Why did we get TMG Firewall logs for 2 days, but suddenly stopped with my current inputs.conf configuration?

edwardrose
Contributor

Hello All

I am ingesting TMG firewall logs, or trying to. I have opened a case to see if it is a Splunk issue or an issue with the TMG servers themselves, but I thought I might get a quicker answer here.

I added the following stanza to my TA-Windows-2008R2-Exchange-IIS/local/inputs.conf file, as TA-Windows-2008R2-Exchange-IIS only gets pushed out to our TMG servers.

[monitorNoHandle://C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs\*.w3c]
sourcetype = tmg:firewall
index = msexchange
disabled = false

I originally did this back on 1/6/2015, and we got logs for that day and into 1/7/2015, but we have not gotten any logs since. So I am assuming that the stanza works, but I might have it wrong, since we have nothing since then. I am not sure if monitorNoHandle is the issue or not, but the only other stanza in that file is the following:

[monitorNoHandle://C:\inetpub\logs\LogFiles\W3SVC1\*.log]
sourcetype = MSWindows:2008R2:IIS
queue = parsingQueue
index = msexchange
disabled = false

And those logs seem to be working just fine. I'm just a bit confused as to why it is not working.

thanks
ed

1 Solution

lmyrefelt
Builder

Not sure that is the way monitorNoHandle is supposed to work... why don't you try to use the monitor stanza instead?

from: http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Monitorfilesanddirectories

Note: You can only monitor single files with MonitorNoHandle. You can not monitor directories. If a file you choose to monitor already exists, Splunk does not index its current contents, only new information that comes into the file as it gets written to.

edwardrose
Contributor

Yeah, I read that as well, but since Splunk Professional Services set up the Splunk for Microsoft Exchange portion of our install, I thought I would copy what they set up. I changed it to monitor and will see if new data starts flowing.

thanks
ed


malmoore
Splunk Employee

That should fix your issue, at least from the monitoring standpoint. MonitorNoHandle can't monitor directories or wildcarded files; it must be a single file.

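As an added example (not code from the thread or from Splunk), a small Python lint that applies the rule from the Splunk docs quoted above: it parses inputs.conf stanza headers and flags every monitorNoHandle path that is a directory or contains a wildcard, suggesting the equivalent monitor:// header. The sample inputs.conf text inside it is constructed from the question's TMG stanza plus a hypothetical single-file stanza.

```python
# Added example (not from the thread): lint inputs.conf for monitorNoHandle
# stanzas that break the single-file rule quoted from the Splunk docs above.
import re

# Constructed sample: the TMG stanza from the question plus a hypothetical
# single-file stanza that monitorNoHandle can legitimately watch.
SAMPLE_INPUTS_CONF = r"""
[monitorNoHandle://C:\Program Files\Microsoft Forefront Threat Management Gateway\Logs\*.w3c]
sourcetype = tmg:firewall
index = msexchange
disabled = false

[monitorNoHandle://C:\Windows\System32\LogFiles\Firewall\pfirewall.log]
sourcetype = windows:firewall
index = msexchange
"""

# Header like [scheme://path]; the path may contain ':' and spaces, so stop at ']'.
STANZA_RE = re.compile(r"^\[(?P<scheme>[^:\]]+)://(?P<path>[^\]]+)\]$")

def parse_stanzas(text):
    """Return (scheme, path) for every input stanza header in the file text."""
    found = []
    for line in text.splitlines():
        m = STANZA_RE.match(line.strip())
        if m:
            found.append((m.group("scheme"), m.group("path")))
    return found

def is_single_file_path(path):
    """True only for one concrete file: no '*' or '...' wildcard and no trailing separator."""
    if "*" in path or "..." in path:
        return False
    return not path.endswith(("\\", "/"))

def lint(text):
    """One finding per monitorNoHandle stanza that is not a single file, with the
    monitor:// rewrite that keeps the same path and wildcard."""
    findings = []
    for scheme, path in parse_stanzas(text):
        if scheme.lower() == "monitornohandle" and not is_single_file_path(path):
            findings.append({"bad": f"[{scheme}://{path}]",
                             "suggested": f"[monitor://{path}]"})
    return findings

if __name__ == "__main__":
    for f in lint(SAMPLE_INPUTS_CONF):
        print(f["bad"], "->", f["suggested"])
```

Run it against a deployed TA's local/inputs.conf to catch the same misconfiguration before a forwarder silently stops picking up new log files.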

lmyrefelt
Builder

Also, of course: double-check / verify the path and log name/suffix.
