I've been able to deploy universal forwarders to dozens of Windows servers that run IIS logs. I have created a dedicated index and I have pushed an app (used to be Splunk supported, they have since moved to a different app package) to said forwarders. The forwarders are set to send the data to our indexer cluster. To cover my bases for the different versions I have included several different monitor stanzas in the inputs.conf file:
[monitor://C:\inetpub\logs\...\W3S*\*.log]
disabled = false
sourcetype = ms:iis:auto
index=iis
[monitor://C:\inetpub\logs\*\W3S*\*.log]
disabled = false
sourcetype = ms:iis:auto
index=iis
[monitor://C:\Program Files\Microsoft\Exchange Server\V*\Logging\Ews]
disabled = false
sourcetype = ms:iis:auto
index=iis
When deployed to the dozens of servers, I'm not seeing any data come back up or even any path watches coming back when searching the logs coming back from the universal forwarders. As a test I have added several files to a dedicated server and kept playing around with the monitor stanzas with no luck. When opening the inputs.conf locally on that server in notepad, the text looked merged so I added some spaces and line breaks. Restarted the service, I can path watches added but still nothing coming in. Even when specifying a path to a file, nothing comes in:
[monitor://C:\Test\logs\LogFiles\W3SVC1\u_ex221010.log]
disabled = false
sourcetype = ms:iis:auto
index=iis
For something that seems so simple, where am I going wrong?