I have a Splunk Standalone instance running at v8.2.10
I have recently installed the Microsoft Add-on for Microsoft IIS (version 1.2.0) on my Splunk server and have also deployed this app to a windows server with IIS installed (and a UF installed). However I seem to be having difficulties getting any logs from this IIS server.
If I do a search on data in this new index (index=windows_iis), it is returning no results. If I look under Settings>indexes, I can see the newly created index, however it has 0 for event count.
These were the basic steps I have followed so far:
I have created a new index for these logs called "windows_iis" - all other settings as default.
Installed the Microsoft Add-on for Microsoft IIS on my Splunk Enterprise instance (combined Search Head/Indexer/deployment server).
I have copied the contents of this add-on to the /opt/splunk/etc/deployment-apps folder
Within the deployment app I have created the following inputs.conf file under the deployment app local directory:
[monitor://C:\inetpub\logs\LogFiles]
disabled=false
sourcetype=ms:iis:auto
index=windows_iis
I have reloaded the deployment server.
I have created a new server class and pushed this app out to the IIS server.
I have gone through and done the following troubleshooting steps:
Looking on the IIS server in c:\program files\splunkuniversalforwarder\var\log\splunk\splunkd.log, I can see:
UF on IIS server is showing connected to my indexer.
The UF has "adding watch on path: C:\inetpub\logs\LogFiles". So the UF is monitoring the IIS log files.
I am also getting some INFO messages - "ChunkedLBProcessor Failed to find EVENT_BREAKER regex in props.conf for sourcetype: ms:iis:auto. Reverting to the default EVENT_BREAKER regex for now". Not sure how relevant these are? I think my problem might be more fundamental?
If I do a search on my Splunk Enterprise instance as follows: index=_internal host="IIS_Server01" component=Metrics group=per_sourcetype_thruput series="ms:iis:auto", I can see events being sent from the UF on the IIS server (e.g. kbps=0.557, eps=3.3, kb=33, ev=202).
I can actually see logs in C:\inetpub\logs\LogFiles\W3SVC1 folder on the IIS server, so there is data there to collect.
Does the modified local/inputs.conf need to also be configured on the Splunk Enterprise server app or is this inputs.conf configuration only needed on the UF deployment app (which is what I have done)?
Any thoughts on why these events aren't being ingested by my Splunk Enterprise server would be greatly appreciated.
Thanks,
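The checks described in the post (watch on the log path, UF connected to the indexer, the deployed inputs.conf stanza) can be gathered in one pass on the forwarder host. The script below is an added example and is not part of the original post or of the Splunk add-on; it assumes the default Universal Forwarder install path in $SplunkHome and that the deployed app's inputs.conf lives under etc\apps\<app>\local (the app name is not given in the post, so it is matched with a wildcard). It uses only standard splunk.exe subcommands (btool, list forward-server, list inputstatus); `list inputstatus` prompts for the UF admin credentials.

```powershell
# Added troubleshooting example for a UF feeding IIS logs to Splunk (not from the original post).
# Run in an elevated PowerShell session on the IIS server.
# Assumption: default UF install location.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$IisLogRoot = 'C:\inetpub\logs\LogFiles'

# 1. Which deployed app carries the monitor stanza, and what does it say?
#    (wildcard because the deployment app name is not known here)
Get-ChildItem -Path (Join-Path $SplunkHome 'etc\apps\*\local\inputs.conf') -ErrorAction SilentlyContinue |
    Select-String -Pattern 'windows_iis|ms:iis:auto|LogFiles' |
    ForEach-Object { "{0}:{1}: {2}" -f $_.Path, $_.LineNumber, $_.Line }

# 2. Effective configuration after all apps are layered: confirms index and
#    sourcetype survived and shows the file each setting was read from.
& $Splunk btool inputs list "monitor://$IisLogRoot" --debug

# 3. Forwarder-to-indexer connectivity as the UF itself reports it.
& $Splunk list forward-server

# 4. Per-file tailing status (position/percent for each W3SVC1 file).
& $Splunk list inputstatus

# 5. Recent watch, warning and error lines from splunkd.log.
$SplunkdLog = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $SplunkdLog -Pattern 'adding watch on path|WARN |ERROR ' |
    Select-Object -Last 40 |
    ForEach-Object { $_.Line }

# 6. Is there actually fresh data on disk to read?
Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 FullName, Length, LastWriteTime
```

Step 2 is the one to read most carefully: btool prints the stanza as the forwarder resolved it, so a missing or overridden `index`/`sourcetype` line, or a stanza coming from an unexpected app directory, shows up there even when splunkd.log reports the watch as added.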