My IIS 6 logfiles (W2K3) are getting stuck in the parsingQueue of the SUF - this means that no data gets received from this server. Prior to adding the stanzas below, data was being received normally.
Now I have the following in Metrics.log:
03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8
03-22-2013 16:35:36.222 +0000 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
03-22-2013 16:35:36.222 +0000 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...
The following inputs.conf on the forwarder (in local):
followTail = 0
CHECK_FOR_HEADER = false
I've only just added the props.conf file and sourcetype, but that has not helped (in fact I think it made it worse - I didn't have the BatchReader errors before that).
Any help with configuring IIS to use with a SUF and (debian) indexer would be appreciated!
What Windows user are you running the splunkforwarder service as? Most of the Windows problems I see are related to permissions. Make sure the Windows user has access to the IIS logs directory.
Back on site today, and temporarily swapped from Local System to a "God" account with local and network permissions. No luck. It does seem to be the ParsingQueue that dies with the IIS logfiles.
Might be a long shot, but I noticed you don't have a slash on the monitor stanza, i.e.:
Also make sure that the Windows firewall is not blocking the TCP connection between the UF and the Indexer.
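An added example, not part of the original thread and not Splunk's own code: this Python script parses metrics.log lines like those quoted in the question, reports queues at or above a fill threshold (or marked `blocked=true`), and counts the "Could not send data to output queue" retries per queue. The `tcpout_example` line and the 0.8 threshold are constructed assumptions.

```python
import re
from collections import Counter

# First three lines are quoted from the question; the last one is constructed.
SAMPLE = """\
03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8
03-22-2013 16:35:36.222 +0000 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
03-22-2013 16:35:36.222 +0000 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...
03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=tcpout_example, max_size_kb=500, current_size_kb=12, current_size=1, largest_size=1, smallest_size=0
"""

# timestamp (three tokens), level, component, " - ", message body
LINE = re.compile(r"^(\S+ \S+ \S+) (\w+) (\w+) - (.*)$")
RETRY = re.compile(r"Could not send data to output queue \((\w+)\)")

def parse_kv(body):
    """Split the 'k=v, k=v' fields of a Metrics line into a dict."""
    return dict(p.split("=", 1) for p in body.split(", ") if "=" in p)

def queue_report(text, threshold=0.8):
    """Return ({queue: fill ratio} for congested queues, {queue: retry count})."""
    full, retries = {}, Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _ts, _level, component, body = m.groups()
        if component == "Metrics":
            kv = parse_kv(body)
            if kv.get("group") != "queue" or "max_size_kb" not in kv:
                continue
            max_kb = int(kv["max_size_kb"])
            ratio = int(kv.get("current_size_kb", 0)) / max_kb if max_kb else 0.0
            # blocked=true appears on queue lines when the queue refuses new data
            if ratio >= threshold or kv.get("blocked") == "true":
                full[kv["name"]] = max(ratio, full.get(kv["name"], 0.0))
        else:
            r = RETRY.search(body)
            if r:
                # normalise "parsingQueue" to match the Metrics name "parsingqueue"
                retries[r.group(1).lower()] += 1
    return full, dict(retries)

if __name__ == "__main__":
    full, retries = queue_report(SAMPLE)
    for name, ratio in full.items():
        print(f"{name}: {ratio:.0%} full, {retries.get(name, 0)} retry messages")
```

Run against a forwarder's own metrics.log, a queue that stays listed across many intervals marks a host whose events are not reaching the indexer.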