All Apps and Add-ons

Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?

edwardrose
Contributor

Hello All

I am ingesting TMG firewall logs or trying to. I have opened a case to see if it is a Splunk issue or an issue with the TMG servers themselves, but I thought I might get a quicker answer here.

I added the following stanza to my TA-Windows-2008R2-Exchange-IIS/local/inputs.conf file as TA-Windows-2008R2-Exchange-IIS only gets pushed out to our TMG servers.

[monitorNoHandle://C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs\*.w3c]
sourcetype = tmg:firewall
index = msexchange
disabled = false

I originally did this back on 1/6/2015 and we got logs for that day and into 1/7/2015. But we have not gotten any logs since. So I am assuming that the stanza works but I might have it wrong, since we have nothing since then. I am not sure if the monitorNoHandle is the issue or not but the only other stanza in that file is the following:

[monitorNoHandle://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype = MSWindows:2008R2:IIS
queue = parsingQueue
index = msexchange
disabled = false

And those logs seem to be working just fine. Just a bit confused as to why it is not working.

thanks
ed

0 Karma
1 Solution

lmyrefelt
Builder

Not sure that is the way monitorNoHandle is suppose to work .. why don't you try to use the monitor stanza instead ?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

View solution in original post

lmyrefelt
Builder

Not sure that is the way monitorNoHandle is suppose to work .. why don't you try to use the monitor stanza instead ?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

edwardrose
Contributor

Yeah I read that as well, but since Splunk Professional services setup the Splunk for Microsoft Exchange portion of our install, I thought I would copy what they setup. I changed it to monitor and will see if new data starts flowing.

thanks
ed

0 Karma

malmoore
Splunk Employee
Splunk Employee

That should fix your issue, at least from the monitoring standpoint. MonitorNoHandle can't monitor directories or wild carded files, it must be a single file.

0 Karma

lmyrefelt
Builder

Also of course; dubble-check / verify path and log-name/suffix

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...