Splunk Add-on for Microsoft IIS: Inputs configuration doesn't work

Path Finder

I have configured the Splunk Add-on for Microsoft IIS inputs. Please find the input configuration below.

[monitor://C:\inetpub\logs\LogFiles\\*\\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis

I don't see any IIS logs coming in.
I also have other apps installed on this machine and can see the data from those apps.
Is something wrong with the input configuration?

1 Solution

Path Finder

It's probably your monitor path

Try

[monitor://C:\inetpub\logs\LogFiles\*]
disabled = 0
sourcetype = ms:iis:auto
index = windows_iis

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#MONITOR:

Note concerning wildcards and monitor:
* You can use wildcards to specify your input path for monitored inputs. Use
  "..." for recursive directory matching and "*" for wildcard matching in a
  single directory segment.
* "..." recurses through directories. This means that /foo/.../bar matches
  foo/1/bar, foo/1/2/bar, etc.
* You can use multiple "..." specifications in a single input path. For
  example: /foo/.../bar/...
* The asterisk (*) matches anything in a single path segment; unlike "...", it
  does not recurse. For example, /foo/*/bar matches the files
  /foo/1/bar, /foo/2/bar, etc. However, it does not match
  /foo/bar or /foo/1/2/bar.
  A second example: /foo/m*r/bar matches /foo/mr/bar, /foo/mir/bar,
  /foo/moor/bar, etc. It does not match /foo/mi/or/bar.
* You can combine "*" and "..." as needed: foo/.../bar/* matches any file in
  the bar directory within the specified path.

Splunk is recursive by default

recursive = <boolean>
* Whether or not the input monitors subdirectories that it finds within a
  monitored directory.
* If you set this setting to "false", the input does not monitor sub-directories
* Default: true.

Esteemed Legend

I agree with the problem being your stanza header. Did you try what @mmqt suggested? You need to come back here and follow up with your situation and add or accept an answer. Also, IIS inputs usually use the INDEXED_EXTRACTIONS feature, which was actually developed just for this data source:
https://www.splunk.com/blog/2013/10/18/iis-logs-and-splunk-6.html

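Editor's note, added example (not code from the post above or from the Splunk add-on): INDEXED_EXTRACTIONS = w3c works by reading the "#Fields:" directive at the top of each IIS log and naming columns from it, rather than assuming a fixed column order. The Python below does the same thing stand-alone so you can see why that matters: the sample log (constructed here, not from a real server) changes its field selection part-way through, as IIS does when the site's logging options change, and a positional regex would silently misfile every later column. Lines whose column count disagrees with the header are kept under a "_malformed" key instead of being dropped, so truncation or tampering stays visible. The field names are the ones IIS itself writes; the helper names are mine.

```python
"""Parse IIS W3C extended log files, letting the #Fields: header drive the parse."""
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample log; not from a real server. The second #Fields: line
# models an IIS site whose logging options were changed mid-file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-01-01 00:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2020-01-01 00:00:02 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 curl/7.68.0 - 401 2 5 3
2020-01-01 00:00:03 10.0.0.5 GET /admin/config.php - 443 - 198.51.100.9 python-requests/2.25 - 404 0 2 1
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2020-01-01 00:00:04 198.51.100.9 GET /admin/ 403
2020-01-01 00:00:05 198.51.100.9 GET
"""

Record = Dict[str, Optional[str]]


def parse_w3c(text: str) -> List[Record]:
    """Return one dict per request line; the W3C placeholder '-' becomes None.

    Every '#Fields:' directive resets the column layout for the lines that
    follow it. Other '#' directives (#Software, #Version, #Date) carry no
    events and are skipped. A line whose column count does not match the
    current header is recorded as {'_malformed': line} rather than dropped.
    """
    fields: List[str] = []
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        cols = line.split()
        if not fields or len(cols) != len(fields):
            records.append({"_malformed": line})
            continue
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, cols)})
    return records


def failed_requests_by_client(records: List[Record]) -> Counter:
    """Count 4xx responses per client IP across records with differing layouts."""
    hits: Counter = Counter()
    for rec in records:
        status, client = rec.get("sc-status"), rec.get("c-ip")
        if status and client and status.startswith("4"):
            hits[client] += 1
    return hits


if __name__ == "__main__":
    parsed = parse_w3c(SAMPLE_LOG)
    for rec in parsed:
        print(rec)
    print(failed_requests_by_client(parsed))
```

Because the second header drops s-ip and cs(User-Agent), the 403 record simply lacks those keys; the counter still attributes it to the right client because it looks fields up by name, not by position.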
Motivator

I just ingested IIS logs a week or two ago. My inputs.conf for TA-Windows-Exchange-IIS that I am pushing out from my deployment server has this stanza (make sure to have the UFs restarted):

[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
whitelist = \.log$|\.LOG$
sourcetype = MSExchange:2013:ActiveSync
queue = parsingQueue
# ignoreOlderThan takes a non-negative value; "-1d" is not valid
ignoreOlderThan = 1d
index = msexchange
disabled = false

And then my props.conf on my indexer:

[MSExchange:2013:ActiveSync]
TRANSFORMS-set = setnull,setparsing

And the transforms.conf on my indexer:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?i)activesync
DEST_KEY = queue
FORMAT = indexQueue

This is my rex (implemented at search time; not great, I know):

"(?<date>\S+?)\s+?(?<time>\S+?)\s+?(?<ip1>\S+?)\s+?(?<action>\S+?)\s+?(?<file>\S+?)\s+?(?<long>\S+?)\s+?(?<port>\S+?)\s+?(?<id>\S+?)\s+?(?<ip2>\S+?)\s+?(?<device>\S+?) - (?<num>[\s\S]+)"

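Editor's note, added example (not the poster's code): the setnull/setparsing pair above only works because of ordering. Splunk evaluates every transform named in TRANSFORMS-set, and each match overwrites the queue key, so the last matching transform decides where the event goes. The Python below models that rule and runs it over a few constructed IIS-style events (not from a real Exchange server), including the reversed order, which discards everything. The transform triples mirror the stanzas in the post; the function names are mine. One caveat worth seeing in the output: anything that does not match (?i)activesync, such as requests to /owa/ or /ecp/, never reaches the index at all, so this filter is also a visibility gap for detection.

```python
import re
from typing import List, Tuple

# (stanza name, REGEX, FORMAT) for transforms whose DEST_KEY is "queue",
# listed in the order TRANSFORMS-set names them.
Transform = Tuple[str, str, str]

TRANSFORMS_SET: List[Transform] = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"(?i)activesync", "indexQueue"),
]

# Constructed IIS-style events; not from a real Exchange server.
SAMPLE_EVENTS = [
    "2020-01-01 00:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=ABC123 443 - 203.0.113.7 Apple-iPhone/1 - 200 0 0 12",
    "2020-01-01 00:00:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 30",
    "2020-01-01 00:00:03 10.0.0.5 GET /Microsoft-Server-ActiveSync/default.eas - 443 - 198.51.100.9 curl/7.68.0 - 401 2 5 3",
    "2020-01-01 00:00:04 10.0.0.5 GET /ecp/ - 443 - 198.51.100.9 curl/7.68.0 - 403 0 0 2",
]


def route(event: str, transforms: List[Transform], default: str = "indexQueue") -> str:
    """Return the queue an event ends up in.

    Every transform is evaluated in order; each one whose REGEX matches
    overwrites the queue, so the LAST matching transform wins. That is why
    setnull (REGEX = .) has to come before setparsing: the catch-all sends
    everything to nullQueue first and the specific match rescues a subset.
    """
    queue = default
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def indexed_events(events: List[str], transforms: List[Transform]) -> List[str]:
    """Events that survive the filter, i.e. end in indexQueue."""
    return [e for e in events if route(e, transforms) == "indexQueue"]


def dropped_events(events: List[str], transforms: List[Transform]) -> List[str]:
    """Events the filter discards before indexing."""
    return [e for e in events if route(e, transforms) == "nullQueue"]


if __name__ == "__main__":
    print("kept:", len(indexed_events(SAMPLE_EVENTS, TRANSFORMS_SET)))
    print("dropped:", len(dropped_events(SAMPLE_EVENTS, TRANSFORMS_SET)))
    # Same two transforms in the opposite order: the catch-all now runs last.
    print("kept with reversed order:",
          len(indexed_events(SAMPLE_EVENTS, list(reversed(TRANSFORMS_SET)))))
```
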
Engager

For some reason I can't change the index to which the Splunk Add-on for Microsoft IIS sends data. After I added the index line, it still sends to main:

[monitor://C:\inetpub\logs\LogFiles\]
disabled = 0
sourcetype = ms:iis:default
index = iis_logs

Changed index to iis_logs, but still sending to main.

Path Finder

Hi,

Thanks for the suggestion. [monitor://C:\inetpub\logs\LogFiles*] doesn't work for some reason.

Solution:

[monitor://C:\inetpub\logs\LogFiles\...\*.log]

Also, I was being stupid while searching for these logs. I always included the host field in the search, and this particular source doesn't include a 'host' field by default. That is the reason I didn't get any output when I searched for it.

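Editor's note, added example serving both the accepted answer's wildcard rules and the `LogFiles\...\*.log` stanza that finally worked above (my code, not Splunk's or either poster's): a small matcher that implements the documented semantics, "*" matching within one path segment and "..." matching whole directory levels, and then reports which files in a constructed directory listing a given stanza would pick up. That is the check you want before trusting an input: the stanza defines the collection scope, and a pattern that is one level too shallow silently leaves archive subdirectories unmonitored. One assumption the quoted docs do not settle, marked in the code: "..." is taken to match zero levels as well. Fed the original question's doubled backslashes, this literal matcher sees empty path segments and matches nothing; whether Splunk's own parser reads them the same way is not something this thread establishes.

```python
import re
from typing import Iterable, List


def compile_monitor_path(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """Turn a [monitor://...] path into a regex using the inputs.conf rules:

      "*"    matches anything inside ONE path segment (never a separator)
      "..."  matches any number of whole directory levels

    Backslashes are normalised to "/" so Windows and POSIX paths share code.
    Assumption (not settled by the docs quoted in this thread): "..." also
    matches zero levels, so a\\...\\b covers a\\b as well as a\\x\\y\\b.
    """
    segments = pattern.replace("\\", "/").split("/")
    last = len(segments) - 1
    parts: List[str] = []
    for i, seg in enumerate(segments):
        if seg == "...":
            # mid-path: zero or more "dir/" groups; trailing: everything below
            parts.append("(?:[^/]+/)*" if i < last else ".+")
        else:
            parts.append(re.escape(seg).replace(r"\*", "[^/]*"))
            if i < last:
                parts.append("/")
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def monitor_matches(pattern: str, path: str, ignore_case: bool = False) -> bool:
    """True if the stanza path would select this file."""
    normalised = path.replace("\\", "/")
    return compile_monitor_path(pattern, ignore_case).match(normalised) is not None


def covered_files(pattern: str, candidates: Iterable[str], ignore_case: bool = True) -> List[str]:
    """Sorted candidate paths the stanza would pick up. Case-insensitive by
    default because NTFS paths are; pass ignore_case=False for POSIX."""
    return sorted(p for p in candidates if monitor_matches(pattern, p, ignore_case))


# Constructed directory listing for the checks below; not from a real host.
IIS_TREE = [
    r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex200101.log",
    r"C:\inetpub\logs\LogFiles\W3SVC1\notes.txt",
    r"C:\inetpub\logs\LogFiles\W3SVC2\u_ex200101.log",
    r"C:\inetpub\logs\LogFiles\W3SVC2\archive\u_ex191231.log",
    r"C:\inetpub\logs\LogFiles\FTPSVC1\u_ex200101.log",
]

if __name__ == "__main__":
    for stanza in (r"C:\inetpub\logs\LogFiles\...\*.log",   # every .log at any depth
                   r"C:\inetpub\logs\LogFiles\*\*.log",     # one level only: misses archive\
                   r"C:\inetpub\logs\LogFiles\W3SVC1\*",    # one site, any file type
                   r"C:\inetpub\logs\LogFiles\\*\\*"):      # the original stanza, read literally
        print(f"[monitor://{stanza}] ->", covered_files(stanza, IIS_TREE))
```

Running it shows the difference between the two working stanzas: `\...\*.log` covers the archive subdirectory, `\*\*.log` does not, and `\W3SVC1\*` also sweeps in the stray notes.txt, which is the sort of file a whitelist (as in the MSExchange stanza earlier in this thread) exists to exclude.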
Path Finder

What errors are you seeing for the expected file in $SPLUNK_HOME/var/log/splunk/splunkd.log?

Path Finder

I don't see any errors, but I also don't see any data coming in.

Path Finder

If you know the full file path of the logs you are trying to monitor, can you search index=_internal for that file path and see whether the system is attempting to monitor the files and maybe receiving a permissions error?
