topic Re: Why are IIS logs not being indexed from Windows Share? in Getting Data In

Why are IIS logs not being indexed from Windows Share?

seanbarbour — Thu, 21 Apr 2016 18:13:12 GMT

I have a universal forwarder (6.3.3 x64) installed on Windows Server 2012 R2 that is supposed to index IIS logs that live on another Windows server. I am not able to install forwarders on (floating IP for 3 servers) via a Windows share.

I verified the domain user that I am using has access to the log files. I initially installed the forwarder in low privileged mode, however, during troubleshooting, I found that the forwarder was reporting access denied errors when attempting to write to the fishbuckets. To resolve, I added the service account to the local admins group.

Here are my configuration files:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$SPLUNK_HOME/etc/deployment-apps/web_farm_iis/inputs.conf:
[monitor://\\host01.domain.suffix\logs\folder01.uis.kent.edu\W3SVC2\*.txt]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis

[monitor://\\host02.domain.suffix\logs\folder02.uis.kent.edu\W3SVC2]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis
whitelist = *.txt

serverclass.conf:

serverClass:web_farm_iis]
whitelist.0 = serverWithForwarder
[serverClass:web_farm_iis:app:web_farm_iis]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I know the two stanza are different. I did this while troubleshooting. I have a global stanza that points the repsoitory location to $SPLUNK_HOME/etc/deployment-apps.
I confirmed that the forwarder is receiving the configuration file and the contents of the inputs.conf matches.
I am using Splunk 6.3.3, singe Splunk server.

Re: Why are IIS logs not being indexed from Windows Share?

seanbarbour — Fri, 22 Apr 2016 20:30:54 GMT

I submitted a support ticket to see if there is a way to resolve this issue.

Re: Why are IIS logs not being indexed from Windows Share?

lguinn2 — Sun, 24 Apr 2016 01:56:54 GMT

The deployment apps in SPLUNK_HOME/etc/deployment-apps/ must follow the standards for Splunk apps. That means that they must have the subdirectory structure with default, meta and local subdirectories at a minimum, and they should also contain app.conf and default.meta files.

Because your app (web_farm_iis) does not have the correct structure, Splunk does not "see" the inputs.conf file.

Also see App creation and deployment

Re: Why are IIS logs not being indexed from Windows Share?

seanbarbour — Sun, 24 Apr 2016 20:06:38 GMT

I copied the logs to the server that the forwarder is installed on and added a new stanza to index the files that were copied to C:\logs\serverName and the logs were picked up by the forwarder and sent to the indexer.

I have other deployment-apps that work with on the local directory with inputs.conf

I still added the directories you suggested and it did not resolve the issue. The directories were created on the forwarder after I reloaded the server class.