Why are IIS logs not being indexed from Windows Share?

seanbarbour
New Member

I have a universal forwarder (6.3.3 x64) installed on Windows Server 2012 R2 that is supposed to index IIS logs that live on another Windows server. I am not able to install forwarders on those servers (floating IP for 3 servers), so the logs are read via a Windows share.

I verified the domain user that I am using has access to the log files. I initially installed the forwarder in low privileged mode, however, during troubleshooting, I found that the forwarder was reporting access denied errors when attempting to write to the fishbuckets. To resolve, I added the service account to the local admins group.

Here are my configuration files:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$SPLUNK_HOME/etc/deployment-apps/web_farm_iis/inputs.conf:

# Stanza 1: wildcard on the file name inside the monitor path itself
[monitor://\\host01.domain.suffix\logs\folder01.uis.kent.edu\W3SVC2\*.txt]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis

# Stanza 2: directory is monitored and the files are selected with whitelist
[monitor://\\host02.domain.suffix\logs\folder02.uis.kent.edu\W3SVC2]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis
whitelist = *.txt

serverclass.conf:

# Server class that targets the forwarder and assigns the app to it
[serverClass:web_farm_iis]
whitelist.0 = serverWithForwarder
[serverClass:web_farm_iis:app:web_farm_iis]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I know the two stanzas are different. I did this while troubleshooting. I have a global stanza that points the repository location to $SPLUNK_HOME/etc/deployment-apps.
I confirmed that the forwarder is receiving the configuration file and the contents of the inputs.conf match.
I am using Splunk 6.3.3, single Splunk server.

0 Karma

lguinn2
Legend

The deployment apps in SPLUNK_HOME/etc/deployment-apps/ must follow the standards for Splunk apps. That means that they must have the subdirectory structure with default, meta and local subdirectories at a minimum, and they should also contain app.conf and default.meta files.

Because your app (web_farm_iis) does not have the correct structure, Splunk does not "see" the inputs.conf file.

Also see App creation and deployment

0 Karma
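The answer above describes the layout a deployment app needs before Splunk will read its inputs.conf. The script below is an added example (not code from the thread or from Splunk) that scaffolds that layout, verifies it, and then parses the two monitor stanzas from the question to report what an administrator would want to know before deploying: whether each monitored path is a UNC share (so the forwarder's service account needs read access on it, and write access to $SPLUNK_HOME/var for the fishbucket rather than local admin rights), and whether whitelist/blacklist values compile as regular expressions, since Splunk interprets those keys as regexes rather than file globs. The directory names default/, local/ and metadata/default.meta, the minimal app.conf and default.meta contents, and the sample inputs.conf are assumptions drawn from general Splunk practice and from the question, not from the thread's own files.

```python
"""Scaffold, validate and lint a Splunk deployment app (added example, not the thread's code)."""
import configparser
import re
import tempfile
from pathlib import Path

# Conventional Splunk app layout (assumed from general Splunk practice).
REQUIRED_DIRS = ("default", "local", "metadata")
REQUIRED_FILES = ("default/app.conf", "metadata/default.meta")

# Minimal contents that make the app recognisable (assumed, not from the thread).
MINIMAL_APP_CONF = "[install]\nstate = enabled\n\n[ui]\nis_visible = false\n"
MINIMAL_DEFAULT_META = "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n"

# Constructed inputs.conf mirroring the two stanzas in the question.
SAMPLE_INPUTS_CONF = r"""
[monitor://\\host01.domain.suffix\logs\folder01.uis.kent.edu\W3SVC2\*.txt]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis

[monitor://\\host02.domain.suffix\logs\folder02.uis.kent.edu\W3SVC2]
disabled = false
recursive = false
index = web_farm_logs
sourcetype = iis
whitelist = *.txt
"""


def check_app_layout(app_dir: Path) -> list[str]:
    """Return layout problems; an empty list means the app has the expected structure."""
    problems = []
    for d in REQUIRED_DIRS:
        if not (app_dir / d).is_dir():
            problems.append(f"missing directory {d}/")
    for f in REQUIRED_FILES:
        if not (app_dir / f).is_file():
            problems.append(f"missing file {f}")
    return problems


def scaffold_app(app_dir: Path, inputs_conf: str) -> Path:
    """Create the minimal layout, placing inputs.conf under local/, and return app_dir."""
    for d in REQUIRED_DIRS:
        (app_dir / d).mkdir(parents=True, exist_ok=True)
    (app_dir / "default" / "app.conf").write_text(MINIMAL_APP_CONF)
    (app_dir / "metadata" / "default.meta").write_text(MINIMAL_DEFAULT_META)
    (app_dir / "local" / "inputs.conf").write_text(inputs_conf)
    return app_dir


def parse_inputs_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse Splunk .conf syntax: INI-like, '=' separators, '#' comments, case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_monitor_stanzas(stanzas: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Return findings per monitor:// stanza (empty list = nothing to flag)."""
    findings = {}
    for name, keys in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        notes = []
        path = name[len("monitor://"):]
        if path.startswith("\\\\"):
            # Remote share: the forwarder service account needs read access to it.
            notes.append("UNC path: forwarder service account needs read access on the share")
        if keys.get("disabled", "false").lower() not in ("false", "0"):
            notes.append("stanza is disabled")
        for key in ("whitelist", "blacklist"):
            if key in keys:
                try:
                    re.compile(keys[key])  # Splunk evaluates whitelist/blacklist as regexes
                except re.error as exc:
                    notes.append(f"{key} is not a valid regex ({exc}); for .txt files use \\.txt$")
        findings[name] = notes
    return findings


def run_demo() -> tuple[list[str], list[str], dict[str, list[str]]]:
    """Scaffold the sample app in a temp dir; return (problems of a bare dir, problems of the app, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        bare_problems = check_app_layout(Path(tmp) / "bare_app")
        app = scaffold_app(Path(tmp) / "web_farm_iis", SAMPLE_INPUTS_CONF)
        app_problems = check_app_layout(app)
        stanzas = parse_inputs_conf((app / "local" / "inputs.conf").read_text())
        return bare_problems, app_problems, check_monitor_stanzas(stanzas)


if __name__ == "__main__":
    bare, ok, findings = run_demo()
    print("bare directory problems:", bare)
    print("scaffolded app problems:", ok or "none")
    for name, notes in findings.items():
        print(name, "->", notes or ["ok"])
```

Run it as-is to see the two stanzas from the question evaluated: the first passes apart from the UNC note, while the second's `whitelist = *.txt` is rejected because a leading `*` has nothing to repeat in a regex.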

seanbarbour
New Member

I copied the logs to the server that the forwarder is installed on and added a new stanza to index the files that were copied to C:\logs\serverName and the logs were picked up by the forwarder and sent to the indexer.

I have other deployment apps that work on the local directory with inputs.conf.

I still added the directories you suggested and it did not resolve the issue. The directories were created on the forwarder after I reloaded the server class.

0 Karma

seanbarbour
New Member

I submitted a support ticket to see if there is a way to resolve this issue.

0 Karma