All Apps and Add-ons

Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?

edwardrose
Contributor

Hello All

I am ingesting TMG firewall logs or trying to. I have opened a case to see if it is a Splunk issue or an issue with the TMG servers themselves, but I thought I might get a quicker answer here.

I added the following stanza to my TA-Windows-2008R2-Exchange-IIS/local/inputs.conf file as TA-Windows-2008R2-Exchange-IIS only gets pushed out to our TMG servers.

[monitorNoHandle://C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs\*.w3c]
sourcetype = tmg:firewall
index = msexchange
disabled = false

I originally did this back on 1/6/2015 and we got logs for that day and into 1/7/2015. But we have not gotten any logs since. So I am assuming that the stanza works but I might have it wrong, since we have nothing since then. I am not sure if the monitorNoHandle is the issue or not but the only other stanza in that file is the following:

[monitorNoHandle://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype = MSWindows:2008R2:IIS
queue = parsingQueue
index = msexchange
disabled = false

And those logs seem to be working just fine. Just a bit confused as to why it is not working.

thanks
ed

0 Karma
1 Solution

lmyrefelt
Builder

Not sure that is the way monitorNoHandle is suppose to work .. why don't you try to use the monitor stanza instead ?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

View solution in original post

lmyrefelt
Builder

Not sure that is the way monitorNoHandle is suppose to work .. why don't you try to use the monitor stanza instead ?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

edwardrose
Contributor

Yeah I read that as well, but since Splunk Professional services setup the Splunk for Microsoft Exchange portion of our install, I thought I would copy what they setup. I changed it to monitor and will see if new data starts flowing.

thanks
ed

0 Karma

malmoore
Splunk Employee
Splunk Employee

That should fix your issue, at least from the monitoring standpoint. MonitorNoHandle can't monitor directories or wild carded files, it must be a single file.

0 Karma

lmyrefelt
Builder

Also of course; dubble-check / verify path and log-name/suffix

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...