Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

IIS Monitor causing tail errors on universal forwarder

BP9906
Builder
‎04-20-2012 10:16 AM

I added this to my inputs.conf:

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC*\]
disabled = false
followTail = 0
recursive = true
index=iis
ignoreOlderThan = 7d

When the deployment server gets the deployment app and reloads, the splunkd.log on the universal forwarder errors many times this error:

04-20-2012 10:14:14.368 -0700 ERROR TailingProcessor - matching C:\WINDOWS\system32\LogFiles\Cluster\ against ^C:\\WINDOWS\\system32\\LogFiles\\W3SVC[^\\]*\\$
04-20-2012 10:14:14.368 -0700 ERROR TailingProcessor - matching C:\WINDOWS\system32\LogFiles\HTTPERR\ against ^C:\\WINDOWS\\system32\\LogFiles\\W3SVC[^\\]*\\$

How do I get rid of this repeat error message?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BP9906
Builder
‎10-30-2012 01:57 PM

I found this to work the best.

[monitor://C:\WINDOWS\system32\LogFiles\*\*.log]

disabled = false
followTail = 0
recursive = true
index=iis
ignoreOlderThan = 7d
sourcetype=MSWindows:2003:IIS

[monitor://C:\inetpub\logs\LogFiles\*\*.log]
disabled = false
followTail = 0
recursive = true
index=iis
ignoreOlderThan = 7d
sourcetype=MSWindows:2008R2:IIS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

BP9906
Builder
‎10-30-2012 01:57 PM

I found this to work the best.

[monitor://C:\WINDOWS\system32\LogFiles\*\*.log]

disabled = false
followTail = 0
recursive = true
index=iis
ignoreOlderThan = 7d
sourcetype=MSWindows:2003:IIS

[monitor://C:\inetpub\logs\LogFiles\*\*.log]
disabled = false
followTail = 0
recursive = true
index=iis
ignoreOlderThan = 7d
sourcetype=MSWindows:2008R2:IIS

0 Karma
Reply
Solved! Jump to solution

BP9906
Builder
‎04-20-2012 12:01 PM

I resolved it by removing the wildcard char. It must be a splunk forwarder error to repeat the error in the log.

ie

[monitor://C:WINDOWS\system32\LogFiles] 
disabled = false 
followTail = 0 
recursive = true 
index=iis 
ignoreOlderThan = 7d
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...