Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarding IIS6 Logfiles Using Universal Forwarder

andiih
Explorer
‎03-22-2013 09:55 AM

My IIS 6 logfiles (W2K3) are getting stuck in the parsingQueue of the SUF - this means that no data gets received from this server. Prior to adding the stanzas below, data was being received normally.

Now I have the following in Metrics.log



03-22-2013 16:46:15.317 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8

and splunkd.log



03-22-2013 16:35:36.222 +0000 INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

03-22-2013 16:35:36.222 +0000 INFO  BatchReader - Could not send data to output queue (parsingQueue), retrying...

The following inputs.conf on the forwarder (in local)



[monitor://c:\WINDOWS\system32\LogFiles]

disabled=false

recursive=true

followTail = 0

sourcetype=MSWindows:2003:IIS

and props.conf



[MSWindows:2003:IIS]

CHECK_FOR_HEADER = false

I've only just added the props.conf file and sourcetype, but that has not helped (in fact I think it made it worse - I didn't have the BatchReader errors before that)

Any help to configuring IIS to use with a SUF and (debian) indexer would be appreciated!

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎03-22-2013 11:45 AM

What Windows user are you running the splunkforwarder service as? Most of the Windows problems I see are related to permissions. Make sure the Windows user has access to the IIS logs directory.

0 Karma
Reply

andiih
Explorer
‎03-28-2013 04:01 AM

Back on site today, and temporarily swapped from Local System to a "God" account with local and network permissions. No luck. It does seem to be the ParsingQueue that dies with the IIS logfiles.

0 Karma
Reply

andiih
Explorer
‎03-22-2013 11:56 AM

I'll check this next week. It's certainly plausible!

0 Karma
Reply

jstockamp
Communicator
‎03-22-2013 11:12 AM

Are you seeing messages in splunkd.log that you are connected to the indexer? Do you have any other inputs on the forwader that are making it to the indexer?

0 Karma
Reply

andiih
Explorer
‎03-22-2013 11:58 AM

If I take this logfile stanza out,then I get connections and data flows from the windows event logs. When I add it, the parsing queue dies and no data flows

0 Karma
Reply

jstockamp
Communicator
‎03-22-2013 10:41 AM

You might want to add a whiltelist to your input:

whitelist=*.log

0 Karma
Reply

andiih
Explorer
‎03-22-2013 10:56 AM

nice idea, but this doesn't seem to have helped.

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎03-22-2013 10:07 AM

Might be a long shot but I noticed you don't have a slash on the monitor stanza, ie: 

[monitor://C:\Windows\system32\LogFiles]

Also make sure that the Windows firewall is not blocking the TCP connection between the UF and the Indexer.

0 Karma
Reply

andiih
Explorer
‎03-22-2013 10:21 AM

I do have the slashes, its just my (lack of) competence in formatting on this forum. Firewall isn't blocking, as I get the WinEventLog* events through if I take the monitor stanza out

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...