
Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

skrish91
Path Finder

I have configured Splunk addon for Microsoft IIS inputs. Please find below the input configuration.

[monitor://C:\inetpub\logs\LogFiles\\*\\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis

I don't see any IIS logs coming in.
I also have other apps installed on this machine and can see the data from those apps.
Is something wrong with the input configuration?

1 Solution

mmqt
Path Finder

It's probably your monitor path

Try

[monitor://C:\inetpub\logs\LogFiles\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#MONITOR:

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
  foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files
  /foo/1/bar, /foo/2/bar, etc. However, it does not match
  /foo/bar or /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.

Splunk is recursive by default

recursive = <boolean>
* Whether or not the input monitors subdirectories that it finds within a
  monitored directory.
* If you set this setting to "false", the input does not monitor sub-directories
* Default: true.



woodcock
Esteemed Legend

I agree with the problem being your stanza header. Did you try what @mmqt suggested? You need to come back here and follow up with your situation and add or accept an answer. Also, IIS inputs usually use the INDEXED_EXTRACTIONS feature, which was actually developed just for this data source:
https://www.splunk.com/blog/2013/10/18/iis-logs-and-splunk-6.html


nick405060
Motivator

I just ingested IIS logs a week or two ago. My inputs.conf for TA-Windows-Exchange-IIS that I am pushing out from my deployment server has this stanza (make sure to have the UFs restarted):

[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
whitelist = \.log$|\.LOG$
sourcetype=MSExchange:2013:ActiveSync
queue=parsingQueue
ignoreOlderThan=-1d
index=msexchange
disabled=false

And then my props.conf on my indexer:

[MSExchange:2013:ActiveSync]
TRANSFORMS-set = setnull,setparsing

And the transforms.conf on my indexer:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?i)activesync
DEST_KEY = queue
FORMAT = indexQueue

This is my rex (implemented at search time. Not great, I know):

"(?<date>\S+?)\s+?(?<time>\S+?)\s+?(?<ip1>\S+?)\s+?(?<action>\S+?)\s+?(?<file>\S+?)\s+?(?<long>\S+?)\s+?(?<port>\S+?)\s+?(?<id>\S+?)\s+?(?<ip2>\S+?)\s+?(?<device>\S+?) - (?<num>[\s\S]+)"
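
As an added illustration of the stanza, props.conf and transforms.conf nick405060 posted (example code written for this page, not the poster's or Splunk's), the Python below replays the routing: setnull sends every event to nullQueue, then setparsing sends events that mention ActiveSync back to indexQueue, and because the transforms in a TRANSFORMS-<class> list are applied in order the last match wins. It then applies the posted whitelist and the posted rex to what survives. The three IIS W3C log lines are constructed for the demonstration and the only change to the rex is the (?<name>...) to (?P<name>...) spelling that Python's re module requires.

```python
import re
from typing import Dict, List

# transforms.conf from the post, in the order TRANSFORMS-set lists them.
# Splunk applies them in sequence and each match overwrites DEST_KEY=queue,
# so the last matching transform decides where the event goes.
TRANSFORMS = [
    ("setnull",    re.compile(r"."),              "nullQueue"),
    ("setparsing", re.compile(r"(?i)activesync"), "indexQueue"),
]

# whitelist from the posted inputs.conf stanza; it is a regex matched
# against the full path of each candidate file
WHITELIST = re.compile(r"\.log$|\.LOG$")

# The search-time rex from the post, verbatim (PCRE named-group syntax).
SPLUNK_REX = (
    r"(?<date>\S+?)\s+?(?<time>\S+?)\s+?(?<ip1>\S+?)\s+?(?<action>\S+?)\s+?"
    r"(?<file>\S+?)\s+?(?<long>\S+?)\s+?(?<port>\S+?)\s+?(?<id>\S+?)\s+?"
    r"(?<ip2>\S+?)\s+?(?<device>\S+?) - (?<num>[\s\S]+)"
)

# Constructed IIS W3C lines (default field order: date time s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer)
# sc-status sc-substatus sc-win32-status time-taken). Not real traffic.
SAMPLE_EVENTS = [
    "2019-05-01 12:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas "
    "Cmd=Sync&User=jdoe&DeviceId=ABC123&DeviceType=iPhone 443 CORP\\jdoe 203.0.113.7 "
    "Apple-iPhone11C2/1703.104 - 200 0 0 152",
    "2019-05-01 12:00:02 10.0.0.5 GET /owa/ - 443 CORP\\asmith 203.0.113.9 Mozilla/5.0 - 200 0 0 38",
    "2019-05-01 12:00:03 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - "
    "198.51.100.4 TestActiveSyncConnectivity - 401 1 2148074254 0",
]


def passes_whitelist(path: str) -> bool:
    """Would the monitor input read this file at all?"""
    return WHITELIST.search(path) is not None


def route(event: str) -> str:
    """Index-time routing: return the queue the event ends up in."""
    queue = "indexQueue"          # default when no transform sets queue
    for _name, regex, dest in TRANSFORMS:
        if regex.search(event):
            queue = dest
    return queue


def to_python_regex(pcre: str) -> "re.Pattern[str]":
    """Rewrite PCRE named groups (?<name> as Python's (?P<name>,
    leaving lookbehinds (?<= and (?<! untouched."""
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre))


def ingest(events: List[str]) -> List[Dict[str, str]]:
    """Drop what the transforms send to nullQueue, then extract fields from the rest."""
    rex = to_python_regex(SPLUNK_REX)
    kept = []
    for event in events:
        if route(event) != "indexQueue":
            continue
        match = rex.search(event)
        kept.append(match.groupdict() if match else {"_raw": event})
    return kept


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{route(event):10} {event[:60]}...")
    for fields in ingest(SAMPLE_EVENTS):
        print(fields.get("action"), fields.get("file"), fields.get("device"), fields.get("num"))
```

Note that with REGEX = . the setnull transform matches anything with at least one character, so ordering is what makes this a keep-list rather than a drop-everything rule; swap the two names in TRANSFORMS-set and every event is discarded.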

petemorf
Engager

For some reason I can't change the index to which the Splunk Add-on for Microsoft IIS sends data. After I added the index line, it still sends to main:

[monitor://C:\inetpub\logs\LogFiles\]
disabled = 0
sourcetype = ms:iis:default
index = iis_logs

I changed the index to iis_logs, but it is still sending to main.


skrish91
Path Finder

Hi,

Thanks for the suggestion. [monitor://C:\inetpub\logs\LogFiles*] doesn't work for some reason.

Solution:

[monitor://C:\inetpub\logs\LogFiles\...\*.log]

Also, I was being stupid while searching for these logs. I always included the host field in the search, and this particular source doesn't include the 'host' field by default. That is the reason I didn't get any output when I searched for it.

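
To make the wildcard rules quoted from inputs.conf in mmqt's answer concrete, and to check the stanza skrish91 ended up with, here is a small Python model of how a [monitor://...] path is matched. It is an added example written for this page, not Splunk's own code: "..." is modelled as one or more directory levels because that is what the quoted examples (foo/1/bar, foo/1/2/bar) show, the recursive behaviour follows the quoted default of recursive = true, and the Windows file paths it is run against are made up for the demonstration.

```python
import re
from typing import Iterator


def splunk_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a monitor:// path with Splunk wildcards into a compiled regex.

    Rules, as quoted from inputs.conf above:
      '...'  recurses through directories. Modelled here as one or more
             directory levels, which is what the documented examples
             (foo/1/bar, foo/1/2/bar) show.
      '*'    matches anything within a single path segment and never
             crosses a separator.
    Backslashes are normalised to '/' and matching is case-insensitive,
    mirroring a Windows file system. This is a model for illustration,
    not Splunk's implementation.
    """
    normalised = pattern.replace("\\", "/").rstrip("/")
    parts = []
    for segment in normalised.split("/"):
        if segment == "...":
            parts.append(r"[^/]+(?:/[^/]+)*")
        else:
            # escape regex metacharacters, then let '*' stand for any run
            # of non-separator characters
            parts.append(re.escape(segment).replace(r"\*", r"[^/]*"))
    return re.compile("/".join(parts), re.IGNORECASE)


def ancestors(path: str) -> Iterator[str]:
    """Yield the directories above a path, nearest first, '/'-separated."""
    current = path.replace("\\", "/").rstrip("/")
    while "/" in current:
        current = current.rsplit("/", 1)[0]
        if current:
            yield current


def is_monitored(pattern: str, file_path: str, recursive: bool = True) -> bool:
    """Would a [monitor://<pattern>] stanza pick up file_path?

    A file is picked up when its full path matches the pattern or, with
    recursive = true (the inputs.conf default quoted above), when one of
    its parent directories matches, because a matched directory is
    monitored together with its subdirectories.
    """
    regex = splunk_glob_to_regex(pattern)
    if regex.fullmatch(file_path.replace("\\", "/")):
        return True
    return recursive and any(regex.fullmatch(d) for d in ancestors(file_path))


if __name__ == "__main__":
    # Made-up W3SVC log file path of the kind IIS writes under LogFiles.
    log_file = r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex190501.log"
    for stanza in (r"C:\inetpub\logs\LogFiles\*",           # mmqt's suggestion
                   r"C:\inetpub\logs\LogFiles\...\*.log"):  # skrish91's final stanza
        print(f"{stanza:40} recursive={is_monitored(stanza, log_file)!s:5} "
              f"non-recursive={is_monitored(stanza, log_file, recursive=False)}")
    # the documented '*' examples: one segment only, no recursion
    for path in ("/foo/1/bar", "/foo/1/2/bar", "/foo/bar"):
        print(f"/foo/*/bar matches {path:13} -> {is_monitored('/foo/*/bar', path)}")
```

The two suggested stanzas reach the same file by different routes: LogFiles\* matches the W3SVC1 directory and relies on recursive = true to read what is inside it, while LogFiles\...\*.log matches the .log file itself and therefore also works with recursive = false.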

kgderrekchapin
Path Finder

What errors are you seeing for the expected file in $SPLUNK_HOME/var/log/splunk/splunkd.log?


skrish91
Path Finder

I don't see any errors, but I also don't see any data coming in.


kgderrekchapin
Path Finder

If you know the full file path of the logs you are trying to monitor, can you search index=_internal for that file path and see whether the system is attempting to monitor the files and maybe receiving a permissions error?

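
The check kgderrekchapin suggests, as an added example that is not part of the original thread: scan splunkd.log for lines that mention the monitored directory (or anything below it) and pull out the files Splunk logged an error about. The log lines below are constructed to follow splunkd.log's line layout (date, time, zone, level, component, " - ", message) and are not output from the poster's system; in practice feed it $SPLUNK_HOME/var/log/splunk/splunkd.log from the forwarder or the _raw of an index=_internal search, as the post says.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in splunkd.log's layout:
#   MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message
# The messages are illustrative stand-ins for what the file-monitoring
# components write, not captured output from a real forwarder.
SPLUNKD_LOG = r"""
05-01-2019 12:00:00.123 +0000 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\inetpub\logs\LogFiles\...\*.log.
05-01-2019 12:00:00.130 +0000 INFO  TailingProcessor - Adding watch on path: C:\inetpub\logs\LogFiles.
05-01-2019 12:00:01.004 +0000 ERROR TailReader - Insufficient permissions to read file='C:\inetpub\logs\LogFiles\W3SVC1\u_ex190501.log' (hint: Permission denied).
05-01-2019 12:00:01.010 +0000 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\inetpub\logs\LogFiles\W3SVC2\u_ex190501.log'.
05-01-2019 12:00:02.000 +0000 WARN  TailReader - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\Other\app.log'.
05-01-2019 12:00:05.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.1
""".strip()

LINE_RX = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
FILE_RX = re.compile(r"file='([^']+)'")


def _norm(path: str) -> str:
    """Case-fold and use '/' so Windows paths compare however splunkd wrote them."""
    return path.replace("\\", "/").rstrip("/").lower()


def triage(splunkd_log: str, monitored_path: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group splunkd.log lines that mention monitored_path, or a path beneath it, by level.

    Returns {level: [(component, message), ...]}; levels with no hits are absent.
    """
    want = _norm(monitored_path)
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in splunkd_log.splitlines():
        m = LINE_RX.match(line)
        if m and want in _norm(m["msg"]):
            hits[m["level"]].append((m["component"], m["msg"]))
    return dict(hits)


def unreadable_files(splunkd_log: str, monitored_path: str) -> List[str]:
    """Files under monitored_path that splunkd logged an ERROR about."""
    found: List[str] = []
    for _component, msg in triage(splunkd_log, monitored_path).get("ERROR", []):
        found.extend(FILE_RX.findall(msg))
    return found


if __name__ == "__main__":
    target = r"C:\inetpub\logs\LogFiles"
    for level, entries in triage(SPLUNKD_LOG, target).items():
        for component, msg in entries:
            print(f"{level:5} {component:17} {msg}")
    print("unreadable:", unreadable_files(SPLUNKD_LOG, target))
```

No hits at all for the directory usually means the stanza never took effect on that forwarder (wrong app, not deployed, no restart), whereas an "Adding watch" line with no per-file lines points at the path pattern or whitelist, and a permissions error points at the account the forwarder service runs as.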