Monitor Windows IIS Log File
I am not sure where I have gone wrong, but I am trying to take in logs from a number of IIS web servers. The log files for each server don't maintain defaults depending on the website. Some services write default logs (i.e. c\inetpub\wwwroot\logs\w3svc*\something.log) where other services are using D:\Logs\W3SVC*\something.log.
I created a deployment app to extract the log file using a direct path and this works correctly.
[monitor://D:\Logs\IIS\W3SVC3\*.log]
index=web_iis
sourcetype=iis
However, I tried to break this out so that I could monitor all drives and try to do a recursive search for a folder to pick up the same log. I tried the following configuration (same index / source type, so not added below):
[monitor:[A-Z]:*\Logs*.log] <-- this doesn't work
[monitor:\...\Logs\.log] <-- this doesn't work
[monitor:[A-Z]:\...\W3SVC\*.log <-- this doesn't work
Is there any way to get this to work so I can recursively search through whatever drives are on the system for a log file that I expect in W3SVC*?


Hi willadams,
If you don't have too many paths to monitor, did you try to use more stanzas?
e.g.:
[monitor://c\inetpub\wwwroot\logs\w3svc*\something.log]
...
[monitor://D:\Logs\W3SVC*\something.log]
...
In this way only one stanza will read your logs, but you have all the paths to monitor in only one inputs.conf.
Bye.
Giuseppe
I thought of doing multi monitors in a single stanza, but I was trying to account for the unknown, as unfortunately depending on the website admin depends on where they would have put the logs. I could take the approach of monitoring the standard IIS path but fear this will miss out key information. I had intended to quote some script to detect the IIS log configuration on each server and create an input with these paths, but was trying to find something that could take this into account for current and new systems that came along.
If I interrogate this registry entry (HKLM\SOFTWARE\Microsoft\WebManagement\Server\LoggingDirectory (REG_SZ)) then the single stanza monitoring could be constructed but where there are multiple websites with potentially multiple log locations on a single box this is where it becomes an administration overhead once the one query to sit then all.
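The per-server detection discussed in the last two posts can be scripted; the following is an added example, not code from the thread or from Splunk. It assumes IIS 7 or later, where each site's log directory is recorded in applicationHost.config and logs land in `<directory>\W3SVC<site id>`; the function names and the sample config are constructed for illustration, and the index and sourcetype are the ones from the original post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of applicationHost.config (normally found under
# %windir%\System32\inetsrv\config); site names and paths are made up.
SAMPLE_CONFIG = r"""<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1" />
  <site name="Intranet" id="3"><logFile directory="D:\Logs\IIS" /></site>
  <site name="Shop" id="4"><logFile directory="E:\Web Logs\" /></site>
  <siteDefaults><logFile directory="%SystemDrive%\inetpub\logs\LogFiles" /></siteDefaults>
</sites></system.applicationHost></configuration>"""

def expand_vars(path, env):
    """Expand %VAR% references case-insensitively; unknown variables stay as-is."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)

def iis_log_dirs(config_xml, env):
    """Return {site name: log folder}, falling back to siteDefaults per site."""
    sites = ET.fromstring(config_xml).find(".//sites")
    default = sites.find("siteDefaults/logFile")
    default_dir = default.get("directory") if default is not None else None
    result = {}
    for site in sites.findall("site"):
        log = site.find("logFile")
        directory = (log.get("directory") if log is not None else None) or default_dir
        if directory is None:
            continue  # no directory configured anywhere; nothing to monitor
        base = expand_vars(directory, env).rstrip("\\")
        result[site.get("name")] = f"{base}\\W3SVC{site.get('id')}"
    return result

def build_inputs(config_xml, env, index="web_iis", sourcetype="iis"):
    """Render one inputs.conf monitor stanza per distinct log folder."""
    stanzas = []
    for folder in sorted(set(iis_log_dirs(config_xml, env).values())):
        stanzas.append(f"[monitor://{folder}\\*.log]\n"
                       f"index={index}\nsourcetype={sourcetype}\n")
    return "\n".join(stanzas)

if __name__ == "__main__":
    # On a real server, pass os.environ and the contents of applicationHost.config.
    print(build_inputs(SAMPLE_CONFIG, {"SystemDrive": "C:"}))
```

Because every stanza is an explicit path, the output has to be regenerated and redeployed when a site is added or its log directory changes.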
