
Forums: SplunkAdministration: Forwarder in 4.0.6 isn't sending IIS log file data




Hi all,
I just upgraded a forwarder from 4.0.3 to 4.0.6 on our Windows 2003 Server which forwards to our main Splunk installation on CentOS. After my upgrade, logs generated by our applications still work, but I'm unable to properly get the IIS log data. If I run the following command:

splunk list monitor

Splunk gives me this in its list.


C:\logs\IIS
C:\logs\IIS\SpidertracksServices.log
C:\logs\IIS\W3SVC1685745781\ex091116.log
C:\logs\IIS\W3SVC1685745781\ex091117.log
C:\logs\IIS\W3SVC20923614\ex091116.log
C:\logs\IIS\W3SVC20923614\ex091117.log

As you can see, it's trying to monitor the logs, but I'm unable to see any data in our server (CentOS) from midnight on. I've tried configuring the input with alwaysOpenFile, but this doesn't seem to help my issue, only increase my CPU usage when Splunk starts.


[monitor://C:\logs\IIS]
disabled = false
host = Production-Web-Auckland
index = default
alwaysOpenFile = 1

Any ideas what's going wrong? I'm receiving all other data, including WMI from the forwarder, just not those logs. They appear in the source list if I search for source="*ex091117*", I just don't have any data for them.

Thanks,
Todd

So, to answer my own question, IIS is logging the timestamp in the UTC timezone. Now that I've figured this out, I'll want splunk to record the events in the same timezone our Splunk Server (CentOS at UTC +13) uses. How can I configure my sourcetype of "iis" to change the timezone from UTC to the server time? I've tried adding the following in /system/local/props.conf on my CentOS machine (the one that actually indexes data), but this doesn't seem to work.

#   Copyright (C) 2005-2009 Splunk Inc. All Rights Reserved. Version 4.0
#   DO NOT EDIT THIS FILE!
#   Please make all changes to files in $SPLUNK_HOME/etc/system/local.
#   To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
#   into ../local and edit there.
#
#   This file contains possible attribute/value pairs for configuring
#   Splunk's processing properties.
#

[sourcetype:iis]
TZ=Etc/UTC

Thanks,
Todd

You need to use:

[iis]
TZ=UTC

(the timezone name is fine, but sourcetype clauses don't use [sourcetype])

Also, if your forwarder is not a Light Forwarder, you need to put that in the props.conf of the forwarder. If it's a Light Forwarder, it goes on the indexer. It's fine to have it in both places.

Hmmm. I'm having the same problem, a light forwarder sending IIS6 logs where the timestamp in the log is in UTC.

The documentation on applying timezones is NOT very clear at all, IMHO. It doesn't make it clear, for example, that this needs to go into props.conf instead of inputs.conf, and it doesn't make it clear that it needs to occur on the receiver instead of the light forwarder.

Thanks to you both for this post.

Dang. Still didn't help. I tried putting several things into local/inputs.conf on the receiver:

[source::...\httperr*.log]
TZ = GMT+0

[source::...\W3SVC1\ex*.log]
TZ = GMT+0

[iis-2]
TZ = GMT+0

None of those has helped -- an event logged NOW will show up in splunk five hours into the future.

I have heard the same thing from a customer recently, I will file a bug and would encourage you to email support at splunk d0t com to open a case as well.

I *think* but am not sure that backslashes in the "source" headers need to be escaped with a backslash, and I know the paths are case-sensitive. Can you try:

[source::(?i)...ex*.log]
TZ = GMT+0

((?i) says to match it case-insensitive, though I do think the IIS file names are lower-case, and I've just left off the backslashes to avoid the issue)

or you could try:

[source::(?i)...\\W3SVC\\ex*.log]
TZ = GMT+0
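The thread's underlying problem is that IIS writes its W3C extended log timestamps in UTC, and without a TZ setting for the iis sourcetype in props.conf the indexer reads those digits as its own local time. The following is an added example, not code from the thread or from Splunk: it parses constructed IIS W3C log lines using their #Fields header and measures the skew produced by the misreading, which comes out to the five hours into the future reported above for a UTC-5 indexer and thirteen hours into the past for the UTC+13 indexer of the original poster.

```python
"""Added example (not from the thread): parse IIS W3C extended log lines,
read their timestamps as UTC the way IIS writes them, and measure the skew
that results when the same digits are taken as the indexer's local time,
which is what happens when props.conf carries no TZ for the iis sourcetype."""
from datetime import datetime, timedelta, timezone

# Constructed sample log; IIS records date and time in UTC.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-17 17:00:01
#Fields: date time s-ip cs-method cs-uri-stem sc-status
2009-11-17 17:00:01 10.0.0.5 GET /default.htm 200
2009-11-17 17:02:30 10.0.0.5 GET /images/logo.gif 304
"""

def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header names the columns
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields header")
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"column count mismatch: {line!r}")
            records.append(dict(zip(fields, values)))
    return records

def _naive(rec):
    return datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")

def event_time_utc(rec):
    """Correct reading: the digits are UTC (what TZ = UTC in props.conf tells Splunk)."""
    return _naive(rec).replace(tzinfo=timezone.utc)

def event_time_misread(rec, indexer_offset_hours):
    """Wrong reading: the digits taken as wall-clock time in the indexer's own zone."""
    return _naive(rec).replace(tzinfo=timezone(timedelta(hours=indexer_offset_hours)))

def skew_hours(rec, indexer_offset_hours):
    """Hours the misread event lands in the future (positive) or the past (negative)."""
    delta = event_time_misread(rec, indexer_offset_hours) - event_time_utc(rec)
    return delta / timedelta(hours=1)

if __name__ == "__main__":
    for rec in parse_w3c(SAMPLE_LOG):
        print(rec["time"], "UTC-5 indexer:", skew_hours(rec, -5), "h;",
              "UTC+13 indexer:", skew_hours(rec, 13), "h")
```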