Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Correct path to IIIS logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct path to IIIS logs
Trying to setup the Universal Forwarder on the Web Server to forward IIS logs to SPLUNK.
The Windows Event log ARE forwarding correctly. My IIS logs are NOT stored in the default location so I'm trying to figure out the correct stanza to use.
My actual IIS log directoiry structure is
E:\weblogs\w3svc1*.log
E:\weblogs\w3svc2*.log
E:\weblogs\w3svc3*.log
Etc... multiple web sites
I tried the following Stanzas neither have seemed to work
[monitor://E:\weblogs\*\*.log]
disabled = 0
[monitor://E:\weblogs\...\*.log]
disabled = 0
I even tried tho log just a single site
[monitor://E:\weblogs\w3svc1\*.log]
disabled = 0
I restart splunk forwarded after changing the path
If I run 'splunk list monitor' I get for all stanzas
E:\weblogs*.log
No logs are being imported that I can tell
Appreciate any assistsnce anyone can provide.
-MARK-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it has taken me a while to respond to this. Been very busy on another project just got back to this today.
The only entiries in my Splunkd.log are as follows
05-30-2018 11:52:38.167 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://e:\WebLogs\*.log.
05-30-2018 11:52:38.167 -0400 INFO TailingProcessor - Adding watch on path: e:\WebLogs.
I think these are both good
Right now my SplunkForwarder Service is running under the Local System account. I haven't been able to figure out how to give that account READ permisssions to the e:\weblogs folder.
-MARK-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you verify the splunk process has permissions to the read the log files you want it to monitor?
Do you see any events in the $SPLUNK_HOME\var\log\splunkd.log regarding these file monitors?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is there a specific account that needs permissions? I assume it's the account that the SplunkUniveralForwareder service is running under? I will go look in the $SPLUNK_HOME\var\log\splunkd.log to see if anything is there. Thanks for the advise. -MARK-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry lost the backslahes. Here is the correct directory structure.
E:\weblogs\w3svc1\*.log
E:\weblogs\w3svc2\*.log
E:\weblogs\w3svc3\*.log
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
