Getting Data In

Monitor Windows IIS Log File

willadams
Contributor

I am not sure where I have gone wrong, but I am trying to take in logs from a number of IIS web servers. The log files for each server don't maintain defaults, depending on the website. Some services write default logs (i.e. c\inetpub\wwwroot\logs\w3svc*\something.log) where other services are using D:\Logs\W3SVC*\something.log.

I created a deployment app to extract the log file using a direct path and this works correctly.

[monitor://D:\Logs\IIS\W3SVC3\*.log]
index=web_iis
sourcetype=iis

However, I tried to break this out so that I could monitor all drives and try to do a recursive search for a folder to pick up the same log. I tried the following configurations (same index / sourcetype, so not added below):

[monitor:[A-Z]:*\Logs*.log] <-- this doesn't work
[monitor:\...\Logs\.log] <-- this doesn't work
[monitor:[A-Z]:\...\W3SVC\*.log] <-- this doesn't work

Is there any way to get this to work so I can recursively search through whatever drives are on the system for a log file that I expect in W3SVC*?

0 Karma

gcusello
SplunkTrust

Hi willadams,
if you don't have too many paths to monitor, did you try to use more stanzas?
e.g.:

[monitor://c\inetpub\wwwroot\logs\w3svc*\something.log]
...
[monitor://D:\Logs\W3SVC*\something.log]
...

In this way only one stanza will read your logs, but you have all the paths to monitor in only one inputs.conf.

Bye.
Giuseppe

0 Karma

willadams
Contributor

I thought of doing multiple monitors in a single stanza, but I was trying to account for the unknown, as unfortunately where the logs end up depends on the website admin and where they would have put them. I could take the approach of monitoring the standard IIS path but fear this will miss out key information. I had intended to write some script to detect the IIS log configuration on each server and create an input with these paths, but was trying to find something that could take this into account for current and new systems that came along.

0 Karma

willadams
Contributor

If I interrogate this registry entry (HKLM\SOFTWARE\Microsoft\WebManagement\Server\LoggingDirectory (REG_SZ)) then the single stanza monitoring could be constructed but where there are multiple websites with potentially multiple log locations on a single box this is where it becomes an administration overhead once the one query to sit then all.

0 Karma
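Two points from the thread are worth making concrete. First, a Splunk monitor path accepts `*` (one path segment) and `...` (any depth of subdirectories), but not a character class like `[A-Z]`, so `[monitor://D:\...\W3SVC*\*.log]` works for one drive while the drive letter itself cannot be wildcarded. Second, the script idea willadams mentions is straightforward on the server itself: IIS already knows each site's log directory. The PowerShell below is an added example, not code from the thread or from Splunk; it assumes the WebAdministration module that ships with IIS, the default `W3SVC<siteId>` folder layout, and the `web_iis` index and `iis` sourcetype from the original question. It enumerates every site, resolves its log folder (expanding `%SystemDrive%`-style values), and emits one `[monitor://...]` stanza per site for a deployment app's inputs.conf, so a site whose admin moved the logs to another drive is still collected rather than silently missed.

```powershell
# Added example (not from the thread): build inputs.conf monitor stanzas from the
# IIS configuration of the local server instead of guessing drive letters.
Import-Module WebAdministration

$index      = 'web_iis'   # index and sourcetype from the original question
$sourcetype = 'iis'
$outFile    = Join-Path $PSScriptRoot 'inputs.conf'   # assumed output location

# The registry value willadams mentions; read it only as an informational default
# and tolerate its absence, since sites may override the directory individually.
$regDefault = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server' `
               -Name LoggingDirectory -ErrorAction SilentlyContinue).LoggingDirectory
if ($regDefault) { Write-Verbose "Server-wide logging directory from registry: $regDefault" }

$stanzas = foreach ($site in Get-Website) {
    # logFile.directory is frequently stored as %SystemDrive%\inetpub\logs\LogFiles
    $dir = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    if ([string]::IsNullOrWhiteSpace($dir)) {
        Write-Warning "Site '$($site.name)' has no log directory configured; skipping"
        continue
    }
    # IIS writes each site's W3C logs under <directory>\W3SVC<siteId> (assumed default layout)
    $path = Join-Path $dir ("W3SVC{0}" -f $site.id)
    if (-not (Test-Path $path)) {
        Write-Warning "Expected log folder for site '$($site.name)' not found: $path"
        continue
    }
    @(
        "[monitor://$path\*.log]"
        "index=$index"
        "sourcetype=$sourcetype"
        "disabled=false"
        ""
    ) -join "`n"
}

# Several sites can share a directory; keep each stanza once and write the file.
$content = ($stanzas | Sort-Object -Unique) -join "`n"
Set-Content -Path $outFile -Value $content -Encoding ASCII
Write-Output $content
```

Run it on each IIS host (for example as a scheduled task or from your configuration-management tool) and ship the resulting inputs.conf with the deployment app; re-running it after a new site is added picks up the new `W3SVC<id>` folder without anyone having to know which drive the admin chose. The warnings are deliberate: a site whose folder is missing is exactly the gap in web-log coverage you want to notice.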