I am unable to see IIS logs from one of the servers that has a forwarder installed.
I have the following configuration on the universal forwarder:
inputs.conf:
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2]
sourcetype = iis
disabled = 0

outputs.conf:
[tcpout:default-autolb-group]
server = :9997
Would someone please advise what the missing configuration is?
Are you searching in the right index? You did not specify an index name in your inputs.conf, which means you are expecting events in index=main?
If you are sure there is nothing wrong on the forwarder side/path etc., maybe try index=* sourcetype=iis
Or maybe search for index=* source="inetpub"
Maybe you do have events, but are not searching in the right place?
You can always check the Splunk logs on the universal forwarder to see if it has a watch on that path, or if it is actually complaining about reading the path.
Make sure you have some events in the log files you are reading.
You mentioned sending to the HF first; make sure it is not indexing locally and is in fact forwarding them across.
Sometimes we miss the obvious: check if the forwarder is in fact talking to the indexer; check the _internal index for that forwarder host.
Yes, I can see in the logs that the UF has a watch on that path:
07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1
Yes, events are there in the log file.
The HF is not indexing locally; it is just a forwarder. I can see Windows logs from the same server on the Splunk server; just the IIS logs are not appearing.
To show it correctly, use the Code Sample button (the button with 101010).
Probably this is a stupid check: did you verify the log path?
Because I read that sometimes IIS logs are in different folders, such as:
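To make the checks from the first answer repeatable, here is an added example script; it is not from the thread and not a Splunk tool. It parses the [monitor://] stanza as posted, expands $WINDIR the way the forwarder does (using an assumed environment map so it runs off the box), and compares the result with splunkd.log lines in the format of the "Adding watch on path" line quoted above. Run against the thread's own values it reports three things: no index is set, so events would land in the default index (index=* sourcetype=iis finds them if they exist); the stanza names W3SVC2 while the posted watch line is for W3SVC1; and $WINDIR expands to C:\Windows, so the watched directory is under C:\Windows\inetpub, not the %SystemDrive%\inetpub\logs\LogFiles location mentioned later in the thread. The WARN and TcpOutputProc lines in the sample log are constructed to illustrate a path error and a healthy indexer connection; the IP in them is made up.

```python
"""Cross-check [monitor://] stanzas against what splunkd.log says the forwarder
is watching. Added example for this thread, not Splunk's own tooling."""
import re
from pathlib import PureWindowsPath

# Constructed inputs.conf: the stanza as posted in the question.
INPUTS_CONF = r"""
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2]
sourcetype = iis
disabled = 0
"""

# Constructed splunkd.log excerpt. The first line is the one quoted in the thread;
# the WARN and TcpOutputProc lines are made up here to show what a path problem
# and a healthy indexer connection look like.
SPLUNKD_LOG = r"""
07-26-2017 04:07:06.194 -0400 INFO TailingProcessor - Adding watch on path: C:\Windows\inetpub\logs\LogFiles\W3SVC1
07-26-2017 04:07:06.201 -0400 WARN FilesystemChangeWatcher - error getting attributes of path "C:\Windows\inetpub\logs\LogFiles\W3SVC2": The system cannot find the path specified.
07-26-2017 04:07:07.005 -0400 INFO TcpOutputProc - Connected to idx=10.0.0.5:9997
"""

# Assumed environment of the forwarder host (constructed, so the script runs anywhere).
ENV = {"WINDIR": r"C:\Windows", "SystemDrive": "C:"}

STANZA_RE = re.compile(r"^\[monitor://(.+?)\]\s*$")
WATCH_RE = re.compile(r"TailingProcessor - Adding watch on path: (.+?)\s*$")
PROBLEM_RE = re.compile(r'\b(?:WARN|ERROR)\b.*?path "?([A-Za-z]:\\[^":]+)')


def expand_env(path, env):
    """Expand $NAME and %NAME% tokens as Splunk does in Windows monitor paths."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"\$(\w+)|%(\w+)%",
                  lambda m: upper.get((m.group(1) or m.group(2)).upper(), m.group(0)),
                  path)


def _norm(path):
    """Case-insensitive, separator-normalised form for comparing Windows paths."""
    return str(PureWindowsPath(path)).lower()


def parse_monitor_stanzas(conf_text, env):
    """Return one dict per [monitor://...] stanza with its path expanded."""
    stanzas, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = {"path": expand_env(m.group(1), env), "sourcetype": None,
                       "index": None, "disabled": False}
            stanzas.append(current)
        elif line.startswith("["):
            current = None  # some other stanza type; its keys are not ours
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "disabled":
                current["disabled"] = val.lower() in ("1", "true")
            elif key in ("sourcetype", "index"):
                current[key] = val
    return stanzas


def parse_splunkd(log_text):
    """Collect watched paths and the WARN/ERROR line (if any) for each path."""
    watched, problems = set(), {}
    for line in log_text.splitlines():
        m = WATCH_RE.search(line)
        if m:
            watched.add(_norm(m.group(1)))
            continue
        m = PROBLEM_RE.search(line)
        if m:
            problems[_norm(m.group(1))] = line.strip()
    return watched, problems


def diagnose(stanzas, watched, problems):
    """One finding per thing the thread's answers tell you to check."""
    findings = []
    for s in stanzas:
        p = _norm(s["path"])
        if s["disabled"]:
            findings.append(f"{s['path']}: stanza is disabled")
            continue
        if s["index"] is None:
            findings.append(f"{s['path']}: no index set, events go to the default "
                            f"index (usually main); try index=* sourcetype={s['sourcetype']}")
        if p in problems:
            findings.append(f"{s['path']}: forwarder complained: {problems[p]}")
        if p not in watched:
            parent = PureWindowsPath(p).parent
            siblings = [w for w in watched if PureWindowsPath(w).parent == parent]
            hint = f"; a watch exists on sibling {siblings[0]}" if siblings else ""
            findings.append(f"{s['path']}: no 'Adding watch on path' line{hint}")
    return findings


if __name__ == "__main__":
    stanzas = parse_monitor_stanzas(INPUTS_CONF, ENV)
    watched, problems = parse_splunkd(SPLUNKD_LOG)
    for finding in diagnose(stanzas, watched, problems):
        print(finding)
```

On a real forwarder you would feed it the output of `splunk btool inputs list --debug` and the tail of `$SPLUNK_HOME\var\log\splunk\splunkd.log`; the environment map is only there so the comparison works without running on the Windows host itself.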
%SystemDrive%\inetpub\logs\LogFiles or in
%SystemDrive%\Windows\System32\LogFiles\HTTPERR or in
You can see this in the IIS console.
Thanks for your response. It still doesn't work.
disabled = 0
In outputs.conf, the IP is for the heavy forwarder, and the HF is directing to the indexer.
I don't see files in your monitor command:
[monitor://$WINDIR\inetpub\logs\LogFiles\W3SVC2\*.*]
sourcetype = iis
disabled = 0
or a limited set.
About outputs.conf, I imagine that in your file you have the indexer IP:
[tcpout:default-autolb-group]
server = xxx.xxx.xxx.xxx:9997