Getting Data In

IIS and file mod time

reedmohn
Communicator

I am sure I read something about IIS and log file modtime in here somewhere, but I can't find that post again.
Anyway, from the Splunk docs and other comments, I gather that IIS not updating modtime is the reason why I have odd issues with IIS logs.
Can anyone confirm this?

What happens is that suddenly, some time during the day, my IIS logs stop coming in. I haven't sat around to watch it for hours, but I can see that next morning, all the data is there.
I haven't confirmed, but I would guess that the log file switch at midnight is what triggers a read of the file, and the data is indexed.

The question then is: is there a solution to that problem? Can I make Splunk follow the log continuously (without duplicate indexing results, of course)?

As said, I thought I read the answer to that question in here before, but I can't find it again.

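A quick check for the symptom described above, added here as an example rather than taken from the thread: it samples the log file IIS is currently writing and reports whether its real length (read through an open handle) keeps growing while the directory entry's LastWriteTime, which is what a modtime-based tailer sees, stays put. The log directory (site ID 1), sample count and interval are placeholders.

```powershell
# Added example, not from the original post. Assumptions: site ID 1, six samples five minutes apart.
param(
    [string]$LogDir      = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1",  # assumed site ID
    [int]   $Samples     = 6,
    [int]   $IntervalSec = 300
)

function Get-LiveLogState {
    param([string]$Path)
    # Length read through an open handle reflects the real end-of-file even while IIS holds the
    # file open; Get-Item reads the directory entry, the same place a modtime check looks.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try { $liveLength = $fs.Length } finally { $fs.Dispose() }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Time          = Get-Date
        LiveLength    = $liveLength
        DirLength     = $item.Length
        LastWriteTime = $item.LastWriteTime
    }
}

# IIS names W3C logs u_exYYMMDD[HH].log, so the newest name is the file being written now
# (sorting by name rather than LastWriteTime avoids trusting the timestamp we are testing).
$current = Get-ChildItem -Path $LogDir -Filter 'u_ex*.log' |
    Sort-Object Name -Descending | Select-Object -First 1
if (-not $current) { throw "No u_ex*.log files found in $LogDir" }

$prev = Get-LiveLogState $current.FullName
for ($i = 1; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSec
    $now   = Get-LiveLogState $current.FullName
    $grew  = $now.LiveLength -gt $prev.LiveLength
    $stale = $now.LastWriteTime -eq $prev.LastWriteTime
    $flag  = if ($grew -and $stale) { 'MODTIME STALE' }
             elseif ($grew)         { 'ok' }
             else                   { 'no new writes' }
    '{0:HH:mm:ss} live={1,10} dir={2,10} mtime={3:HH:mm:ss} {4}' -f `
        $now.Time, $now.LiveLength, $now.DirLength, $now.LastWriteTime, $flag
    $prev = $now
}
```

Run it during the hours when events stop arriving; a run of MODTIME STALE lines with a growing live length shows the file is being written but its timestamp is not moving, whereas "no new writes" means the site simply had no traffic in that window.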

musskopf
Builder

One odd thing about IIS logs I noted is that they, by default, rotate every 24 hours at 00:00 GMT (+0000); in other words, they actually rotate in the middle of the day over here (depending on your regional/timezone settings).

To minimize any problem I changed IIS to rotate logs every hour... it not only gives me smaller files to work with but also more predictability. I also added this line to my inputs.conf:

ignoreOlderThan = 7d

so it won't re-scan older files. After 8 days I have a PS script remove/archive the logs as well.

Not related, but I also suggest installing the Advanced Logging module for IIS... it gives you the ability to get more information and configure custom fields in your HTTP log.


reedmohn
Communicator

That's a config choice in IIS: you can select whether to use local time for file name and rollover. If you don't, it will use UTC. For companies with many log sources across timezones, aligning everything to UTC can be beneficial.

I'll check out the Advanced logging module, thanks for the tip!

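The two configuration points from this thread, hourly rollover (musskopf) and local-time rather than UTC rollover (reedmohn), plus the 8-day archive/remove job, as one PowerShell script. This is an added example, not the script from the post; it assumes the WebAdministration module, and the site name and archive folder are placeholders.

```powershell
# Added example, not the poster's script. Assumes the WebAdministration module;
# $siteName and $archiveDir are placeholders.
Import-Module WebAdministration

$siteName   = 'Default Web Site'   # placeholder
$archiveDir = 'D:\IISLogArchive'   # placeholder
$keepDays   = 8                    # the post's window; keep it above ignoreOlderThan = 7d

$sitePath = "IIS:\Sites\$siteName"

# 1. Roll the log hourly and use local time for file names and rollover
#    (localTimeRollover defaults to false, i.e. the 00:00 GMT rotation noted above).
Set-ItemProperty -Path $sitePath -Name logFile.period            -Value 'Hourly'
Set-ItemProperty -Path $sitePath -Name logFile.localTimeRollover -Value $true

# 2. Resolve this site's log directory: IIS stores the root with %SystemDrive%
#    unexpanded and writes each site under W3SVC<site id>.
$site    = Get-Item $sitePath
$logRoot = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
$logDir  = Join-Path $logRoot ("W3SVC{0}" -f $site.id)

# 3. Zip and then delete logs older than $keepDays, judged by LastWriteTime, the same
#    clock ignoreOlderThan uses, so Splunk has already stopped checking these files.
$cutoff = (Get-Date).AddDays(-$keepDays)
$old = Get-ChildItem -Path $logDir -Filter 'u_ex*.log' |
    Where-Object { $_.LastWriteTime -lt $cutoff }

if ($old) {
    New-Item -ItemType Directory -Path $archiveDir -Force | Out-Null
    $zip = Join-Path $archiveDir ("{0}-{1:yyyyMMdd-HHmmss}.zip" -f
        ($siteName -replace '[^\w]', '_'), (Get-Date))
    Compress-Archive -LiteralPath $old.FullName -DestinationPath $zip
    $old | Remove-Item -Force
    "Archived {0} file(s) to {1}" -f $old.Count, $zip
} else {
    "Nothing older than $cutoff in $logDir"
}
```

Pair it with a monitor stanza in inputs.conf that points at the same W3SVC directory and carries the `ignoreOlderThan = 7d` line from the post; since the removal window is a day longer than that threshold, a file is only zipped after Splunk has stopped looking at it, so nothing is taken away mid-read and nothing is re-indexed when the archive is unpacked elsewhere.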