I have a Splunk Standalone instance running at v8.2.10. I have recently installed the Microsoft Add-on for Microsoft IIS (version 1.2.0) on my Splunk server and have also deployed this app to a Windows server with IIS installed (and a UF installed). However, I seem to be having difficulties getting any logs from this IIS server.

If I do a search on data in this new index (index=windows_iis), it is returning no results. If I look under Settings>indexes, I can see the newly created index, however it has 0 for event count.

These were the basic steps I have followed so far:

- I have created a new index for these logs called "windows_iis" - all other settings as default.
- Installed the Microsoft Add-on for Microsoft IIS on my Splunk Enterprise instance (combined Search Head/Indexer/deployment server).
- I have copied the contents of this add-on to the /opt/splunk/etc/deployment-apps folder.
- Within the deployment app I have created the following nf file under the deployment app local directory:
- I have created a new server class and pushed this app out to the IIS server.

I have gone through and done the following troubleshooting steps:

- Looking on the IIS server in c:\program files\splunkuniversalforwarder\var\log\splunk\splunkd.log, I can see:
  - UF on IIS server is showing connected to my indexer.
  - The UF has "adding watch on path: C:\inetpub\logs\LogFiles". So the UF is monitoring the IIS log files.
  - I am also getting some INFO messages - "ChunkedLBProcessor Failed to find EVENT_BREAKER regex in nf for sourcetype: ms:iis:auto. Reverting to the default EVENT_BREAKER regex for now". Not sure how relevant these are? I think my problem might be more fundamental?
- If I do a search on my Splunk Enterprise instance as follows: "index=_internal host="IIS_Server01" component=Metrics group=per_sourcetype_thruput series="ms:iis:auto"", I can see events being sent from the UF on the IIS server (e.g. kbps=0.557, eps=3.3, kb=33, ev=202).
- I can actually see logs in the C:\inetpub\logs\LogFiles\W3SVC1 folder on the IIS server, so there is data there to collect.

Does the modified local/nf need to also be configured on the Splunk Enterprise server app, or is this nf configuration only needed on the UF deployment app (which is what I have done)?

Any thoughts on why these events aren't being ingested by my Splunk Enterprise server would be greatly appreciated.