Getting Data In

IIS logs creating licensing issue

andyadino
Engager

Hello,

We recently completed a SOW with Splunk Professional Services. As part of the SOW we cleaned up apps, scripts etc. and made Splunk much neater and up to date. Previously we had scripts that would filter the IIS log info we wanted. We collect IIS logs specifically for CAS servers so we know what devices users are getting locked out of.

To replace the scripts, we installed the IIS app from Splunk Base. Everything is great except for one specific CAS server. I'm noticing the logs at this path: C:\inetpub\logs\LogFiles\W3SVC1 (we are an all Windows environment here) are significantly larger than other CAS servers (example: one server has a log file that is about 47,000KB every 24 hours while the problem server is looking at 150,000+KB). The server was also transferring at 60+KBps which is way higher than other servers that report to Splunk. At this point, the Splunk service has throttled the queue because the pool has gotten so large.

One thing I did notice is that a specific user is generating literally 33% of all events that are reported on the problematic CAS server. The logs are simply allowed and blocked EWS syncs and ActiveSync connections. He is running the latest OS X 10.13.4 and iOS 11.3.1, and no other user is running these OSes.

We do not have any other monitoring going on except for that log path above. No other servers are generating log files this large, but we do have 2 other CAS servers that are sending at a heavier index rate to the indexer (these servers are NOT generating a large log file, but bandwidth is around 25 to 30KBps while others hover around 10 to 15KBps).

Has anyone ever run into a similar issue like this, or may have an idea of what may be going on? Or has anyone been noticing large log files recently since the latest Apple OS updates that may be causing license usage problems in Splunk?

Any help will be appreciated since the tech and I are kind of stumped on this one. Thank you!

0 Karma

andyadino
Engager

Update:

Seems the allowed ActiveSyncs are causing the flooding in the logs. Currently attempting to blacklist sc_status value 200 to filter out successful syncs.

0 Karma
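One way to do the filtering the update describes, as an added example that is not from the original thread or from the Splunk IIS add-on: a props.conf/transforms.conf pair that routes successful (sc-status 200) ActiveSync requests to nullQueue while leaving blocked syncs and all EWS traffic alone. It assumes the default IIS W3C field order (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status ...), so compare the regex against the #Fields header in the actual log file, and the sourcetype stanza name is an assumption to replace with whatever the add-on assigns.

```ini
# props.conf on the instance that parses the data (indexer or heavy forwarder).
# Stanza name is assumed; use the sourcetype your IIS add-on actually assigns.
[ms:iis:auto]
TRANSFORMS-drop_as_200 = drop_activesync_200

# transforms.conf
# Field positions assumed from the default IIS W3C layout:
#   1 date 2 time 3 s-ip 4 cs-method 5 cs-uri-stem 6 cs-uri-query 7 s-port
#   8 cs-username 9 c-ip 10 cs(User-Agent) 11 cs(Referer) 12 sc-status ...
# Match only when the URI stem is the ActiveSync endpoint AND field 12 is
# exactly 200, so 401/403/449 (blocked or quarantined) syncs still get indexed.
[drop_activesync_200]
REGEX = (?i)^(?:\S+\s+){4}/Microsoft-Server-ActiveSync\S*\s+(?:\S+\s+){6}200\s
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats worth knowing before relying on this. First, nullQueue routing happens in the parsing pipeline, which a universal forwarder does not run, so the stanzas have to live on the indexer or a heavy forwarder; that cuts license usage but not the 60+KBps the forwarder sends over the wire. Second, dropping every 200 removes the record of a user's last good sync, which is sometimes the thing you want when working a lockout; if that matters, route those events to a separate low-retention index instead of nullQueue. Either way, run something like `| stats count by cs_username, sc_status` against the server before and after the change to confirm the 33% user's successful syncs are what disappears.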