Trying to setup the Universal Forwarder on the Web Server to forward IIS logs to SPLUNK.
The Windows Event log ARE forwarding correctly. My IIS logs are NOT stored in the default location so I'm trying to figure out the correct stanza to use.
My actual IIS log directoiry structure is
E:\weblogs\w3svc1\*.log
E:\weblogs\w3svc2\*.log
E:\weblogs\w3svc3\*.log
Etc... multiple web sites
I tried the following Stanzas neither have seemed to work
[monitor://E:\weblogs\\*\\*.log]
disabled = 0
[monitor://E:\weblogs\\...\\*.log]
disabled = 0
I even tried tho log just a single site
[monitor://E:\weblogs\\w3svc1\\*.log]
disabled = 0
I restart splunk forwarded after changing the path
If I run 'splunk list monitor' I get for all stanzas
E:\weblogs\*.log
No logs are being imported that I can tell
Appreciate any assistsnce anyone can provide.
-MARK-
↧