Getting Data In

Monitor Windows IIS Log File

willadams
Contributor

I am not sure where I have gone wrong but I am trying to take in logs from a number of IIS web servers. The log files for each server don't maintain defaults depending on the website. Some services write default logs (i.e. c\inetpub\wwwroot\logs\w3svc*\something.log) where other services are using D:\Logs\W3SVC*\something.log.

I created a deployment app to extract the log file using a direct path and this works correctly.

[monitor://D:\Logs\IIS\W3SVC3\*.log]
index=web_iis
sourcetype=iis

However, I tried to break this out so that I could monitor all drives and try and do a recursive search for a folder to pick up the same log. I tried the following configuration (same index / source type so not added below).

[monitor:[A-Z]:*\Logs*.log] <-- this doesn't work
[monitor:\...\Logs\.log] <-- this doesn't work
[monitor:[A-Z]:\...\W3SVC\*.log <-- this doesn't work

Is there any way to get this to work so I can recursively search through whatever drives are on the system for a log file that I expect in W3SVC*?

0 Karma

gcusello
SplunkTrust

Hi willadams,
If you don't have too many paths to monitor, did you try to use more stanzas?
e.g.:

[monitor://c\inetpub\wwwroot\logs\w3svc*\something.log]
...
[monitor://D:\Logs\W3SVC*\something.log]
...

In this way only one stanza will read your logs, but you have all the paths to monitor in only one inputs.conf.

Bye.
Giuseppe

0 Karma

willadams
Contributor

I thought of doing multi monitors in a single stanza but I was trying to account for the unknown as unfortunately depending on the website admin depends on where they would have put the logs. I could take the approach of monitoring the standard IIS path but fear this will miss out key information. I had intended to quote some script to detect the iis log configuration on each server and create an input with these paths but was trying to find something that could take this into account for current and new systems that came along.

0 Karma

willadams
Contributor

If I interrogate this registry entry (HKLM\SOFTWARE\Microsoft\WebManagement\Server\LoggingDirectory (REG_SZ)) then the single stanza monitoring could be constructed but where there are multiple websites with potentially multiple log locations on a single box this is where it becomes an administration overhead once the one query to sit then all.

0 Karma
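
The per-server detection script discussed in the posts above, as an added example (not code from the thread or from Splunk): it reads each IIS site's configured log directory through the WebAdministration module and writes one monitor stanza per site. The output path is a hypothetical placeholder; the index and sourcetype are the values from the original post.

```powershell
# Added example: generate Splunk monitor stanzas from the IIS site configuration.
# Assumes the WebAdministration module (installed with the IIS management tools).
Import-Module WebAdministration

$index      = 'web_iis'               # value from the original post
$sourcetype = 'iis'                   # value from the original post
$outFile    = 'C:\Temp\inputs.conf'   # hypothetical path; copy the result into the deployed app

$logDirs = foreach ($site in Get-Website) {
    # logFile.directory can contain variables such as %SystemDrive%
    $base = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    # IIS writes each site's W3C logs to <directory>\W3SVC<site id>
    '{0}\W3SVC{1}' -f $base.TrimEnd('\'), $site.id
}

# One explicit stanza per distinct directory, so no drive wildcard is needed
$stanzas = foreach ($dir in ($logDirs | Sort-Object -Unique)) {
    "[monitor://$dir\*.log]"
    "index = $index"
    "sourcetype = $sourcetype"
    ''
}

Set-Content -Path $outFile -Value $stanzas -Encoding ASCII
```

Re-running the script after a site is added or its logging path changes regenerates the stanzas, which covers new systems without monitoring whole drives.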