https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411435#M72845 <PRE><CODE>Sorry lost the backslahes. Here is the correct directory structure. E:\weblogs\w3svc1\*.log E:\weblogs\w3svc2\*.log E:\weblogs\w3svc3\*.log </CODE></PRE> Fri, 25 May 2018 17:34:52 GMT putrtek 2018-05-25T17:34:52Z https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411434#M72844 <P>Trying to setup the Universal Forwarder on the Web Server to forward IIS logs to SPLUNK.<BR /> The Windows Event log ARE forwarding correctly. My IIS logs are NOT stored in the default location so I'm trying to figure out the correct stanza to use.</P> <P>My actual IIS log directoiry structure is <BR /> E:\weblogs\w3svc1*.log<BR /> E:\weblogs\w3svc2*.log<BR /> E:\weblogs\w3svc3*.log<BR /> Etc... multiple web sites</P> <P>I tried the following Stanzas neither have seemed to work</P> <P>[monitor://E:\weblogs\*\*.log]<BR /> disabled = 0</P> <P>[monitor://E:\weblogs\...\*.log]<BR /> disabled = 0</P> <P>I even tried tho log just a single site<BR /> [monitor://E:\weblogs\w3svc1\*.log]<BR /> disabled = 0</P> <P>I restart splunk forwarded after changing the path<BR /> If I run 'splunk list monitor' I get for all stanzas<BR /> E:\weblogs*.log</P> <P>No logs are being imported that I can tell</P> <P>Appreciate any assistsnce anyone can provide.</P> <P>-MARK-</P> Fri, 25 May 2018 17:31:28 GMT https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411434#M72844 putrtek 2018-05-25T17:31:28Z https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411435#M72845 <PRE><CODE>Sorry lost the backslahes. Here is the correct directory structure. E:\weblogs\w3svc1\*.log E:\weblogs\w3svc2\*.log E:\weblogs\w3svc3\*.log </CODE></PRE> Fri, 25 May 2018 17:34:52 GMT https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411435#M72845 putrtek 2018-05-25T17:34:52Z https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411436#M72846 <P>Did you verify the splunk process has permissions to the read the log files you want it to monitor?</P> <P>Do you see any events in the $SPLUNK_HOME\var\log\splunkd.log regarding these file monitors?</P> Fri, 25 May 2018 18:02:04 GMT https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411436#M72846 solarboyz1 2018-05-25T18:02:04Z https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411437#M72847 <P>So is there a specific account that needs permissions? I assume it's the account that the SplunkUniveralForwareder service is running under? I will go look in the $SPLUNK_HOME\var\log\splunkd.log to see if anything is there. Thanks for the advise. -MARK-</P> Fri, 25 May 2018 19:04:58 GMT https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411437#M72847 putrtek 2018-05-25T19:04:58Z https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411438#M72848 <P>Sorry it has taken me a while to respond to this. Been very busy on another project just got back to this today.<BR /> The only entiries in my Splunkd.log are as follows</P> <PRE><CODE>05-30-2018 11:52:38.167 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://e:\WebLogs\*.log. 05-30-2018 11:52:38.167 -0400 INFO TailingProcessor - Adding watch on path: e:\WebLogs. </CODE></PRE> <P>I think these are both good</P> <P>Right now my SplunkForwarder Service is running under the Local System account. I haven't been able to figure out how to give that account READ permisssions to the e:\weblogs folder.</P> <P>-MARK-</P> Wed, 30 May 2018 16:25:54 GMT https://community.splunk.com/t5/Getting-Data-In/Correct-path-to-IIIS-logs/m-p/411438#M72848 putrtek 2018-05-30T16:25:54Z