I've been able to deploy universal forwarders to dozens of Windows servers that run IIS logs. I have created a dedicated index and I have pushed an app (used to be Splunk supported, they have since moved to a different app package) to said forwarders. The forwarders are set to send the data to our indexer cluster. To cover my bases for the different versions I have included several different monitor stanzas in the inputs.conf file:

[monitor://C:\inetpub\logs\...\W3S*\*.log]

disabled = false

sourcetype = ms:iis:auto

index=iis



[monitor://C:\inetpub\logs\*\W3S*\*.log]

disabled = false

sourcetype = ms:iis:auto

index=iis



[monitor://C:\Program Files\Microsoft\Exchange Server\V*\Logging\Ews]

disabled = false

sourcetype = ms:iis:auto

index=iis

When deployed to the dozens of servers, I'm not seeing any data come back up or even any path watches coming back when searching the logs coming back from the universal forwarders. As a test I have added several files to a dedicated server and kept playing around with the monitor stanzas with no luck. When opening the inputs.conf locally on that server in notepad, the text looked merged so I added some spaces and line breaks. Restarted the service, I can path watches added but still nothing coming in. Even when specifying a path to a file, nothing comes in:

[monitor://C:\Test\logs\LogFiles\W3SVC1\u_ex221010.log]

disabled = false

sourcetype = ms:iis:auto

index=iis

For something that seems so simple, where am I going wrong?