
Correct path to IIS logs

New Member

Trying to set up the Universal Forwarder on the Web Server to forward IIS logs to SPLUNK.
The Windows Event logs ARE forwarding correctly. My IIS logs are NOT stored in the default location, so I'm trying to figure out the correct stanza to use.

My actual IIS log directory structure is
E:\weblogs\w3svc1*.log
E:\weblogs\w3svc2*.log
E:\weblogs\w3svc3*.log
Etc... multiple web sites

I tried the following stanzas; neither has seemed to work

[monitor://E:\weblogs\*\*.log]
disabled = 0

[monitor://E:\weblogs\...\*.log]
disabled = 0

I even tried to log just a single site
[monitor://E:\weblogs\w3svc1\*.log]
disabled = 0

I restart the Splunk forwarder after changing the path.
If I run 'splunk list monitor', I get for all stanzas
E:\weblogs*.log

No logs are being imported that I can tell

Appreciate any assistance anyone can provide.

-MARK-

0 Karma

Re: Correct path to IIS logs

New Member
Sorry, lost the backslashes. Here is the correct directory structure.
E:\weblogs\w3svc1\*.log
E:\weblogs\w3svc2\*.log
E:\weblogs\w3svc3\*.log
0 Karma

Re: Correct path to IIS logs

Builder

Did you verify the Splunk process has permissions to read the log files you want it to monitor?

Do you see any events in the $SPLUNK_HOME\var\log\splunkd.log regarding these file monitors?

0 Karma
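
The two checks suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the service name `SplunkForwarder` and the log root `E:\weblogs` mentioned in the thread, and an install directory of `C:\Program Files\SplunkUniversalForwarder` (an assumption; change it to your own path).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the web server.
$serviceName = 'SplunkForwarder'                           # service name as given in the thread
$logRoot     = 'E:\weblogs'                                # log root as given in the thread
$splunkHome  = 'C:\Program Files\SplunkUniversalForwarder' # assumed install directory

# 1. Which account does the forwarder service run as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found" }
"Forwarder runs as: $($svc.StartName)"

# 2. Which identities are allowed to read the log root?
#    ACEs stored as generic rights show up as raw numbers and are not matched by this filter.
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
(Get-Acl -Path $logRoot).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readData) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 3. Which .log files actually exist, grouped by site directory?
Get-ChildItem -Path $logRoot -Recurse -Filter '*.log' -File |
    Group-Object -Property DirectoryName |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 4. What has the file monitor reported in splunkd.log?
Get-ChildItem -Path (Join-Path $splunkHome 'var\log') -Recurse -Filter 'splunkd.log' |
    ForEach-Object { Select-String -Path $_.FullName -Pattern 'TailingProcessor' } |
    Select-Object -Last 20 -ExpandProperty Line
```

Compare the account from step 1 against the identities listed in step 2, and compare the stanza paths logged in step 4 against the directories listed in step 3.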

Re: Correct path to IIS logs

New Member

So is there a specific account that needs permissions? I assume it's the account that the SplunkUniversalForwarder service is running under? I will go look in the $SPLUNK_HOME\var\log\splunkd.log to see if anything is there. Thanks for the advice. -MARK-

0 Karma

Re: Correct path to IIS logs

New Member

Sorry it has taken me a while to respond to this. Been very busy on another project; just got back to this today.
The only entries in my splunkd.log are as follows

05-30-2018 11:52:38.167 -0400 INFO  TailingProcessor - Parsing configuration stanza: monitor://e:\WebLogs\*.log.
05-30-2018 11:52:38.167 -0400 INFO  TailingProcessor - Adding watch on path: e:\WebLogs.

I think these are both good

Right now my SplunkForwarder Service is running under the Local System account. I haven't been able to figure out how to give that account READ permissions to the e:\weblogs folder.

-MARK-

0 Karma