accounted for everything but my ineptitude and ignorance about how the search head relates to an indexer. From the Manager in the web interface, if you create an index, it is going to create the index on the machine that web UI represents. In my case, I was just creating the adviis index on the search head. No amount of forwarding to the indexer is going to find that index.

To get everything lined up properly, I had to delete the adviis index from the search head and delete the corresponding adviis index folder from /Splunk/var/lib/splunk/. Then I deleted the assorted attempted copies of the same folder and indexes.conf files that had been generated. Then (after finally remembering the login for the indexer), I logged into the web UI on the indexer and created the adviis index through the Manager that way. Now all the bits and pieces were in place, I flushed the fishbucket on my forwarder and data started moving.

So all of Shane's advice was correct, if I had created the index properly in the first place. Thank you Shane!

Re: Problem forwarding Advanced IIS Logs

ShaneNewman — Tue, 05 Nov 2013 20:54:02 GMT

If you are monitoring that exact path twice, one entry will be ignored. You will have to bring them both in with a single monitor stanza, then use props.conf and transforms.conf to distinguish sourcetypes at index time.

props.conf

[iis_log]
NO_BINARY_CHECK = 1
#TRANSFORMS-0_define_sourcetype = iis_sourcetype_transform

transforms.conf

[iis_sourcetype_transform]
SOURCE_KEY = MetaData:Source
REGEX = iis_D(d+)-(d+).log
DEST_KEY = MetaData:Sourcetype
FORMAT =  sourcetype::adviis

Does that help?

Re: Problem forwarding Advanced IIS Logs

yong_ly — Tue, 05 Nov 2013 21:07:01 GMT

I agree with Shane, make sure you don't have conflicting stanzas in inputs/props/transforms..

Another thing you can check the timestamp recognition, I've had something similiar in the past where I thought the logs weren't being indexed only to discover that it had been put into the wrong index or under the wrong sourcetype or the timestamp had read it wrong so it was sitting there but marked as a year ago..

You can check by just searching for the source=inetpub\logs\LogFiles\W3SVC1 over ALL TIME.. that should pick up any instances of the files that have been indexed..

Re: Problem forwarding Advanced IIS Logs

lukejadamec — Tue, 05 Nov 2013 21:37:22 GMT

You can also check the adviis index in Manager>Indexes to see if it is getting data.

Re: Problem forwarding Advanced IIS Logs

kristian_kolb — Tue, 05 Nov 2013 21:49:19 GMT

also, you can verify that the timestamps are parsed correctly.

| dbinspect index=adviis

Check that the earliestTime and latestTime timestamps match your data.

Re: Problem forwarding Advanced IIS Logs

DaClyde — Tue, 05 Nov 2013 22:52:19 GMT

For now, my inputs.conf on the forwarder only has the monitor one stanza.

I've added your recommended stanzas to my props and transforms on the indexer, but so far, no luck. Now I'm getting this message on the search head:

Search peer SPLUNK402 has the following message: received event for unconfigured/disabled/deleted index='adviis' with source='source::F:\inetpub\logs\LogFiles\W3SVC1\iis_D20131105-001238183.log' host='host::Weeble' sourcetype='sourcetype::adviis' (1 missing total)

Re: Problem forwarding Advanced IIS Logs

DaClyde — Tue, 05 Nov 2013 22:53:50 GMT

To append to that, the adviis index does exist because I can see yesteday's log (that I manually imported through the Manager>Data Inputs page) if I do a "search index=adviis sourcetype=adviis" for the last 24 hours.

Re: Problem forwarding Advanced IIS Logs

DaClyde — Tue, 05 Nov 2013 23:01:18 GMT

The timestamps look good on the file I manually imported. Searching all time, and even adding a latest=+10d doesn't find any stray data outside the one manual import.

Re: Problem forwarding Advanced IIS Logs

ShaneNewman — Tue, 05 Nov 2013 23:05:24 GMT

This means that the index has been disabled. When you go through the Manager console and select indexes, does it say the index is disabled? If so, enable it.

Re: Problem forwarding Advanced IIS Logs

DaClyde — Tue, 05 Nov 2013 23:19:41 GMT

It is enabled. I even deleted the index, re-created it, restarted the indexer, flushed the fishbucket on the forwarder and restarted that, but I'm still getting the same error. If I generate traffic on the forwarder, I can see new entries pop up in the metrics.log on the forwarder, so it's trying to work.

Re: Problem forwarding Advanced IIS Logs

ShaneNewman — Tue, 05 Nov 2013 23:22:30 GMT

Just to clarify, SPLUNK402 is your indexer, correct?

Re: Problem forwarding Advanced IIS Logs

DaClyde — Tue, 05 Nov 2013 23:28:52 GMT

That is correct.

Re: Problem forwarding Advanced IIS Logs

ShaneNewman — Tue, 05 Nov 2013 23:32:30 GMT

Do you have time for a quick webex?

Re: Problem forwarding Advanced IIS Logs

DaClyde — Tue, 05 Nov 2013 23:34:12 GMT

Sure, that would be great.

Re: Problem forwarding Advanced IIS Logs

ShaneNewman — Tue, 05 Nov 2013 23:35:40 GMT

send me an email, you can get my contact info by clicking on my username.

Re: Problem forwarding Advanced IIS Logs

ShaneNewman — Thu, 07 Nov 2013 23:40:36 GMT

Anytime! Glad I could help.