
Forwarding IIS6 Logfiles Using Universal Forwarder

Explorer

My IIS 6 logfiles (W2K3) are getting stuck in the parsingQueue of the SUF - this means that no data gets received from this server. Prior to adding the stanzas below, data was being received normally.

Now I have the following in Metrics.log


03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8

and splunkd.log


03-22-2013 16:35:36.222 +0000 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
03-22-2013 16:35:36.222 +0000 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...

The following is the inputs.conf on the forwarder (in local):


[monitor://c:\WINDOWS\system32\LogFiles]
disabled=false
recursive=true
followTail = 0
sourcetype=MSWindows:2003:IIS

and props.conf


[MSWindows:2003:IIS]
CHECK_FOR_HEADER = false

I've only just added the props.conf file and sourcetype, but that has not helped (in fact I think it made it worse - I didn't have the BatchReader errors before that).

Any help to configuring IIS to use with a SUF and (debian) indexer would be appreciated!

0 Karma
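A small diagnostic for the symptom above, added here as an example (not code from the thread or from Splunk): it parses the metrics.log group=queue lines and the splunkd.log "Could not send data to output queue" retries in the formats quoted in the question, and flags any queue that is nearly full. The two sample lists are constructed from the lines in the question, and the 80% fill threshold is an assumption.

```python
"""Flag a blocked Splunk forwarder queue from metrics.log and splunkd.log lines."""
import re

# One "group=queue" metrics.log line: timestamp, then comma-separated key=value pairs.
QUEUE_LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) INFO Metrics - group=queue, (?P<kv>.*)$")
# One splunkd.log retry message naming the processor and the queue it could not feed.
RETRY_LINE = re.compile(r"INFO (?P<proc>\w+) - Could not send data to output queue \((?P<queue>\w+)\), retrying")


def parse_queue_line(line):
    """Return the key=value fields of a group=queue line as a dict, or None for other lines."""
    m = QUEUE_LINE.match(line.strip())
    if not m:
        return None
    fields = {"timestamp": m.group("ts")}
    for pair in m.group("kv").split(", "):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def find_blocked_queues(lines, threshold=0.8):
    """Names of queues whose current_size_kb / max_size_kb is at or above threshold (assumed 80%)."""
    blocked = []
    for f in filter(None, map(parse_queue_line, lines)):
        try:
            ratio = int(f["current_size_kb"]) / int(f["max_size_kb"])
        except (KeyError, ValueError, ZeroDivisionError):
            continue  # queue line without size fields: skip rather than crash
        if ratio >= threshold:
            blocked.append(f["name"])
    return blocked


def count_queue_retries(lines):
    """Count splunkd.log retry messages per output queue name."""
    counts = {}
    for line in lines:
        m = RETRY_LINE.search(line)
        if m:
            counts[m.group("queue")] = counts.get(m.group("queue"), 0) + 1
    return counts


# Constructed sample input: the parsingqueue line from the question plus a healthy queue for contrast.
SAMPLE_METRICS = [
    "03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=449, current_size=8, largest_size=8, smallest_size=8",
    "03-22-2013 16:46:15.317 +0000 INFO Metrics - group=queue, name=tcpout_default, max_size_kb=512, current_size_kb=3, current_size=1, largest_size=2, smallest_size=0",
]
SAMPLE_SPLUNKD = [
    "03-22-2013 16:35:36.222 +0000 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...",
    "03-22-2013 16:35:36.222 +0000 INFO BatchReader - Could not send data to output queue (parsingQueue), retrying...",
]
```

Run it against a forwarder's real metrics.log and splunkd.log to confirm which queue is filling before changing inputs.conf; a full parsingQueue with retries from both TailingProcessor and BatchReader points at the monitor input rather than at the network path.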

Splunk Employee

What Windows user are you running the splunkforwarder service as? Most of the Windows problems I see are related to permissions. Make sure the Windows user has access to the IIS logs directory.

0 Karma

Explorer

Back on site today, and temporarily swapped from Local System to a "God" account with local and network permissions. No luck. It does seem to be the ParsingQueue that dies with the IIS logfiles.

0 Karma

Explorer

I'll check this next week. It's certainly plausible!

0 Karma

Communicator

Are you seeing messages in splunkd.log that you are connected to the indexer? Do you have any other inputs on the forwarder that are making it to the indexer?

0 Karma

Explorer

If I take this logfile stanza out, then I get connections and data flows from the Windows event logs. When I add it, the parsing queue dies and no data flows.

0 Karma

Communicator

You might want to add a whitelist to your input:

whitelist = \.log$

0 Karma

Explorer

Nice idea, but this doesn't seem to have helped.

0 Karma

Splunk Employee

Might be a long shot, but I noticed you don't have a slash on the monitor stanza, i.e.:

[monitor://C:\Windows\system32\LogFiles]

Also make sure that the Windows firewall is not blocking the TCP connection between the UF and the Indexer.

0 Karma

Explorer

I do have the slashes, it's just my (lack of) competence in formatting on this forum. The firewall isn't blocking, as I get the WinEventLog* events through if I take the monitor stanza out.

0 Karma