Splunk Enterprise

Why am I unable to see IIS logs from one of the servers that has forwarder installed?

shivamchopra
New Member

Splunk 6.4.3
I am unable to see IIS logs from one of the servers that has forwarder installed.
I have following configuration on the universal forwarder:

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2]
sourcetype=iis
disabled = 0

outputs.conf
[tcpout:default-autolb-group]
server = :9997

Would someone please advise what is the missing configuration?

Labels (2)
0 Karma

bheemireddi
Communicator

are you searching in the right index? you did not specify index name in your inputs.conf, which means you are expecting events in index=main?

If you are sure there is nothing wrong on the forwarder side/path etc. may be try index=* sourcetype=iis
OR may be search for index=* source="inetpub"
May be you do have events, or search in the right place?

0 Karma

shivamchopra
New Member

i am doing below search:
index=* host=XXXX

0 Karma

bheemireddi
Communicator

shivamchopra,

You can always check the splunk logs on the universal forwarder to see if it has watch on that path or if it is actually complaining to read the path.

Make sure you have some events in the log files you are reading.

You mentioned sending to the HF first, make sure it is not indexing locally and in fact forwarding them across.
sometimes we miss the obvious, check if the forwarder is in fact talking to the indexer, check the _internal index for that forwarder host.

0 Karma

shivamchopra
New Member

Yes, i can see in the logs that UF has watch on the that path:

07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1

Yes, events are there in the log file.
HF is not indexing locally, it is just a forwarder. I can see windows logs from the same server on splunk server. just IIS logs are not appearing.

0 Karma

spodda01da
Explorer

Hi Shivam, I have the same issue... did you manage to resolve it ?

0 Karma

johneng89
Loves-to-Learn

Hello there,

I encountered the same issue, did you get to resolve it?

0 Karma

shivamchopra
New Member

when i post the answer on this screen, it automatically removes the backslash before *

0 Karma

gcusello
Legend

to correctly show it use the Code Sample button (button with 101010).

Probably this is a stupid check: did you verified the log path?
because I read that sometimes IIS logs are in different folders as: %SystemDrive%\inetpub\logs\LogFiles or in %SystemDrive%\Windows\System32\LogFiles\HTTPERR or in C:\Windows\System32\LogFiles\W3SVC1.
you can see this in IIS console

Bye.
Giuseppe

0 Karma

shivamchopra
New Member

Yes, i have already verified the path of log file.

0 Karma

gcusello
Legend

try to put the absolute path not using $WINDIR.
Bye.
Giuseppe

0 Karma

shivamchopra
New Member

that doesn't fix even

0 Karma

shivamchopra
New Member

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

0 Karma

shivamchopra
New Member

Sorry - i put blackslash before *, still doesnt work

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

0 Karma

shivamchopra
New Member

Thanks for your response. it still doesn't work.

inputs.conf
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2*.*]
sourcetype=iis
disabled = 0

in outputs.conf - the IP is for heavy forwarder and HF is directing to Indexer.

0 Karma

gcusello
Legend

beware: there must be a backslash before stars

[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]

Bye.
Giuseppe

0 Karma

gcusello
Legend

Hi shivamchopra,
I don't see files in your monitor command

inputs.conf

[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]
sourcetype=iis
disabled = 0

or a limitated set
about outputs.conf I imagine that in your file you have the Indexer IP

outputs.conf

[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...