Correct path to IIS logs

Trying to set up the Universal Forwarder on the Web Server to forward IIS logs to SPLUNK.
The Windows Event logs ARE forwarding correctly. My IIS logs are NOT stored in the default location so I'm trying to figure out the correct stanza to use.
My actual IIS log directory structure is
E:\weblogs\w3svc1*.log
E:\weblogs\w3svc2*.log
E:\weblogs\w3svc3*.log
Etc... multiple web sites
I tried the following stanzas; neither has seemed to work
[monitor://E:\weblogs\*\*.log]
disabled = 0
[monitor://E:\weblogs\...\*.log]
disabled = 0
I even tried to log just a single site
[monitor://E:\weblogs\w3svc1\*.log]
disabled = 0
I restart the Splunk forwarder after changing the path
If I run 'splunk list monitor' I get for all stanzas
E:\weblogs*.log
No logs are being imported that I can tell
Appreciate any assistance anyone can provide.
-MARK-

Sorry it has taken me a while to respond to this. Been very busy on another project; just got back to this today.
The only entries in my Splunkd.log are as follows
05-30-2018 11:52:38.167 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://e:\WebLogs\*.log.
05-30-2018 11:52:38.167 -0400 INFO TailingProcessor - Adding watch on path: e:\WebLogs.
I think these are both good
Right now my SplunkForwarder Service is running under the Local System account. I haven't been able to figure out how to give that account READ permissions to the e:\weblogs folder.
-MARK-

Did you verify the splunk process has permissions to read the log files you want it to monitor?
Do you see any events in the $SPLUNK_HOME\var\log\splunkd.log regarding these file monitors?
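
One way to run the permission check suggested in the reply above, as an added PowerShell example that is not part of the original thread: it reports the account the forwarder service logs on as, counts the .log files in each site folder, and lists each folder's ACL entries. The service name SplunkForwarder and the root E:\weblogs are taken from the thread; access granted through group membership is listed but not resolved to the account.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the web server.
# Assumptions: the service is named 'SplunkForwarder' and logs live under E:\weblogs\<site>\*.log.
$serviceName = 'SplunkForwarder'
$logRoot     = 'E:\weblogs'

# Which account does the forwarder run as? Win32_Service reports Local System as 'LocalSystem'.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found on this host." }

# Map LocalSystem to the name it carries in ACLs. A local account shown as '.\name'
# appears in ACLs as '<HOSTNAME>\name', so the direct match below will not flag it.
$account = if ($svc.StartName -eq 'LocalSystem') { 'NT AUTHORITY\SYSTEM' } else { $svc.StartName }
Write-Output "Forwarder runs as: $($svc.StartName) (ACL identity: $account)"

# Walk each per-site folder: count the .log files a monitor stanza should match,
# then list the ACL entries and mark the ones that name the service account directly.
Get-ChildItem -Path $logRoot -Directory | ForEach-Object {
    $dir      = $_.FullName
    $logCount = @(Get-ChildItem -Path $dir -Filter '*.log' -File).Count
    Write-Output "`n$dir  ($logCount .log files)"

    (Get-Acl -Path $dir).Access | ForEach-Object {
        [pscustomobject]@{
            Identity     = $_.IdentityReference.Value
            Type         = $_.AccessControlType   # Allow or Deny
            Rights       = $_.FileSystemRights
            Inherited    = $_.IsInherited
            NamesSvcAcct = ($_.IdentityReference.Value -eq $account)
        }
    } | Format-Table -AutoSize | Out-String
}
```

A folder that shows zero .log files, or no Allow entry covering the service account or a group it belongs to, narrows the problem to the path or to permissions before any further changes to the stanza.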

So is there a specific account that needs permissions? I assume it's the account that the SplunkUniversalForwarder service is running under? I will go look in the $SPLUNK_HOME\var\log\splunkd.log to see if anything is there. Thanks for the advice. -MARK-

Sorry, lost the backslashes. Here is the correct directory structure.
E:\weblogs\w3svc1\*.log
E:\weblogs\w3svc2\*.log
E:\weblogs\w3svc3\*.log
