Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows LightFwdr NOT forwarding IIS logs !?

john_loch
Explorer
‎09-02-2010 06:54 AM

I presently have 4 windows boxes lightforwarding to linux indexer. Forwarder is configured to forward IIS logs, however the forwarder forwards the first line then stops.

The problem is a Windows bug causes the 'modified' timestamp not to change (ie remains same as the creation date) even tho relevant process continues to write to logfile.

This is a known issue, for which a flag existed (alwaysOpenFile = 1) in previous versions. It appears to be no longer supported... SO HOW DO I FORCE THE FORWARDER to continue interrogating the logs ?

I NEED AN ANSWER TO THIS ASAP.

Thanks.

Reply

cnk
Path Finder
‎09-02-2010 03:33 PM

The tailing processor was re-written in 4.1.x (or 4.x.x) and it should now handle Windows IIS logs just fine. I had nothing but problems with 3.4.x forwarders but since upgrading to 4.1.3 everything looks good.

I use 4.1.3 forwarders and the following settings:

inputs.conf

[monitor://C:\WINDOWS\system32\LogFiles\W3SVC1\ex100902.log]
sourcetype=iis
crcSalt=<SOURCE>

props.conf

[iis]
KV_MODE = none
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = GMT
CHECK_FOR_HEADER = False

Yes, I only monitor the log for the current day. I use some cron foo on the deployment server to update inputs.conf shortly after midnight and then reload the deploy server to push the updated bundle to the clients. This was done under 3.4.x to try to help with some lag issues. Now that I'm on 4.1.3 I should really try monitoring to whole folder again.

Reply

john_loch
Explorer
‎09-03-2010 01:48 AM

Oh, I should also point out I am running the 4.1.2 Light Forwarder. and monitoring the W3SVC1 folder. Thanks

0 Karma
Reply

john_loch
Explorer
‎09-03-2010 01:39 AM

This is likely the problem I face. As the update timestamp s not changing when it should, the processor thinks the files haven't changed and all but abandons them. Which lands me back where i began. How do I force the processor to interrogate the logs ?

Thanks

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-02-2010 04:42 PM

On 4.1.x, you should be fine with monitoring the whole folder without trouble. The old processor would check every file for updates, so lots of files (even if they are from previous days) would slow things down a lot. The new monitor will back off of files that have not been updated frequently, and check them less and less frequently, so they don't have significant performance impact as they age.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...