I am having trouble getting the IIS logs and Message Tracking logs to show up Splunk. I am able getting some Exchange information such as mailbox counts, database statistics and items such as that.
We don't have our logs in the default locations and I have found the files that need to be update, I think.
For the Message Tracking logs, I believe that I need to update the file:
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-2010-HubTransport\default
so that the monitor stanza reads:
[monitor://D:\Logs\MessageTracking]
whitelist=.log$|.LOG$
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false
which is the location of our Message Tracking logs. My question is, do I just update this file or do I need to copy the stanza and insert it into a local file someplace such as:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local
I am experiencing the same thing with my IIS logs. Do I just update the:
C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Windows-2008R2-Exchange-IIS\default\inputs.conf
file in that location or do I need to copy that to another location as well?
I will admit that I am new to Splunk and I don't find the documentation to be overly clear as to what to do so any guidance that can be provided would be greatly appreciated.
Thanks.
... View more