Hi,
I want to collect Microsoft Web Application Proxy logs from a remote host. I tried with WMI, but in Splunk Web nothing shows up from my remote hosts.
I also tried adding the input to inputs.conf and installing a forwarder on the remote host, but with the same result: it doesn't show up in Splunk Web. Am I missing something?
To help narrow down where this is going wrong can you:
1) Try collecting the regular Windows System logs via WMI. Try searching index=* for a recent time period after you know the other system has generated some log entries and see if it shows up in hosts. You can disable this input once you get it working.
2) Repeat the same test only using the UF. You can find an example here. There are probably samples/examples right in some .conf files already on your system, perhaps just commented out. You can disable this after you get it working, or leave it enabled - your choice. If WMI worked but this won't, post your inputs.conf and outputs.conf, as satishsdange suggested.
Really, get those two working first. If you can't, then there's something more broken like permissions on the account are wrong, or maybe the time on the host is off.
3) Once you have the UF forwarding the System event log, we can try the non-default event logs using it as well. (I have not had luck using WMI to collect non-default logs.) Check here for instructions on setting that up. Note particularly that you have to use the full name of the operational logs - the link explains that. If it's working - great! If you got #1 and #2 working but not this, then post your inputs.conf and outputs.conf from the UF so we can take a look at them.
Report back with what you find.
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://System]
disabled = 0
and outputs:
[tcpout]
maxQueueSize = auto
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
tcpSendBufSz = 0
ackTimeoutOnShutdown = 30
useACK = false
blockWarnThreshold = 100
sslQuietShutdown = false
[syslog]
type = udp
priority = <13>
dropEventsOnQueueFull = -1
maxEventSize = 1024
It's working now. I had only the default outputs.conf... :) So with outputs.conf in local and with the tcp output specified, it's working.
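Tying together step 3 of the answer above (non-default logs need the full channel name) and the fix that resolved the thread (an outputs.conf that actually names a receiver), here is an added example that is not from any poster in this thread. It runs on the Web Application Proxy host, resolves the exact channel name with Get-WinEvent -ListLog, and prints the inputs.conf and outputs.conf stanzas a UF needs; the channel-name wildcard, the index name and the indexer address are assumptions or placeholders.

```powershell
# Added example, not code from the thread. Assumes the WAP channel name matches
# *WebApplicationProxy* (check Event Viewer > Applications and Services Logs if not).
$IndexerHost = 'INDEXER_PLACEHOLDER:9997'   # placeholder: your indexer or receiver
$SplunkIndex = 'wap'                        # assumption: this index exists on the indexer

# The folder name shown in Event Viewer is not the channel name; the UF needs the
# full LogName (typically "Microsoft-Windows-<Component>/Admin" style).
$channels = Get-WinEvent -ListLog '*WebApplicationProxy*' -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

if (-not $channels) {
    Write-Warning 'No enabled WebApplicationProxy channel with events found; check the role and its logging.'
    return
}

# inputs.conf: one WinEventLog stanza per channel, using the exact LogName.
$inputs = foreach ($c in $channels) {
@"
[WinEventLog://$($c.LogName)]
disabled = 0
index = $SplunkIndex
start_from = oldest
current_only = 0
"@
}

# outputs.conf: the posted config had only the bare [tcpout] defaults, so the UF had
# nowhere to send data. A named target group with server= and a defaultGroup fixes that.
$outputs = @"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $IndexerHost
"@

Write-Output '# ---- inputs.conf ----'
Write-Output ($inputs -join "`n`n")
Write-Output '# ---- outputs.conf ----'
Write-Output $outputs
```

Put the printed stanzas in $SPLUNK_HOME\etc\system\local (or an app) on the forwarder and restart the UF, then search index=wap host=<proxy host> to confirm events arrive.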
Can you post your inputs.conf & outputs.conf?