All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?

edwardrose
Contributor
‎02-11-2015 12:53 PM

Hello All

I am ingesting TMG firewall logs or trying to. I have opened a case to see if it is a Splunk issue or an issue with the TMG servers themselves, but I thought I might get a quicker answer here.

I added the following stanza to my TA-Windows-2008R2-Exchange-IIS/local/inputs.conf file as TA-Windows-2008R2-Exchange-IIS only gets pushed out to our TMG servers.

[monitorNoHandle://C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs\*.w3c]
sourcetype = tmg:firewall
index = msexchange
disabled = false

I originally did this back on 1/6/2015 and we got logs for that day and into 1/7/2015. But we have not gotten any logs since. So I am assuming that the stanza works but I might have it wrong, since we have nothing since then. I am not sure if the monitorNoHandle is the issue or not but the only other stanza in that file is the following:

[monitorNoHandle://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype = MSWindows:2008R2:IIS
queue = parsingQueue
index = msexchange
disabled = false

And those logs seem to be working just fine. Just a bit confused as to why it is not working.

thanks
ed

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lmyrefelt
Builder
‎02-11-2015 01:07 PM

Not sure that is the way monitorNoHandle is suppose to work .. why don't you try to use the monitor stanza instead ?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

View solution in original post

Reply
Solved! Jump to solution
Solution

lmyrefelt
Builder
‎02-11-2015 01:07 PM

Not sure that is the way monitorNoHandle is suppose to work .. why don't you try to use the monitor stanza instead ?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

Reply
Solved! Jump to solution

edwardrose
Contributor
‎02-11-2015 01:09 PM

Yeah I read that as well, but since Splunk Professional services setup the Splunk for Microsoft Exchange portion of our install, I thought I would copy what they setup. I changed it to monitor and will see if new data starts flowing.

thanks
ed

0 Karma
Reply
Solved! Jump to solution

malmoore
Splunk Employee
Splunk Employee
‎02-16-2015 09:20 AM

That should fix your issue, at least from the monitoring standpoint. MonitorNoHandle can't monitor directories or wild carded files, it must be a single file.

0 Karma
Reply
Solved! Jump to solution

lmyrefelt
Builder
‎02-11-2015 01:24 PM

Also of course; dubble-check / verify path and log-name/suffix

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top