I'm having a problem getting Splunk to monitor an active IIS log. When I look at the SplunkD log, I see the following errors:
05-17-2012 16:55:52.503 -0400 WARN FileClassifierManager - The file 'D:\LOGS\MSFTPSVC1\ex120517.log' is invalid. Reason: binary
05-17-2012 16:55:52.503 -0400 INFO TailingProcessor - Ignoring file 'D:\LOGS\MSFTPSVC1\ex120517.log' due to: binary
When I open the log file, I see normal text; however, there is a bunch of white space at the bottom of the file. I assume this has to do with IIS still writing to the file.
How can I get Splunk to read this active log file so we can get real-time data?
In props.conf, put
[iis*]
NO_BINARY_CHECK = true
This assumes that the "offending" file has a sourcetype that starts with iis. Feel free to substitute a source specification instead of the sourcetype.
Also, have you tried running btool on the forwarder:
$ cd /opt/splunkforwarder # or wherever you installed splunk
$ ./splunk btool props list iis --debug
or just
$ ./splunk btool props list --debug | more
Where did you put the props.conf?
On the UF or on the indexer?
I saw that as a possible solution on the Wiki and I tried to implement it... but it didn't seem to work for me.
This server has a Universal forwarder installed and didn't have a props.conf file by default. I created one for my source type and added the no binary check, but I got the same result.
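An added example, not part of the thread: a Python check of what the "white space" at the end of an active log actually is, so you can tell text followed by padding apart from a file with non-text bytes in its body. It assumes the padding is NUL bytes left by the writer preallocating the file (the post does not say which bytes they are) and an ASCII log; it does not reproduce Splunk's own binary check, the sample log is constructed, and `padding_report` and `verdict` are names chosen here.

```python
import sys

# Bytes expected in an ASCII W3C text log: printable ASCII plus tab, LF, CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def padding_report(data: bytes) -> dict:
    """Measure trailing NUL padding and non-text bytes in a log's content."""
    body = data.rstrip(b"\x00")          # everything before the padding
    trailing_nul = len(data) - len(body)
    return {
        "size": len(data),
        "text_end_offset": len(body),    # where the real log text stops
        "trailing_nul": trailing_nul,
        "non_text_in_body": sum(1 for b in body if b not in TEXT_BYTES),
        "nul_ratio": round(trailing_nul / len(data), 3) if data else 0.0,
    }

def verdict(report: dict) -> str:
    """Classify the file from the report (assumed categories, not Splunk's)."""
    if report["non_text_in_body"]:
        return "non-text bytes inside the log body"
    if report["trailing_nul"]:
        return "text followed by NUL padding"
    return "plain text"

# Constructed sample: a few W3C-style FTP log lines plus 64 KiB of NUL padding.
SAMPLE = (
    b"#Software: Microsoft Internet Information Services 6.0\r\n"
    b"#Version: 1.0\r\n"
    b"#Date: 2012-05-17 20:55:52\r\n"
    b"#Fields: time c-ip cs-method cs-uri-stem sc-status\r\n"
    b"20:55:52 192.0.2.10 [1]USER anonymous 331\r\n"
) + b"\x00" * 65536

if __name__ == "__main__":
    # Pass a log path as the first argument, or run with no arguments
    # to use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    report = padding_report(data)
    print(report)
    print(verdict(report))
```

If the verdict is "text followed by NUL padding", the file is ordinary text with padding after it, which is the case the `NO_BINARY_CHECK = true` setting suggested above is meant for.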