I am having trouble getting the IIS logs and Message Tracking logs to show up in Splunk. I am able to get some Exchange information such as mailbox counts, database statistics and items such as that.
We don't have our logs in the default locations and I have found the files that need to be updated, I think.
For the Message Tracking logs, I believe that I need to update the file:
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-2010-HubTransport\default
so that the monitor stanza reads:
[monitor://D:\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
which is the location of our Message Tracking logs. My question is, do I just update this file or do I need to copy the stanza and insert it into a local file someplace such as:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local
I am experiencing the same thing with my IIS logs. Do I just update the:
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Windows-2008R2-Exchange-IIS\default\inputs.conf
file in that location or do I need to copy that to another location as well?
I will admit that I am new to Splunk and I don't find the documentation to be overly clear as to what to do so any guidance that can be provided would be greatly appreciated.
Thanks.
You got the right location. This is a general problem, and the solution is always the same.
In your case, you are altering TA-Exchange2010-HubTransport/default/inputs.conf, and the new local/inputs.conf should look like this:
[monitor://C:\Program Files\Microsoft\Exchange\v14\Logs\MessageTracking]
disabled=true
[monitor://D:\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
Note, I don't have access to the technology add-ons right now, so the paths may be wrong, but you get the idea. Don't copy anything you don't want to alter. In this case, you want to alter the original stanza so that it is ignored, and then create a new stanza for the new location.
Repeat the process with the IIS logs in the TA-Windows-2008R2-Exchange-IIS plug-in.
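The default/local layering described in the answer above, as an added Python illustration that is not part of the original post or of the add-on. The contents of default/inputs.conf are a constructed sample (the answer notes its paths may be wrong), and the function names are hypothetical.

```python
# Added illustration: how default/ and local/ inputs.conf combine within one app.
# Both file bodies below are constructed samples, not copied from the add-on.

DEFAULT_CONF = r"""
# default/inputs.conf as shipped (constructed sample)
[monitor://C:\Program Files\Microsoft\Exchange\v14\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
"""

LOCAL_CONF = r"""
# local/inputs.conf: only the settings that differ from default
[monitor://C:\Program Files\Microsoft\Exchange\v14\Logs\MessageTracking]
disabled=true

[monitor://D:\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Merge per stanza and per attribute; a value in local wins over default."""
    merged = {name: dict(attrs) for name, attrs in parse_conf(default_text).items()}
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def active_monitors(conf):
    """Return the monitored paths whose stanza is not disabled."""
    return sorted(name[len("monitor://"):] for name, attrs in conf.items()
                  if name.startswith("monitor://")
                  and attrs.get("disabled", "false").lower() not in ("true", "1"))

if __name__ == "__main__":
    print(active_monitors(effective(DEFAULT_CONF, LOCAL_CONF)))
```

On a real forwarder, `splunk btool inputs list --debug` prints the merged settings together with the file each one came from.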
No. Your new location would be (for example), C:/Program Files/SplunkUniversalForwarder/etc/apps/TA-Exchange-2010-HubTransport/local/inputs.conf
When you say that I have the right location and that I shouldn't copy anything that I don't want to alter, I am assuming that I copy those specific stanzas to the
"C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local"
location?