Forums: SplunkAdministration: Trying to index IIS log files, having some issues




Hi, I'm sure this is my own ignorance, but I haven't been able to find an explanation in the documentation or in some brief searches here on the forums.

I've set up a free version of Splunk on a Windows VM. I've successfully added data sources from my Juniper firewall syslog, as well as my Barracuda spam firewall. I'm trying to analyze some IIS logs, just to get a feel for the product.

I've tried adding an input via the following method: Data inputs --> files and directories.

No matter what I input, I get "File path does not exist" when I hit submit. I've mapped a drive to the network share as Z. So, in theory this should work: I just put Z:\ in the 'Full path on server' field and leave everything else as is. However, that doesn't work. I've also tried changing the 'fully qualified domain name or IP address' field to the web server, and putting the local path (i.e. d:\weblogs) in the 'full path on server' field.

Anyway, it must be something simple I am doing wrong, can anyone help me? Thanks.

Same problem here...

Hi, Splunk needs to be running as a domain user, and that user needs to have access to the box. Then you should be able to access the log via a CIFS or UNC path,

i.e. \\remotehost\c$\windows\system32\logs

Hope this helps.

But if I've mapped a drive on the Splunk server, then it shouldn't matter, as I've already authenticated in order to create the network share. As far as the Splunk server is concerned, the Z: drive is a local drive, and that should be it, shouldn't it?

http://splunk.com/doc/3.3/releasenotes/KnownIssues#Windowsspecificconsiderationsandknownissues

Specifying mapped paths that include drive letters (such as C:\) is not supported. To work around this, use a full UNC path to the network resource (in the form \\servername\full\path\to\resource). Splunk must be running as a user with Admin privileges on the network. (SPL-11690)
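The workaround in the known-issue note above can be checked mechanically before touching the Splunk UI. The following PowerShell script is an added example, not code from this thread or from Splunk: it resolves a mapped-drive path to the UNC path behind it, reports which account the Splunk service runs as, and prints an inputs.conf monitor stanza that uses the UNC path instead of the drive letter. The service name Splunkd, the sample path Z:\weblogs and the share name it resolves to are assumptions for illustration.

```powershell
# Added example: turn a mapped-drive path into the UNC path a service account
# can actually open, and show why the drive letter alone does not work.
# Assumptions: PowerShell 3 or later, Splunk's Windows service is named
# "Splunkd", and Z:\weblogs is a constructed sample path for this example.

param(
    [string]$MappedPath = 'Z:\weblogs'
)

function Convert-MappedPathToUnc {
    param([Parameter(Mandatory)][string]$Path)

    if ($Path -notmatch '^(?<drive>[A-Za-z]):(?<rest>.*)$') {
        throw "Expected a drive-letter path such as Z:\weblogs, got '$Path'"
    }
    $drive = $Matches.drive.ToUpper() + ':'
    $rest  = $Matches.rest

    # Mapped drives belong to the logon session that created them. A service
    # running as a different account never sees them, which is why a path
    # like Z:\ fails with "File path does not exist" for splunkd.
    $mapping = Get-CimInstance Win32_MappedLogicalDisk -Filter "DeviceID='$drive'"
    if (-not $mapping) {
        throw "$drive is not a mapped network drive in this session"
    }

    # ProviderName is the share root, e.g. \\webserver\weblogs
    return ($mapping.ProviderName.TrimEnd('\') + $rest)
}

function Get-SplunkServiceAccount {
    # Service name "Splunkd" is an assumption; adjust if your install differs.
    $svc = Get-CimInstance Win32_Service -Filter "Name='Splunkd'"
    if ($svc) { return $svc.StartName }
    return $null
}

$unc = Convert-MappedPathToUnc -Path $MappedPath
Write-Host "Mapped path : $MappedPath"
Write-Host "UNC path    : $unc"

$account = Get-SplunkServiceAccount
if ($account) {
    Write-Host "Splunkd runs as: $account"
    $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    if ($account -in $builtIn) {
        # On a host that is not domain-joined these accounts cannot present
        # usable credentials to a remote share; the note above requires a
        # domain user with rights on the network.
        Write-Warning "Built-in service account; run splunkd as a domain user with read access to $unc."
    }
} else {
    Write-Warning "No Splunkd service found on this host."
}

# Test-Path runs as the interactive user, not the service account, so a
# success here only proves the UNC path is well-formed and reachable.
if (Test-Path -LiteralPath $unc) {
    Write-Host "Reachable as $env:USERNAME"
} else {
    Write-Warning "$unc is not reachable as $env:USERNAME"
}

# inputs.conf stanza that uses the UNC path rather than the drive letter.
@"
[monitor://$unc]
sourcetype = iis
disabled = false
"@
```

Run it from the session that created the Z: mapping, e.g. `.\Resolve-SplunkMonitorPath.ps1 -MappedPath 'Z:\weblogs'`; the emitted stanza can be pasted into inputs.conf, but the share still has to be readable by whatever account splunkd starts under, which the script reports but cannot fix.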

Okay, well that rules out Splunk for me then. Most of my servers are not on a domain, and many of them have different admin passwords. If you ever add the ability to specify different credentials for different sources, that would be sweet. Thanks for the prompt reply, I appreciate it.

There are different ways to approach this.
If the machines are not on the same domain, you could do the following:

1) Load the free version of Splunk on the IIS servers and make them lightweight forwarders. You can have it read the files locally and send them to the central index server (the downside of this is that you need to purchase a license for the central index server instead of using the free license).

2) You could FTP them to the central index server and have them read and imported locally.

3) Use the free SNARE agent to see if you can syslog the files over...

I haven't run Snare on an IIS server; does it support them?
But if you are just testing, dump the logs manually into Splunk to populate it and get a feel for it. Just imagine the real-time scenario with Pro, where as soon as an event happens it is searchable in Splunk.
But I am with you; I wish the lightweight forwarder were released as a crippled free version, like the Snare agent.
