Splunk Enterprise

Why am I unable to see IIS logs from one of the servers that has forwarder installed?

shivamchopra
New Member

Splunk 6.4.3
I am unable to see IIS logs from one of the servers that has forwarder installed.
I have following configuration on the universal forwarder:

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2]
sourcetype=iis
disabled = 0

outputs.conf
[tcpout:default-autolb-group]
server = :9997

Would someone please advise what is the missing configuration?

Labels (2)
0 Karma

bheemireddi
Communicator

are you searching in the right index? you did not specify index name in your inputs.conf, which means you are expecting events in index=main?

If you are sure there is nothing wrong on the forwarder side/path etc. may be try index=* sourcetype=iis
OR may be search for index=* source="inetpub"
May be you do have events, or search in the right place?

0 Karma

shivamchopra
New Member

i am doing below search:
index=* host=XXXX

0 Karma

bheemireddi
Communicator

shivamchopra,

You can always check the splunk logs on the universal forwarder to see if it has watch on that path or if it is actually complaining to read the path.

Make sure you have some events in the log files you are reading.

You mentioned sending to the HF first, make sure it is not indexing locally and in fact forwarding them across.
sometimes we miss the obvious, check if the forwarder is in fact talking to the indexer, check the _internal index for that forwarder host.

0 Karma

shivamchopra
New Member

Yes, i can see in the logs that UF has watch on the that path:

07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1

Yes, events are there in the log file.
HF is not indexing locally, it is just a forwarder. I can see windows logs from the same server on splunk server. just IIS logs are not appearing.

0 Karma

spodda01da
Path Finder

Hi Shivam, I have the same issue... did you manage to resolve it ?

0 Karma

johneng89
Loves-to-Learn

Hello there,

I encountered the same issue, did you get to resolve it?

0 Karma

shivamchopra
New Member

when i post the answer on this screen, it automatically removes the backslash before *

0 Karma

gcusello
SplunkTrust
SplunkTrust

to correctly show it use the Code Sample button (button with 101010).

Probably this is a stupid check: did you verified the log path?
because I read that sometimes IIS logs are in different folders as: %SystemDrive%\inetpub\logs\LogFiles or in %SystemDrive%\Windows\System32\LogFiles\HTTPERR or in C:\Windows\System32\LogFiles\W3SVC1.
you can see this in IIS console

Bye.
Giuseppe

0 Karma

shivamchopra
New Member

Yes, i have already verified the path of log file.

0 Karma

gcusello
SplunkTrust
SplunkTrust

try to put the absolute path not using $WINDIR.
Bye.
Giuseppe

0 Karma

shivamchopra
New Member

that doesn't fix even

0 Karma

shivamchopra
New Member

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

0 Karma

shivamchopra
New Member

Sorry - i put blackslash before *, still doesnt work

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

0 Karma

shivamchopra
New Member

Thanks for your response. it still doesn't work.

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

in outputs.conf - the IP is for heavy forwarder and HF is directing to Indexer.

0 Karma

gcusello
SplunkTrust
SplunkTrust

beware: there must be a backslash before stars

[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi shivamchopra,
I don't see files in your monitor command

inputs.conf

[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]
sourcetype=iis
disabled = 0

or a limitated set
about outputs.conf I imagine that in your file you have the Indexer IP

outputs.conf

[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...