IIS Logs Not Being Collected

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Locked
cpatterson1
Posts: 23
Joined: Tue Dec 01, 2015 8:41 am

IIS Logs Not Being Collected

Post by cpatterson1 »

I have started trying to gather IIS logs. I followed the instructions as laid out in the +Log Source of the application. The server I am attempting to do this with is working for sys and event logs. So I added the following to the logs:

# Watch your IIS log files
<Input our_iis_site>
    Module   im_file
    File     'C:\inetpub\logs\LogFiles\W3SVC2\u_ex*.log'
    SavePos  TRUE
    Exec     $Message = $raw_event;
</Input>

The path is correct to the site's logs and the site is actively logging in extended mode (logs are u_ex in name).

When added to my Route 1 portion, I now have:

<Route 1>
    Path internal, file1, eventlog, our_iis_site => out
</Route>

We have tried the following:
Restarting the nxlog service
Restarting the server
Setting the log path directly to a specific file
Restarting the Nagios Log Server

The sys and event logs are still populating as expected but no IIS logs are being imported. The log file for nxlog shows it connecting without any errors.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: IIS Logs Not Being Collected

Post by hsmith »

Can you run a tcpdump and see if they are coming in?
Former Nagios Employee.
me.
cpatterson1
Posts: 23
Joined: Tue Dec 01, 2015 8:41 am

Re: IIS Logs Not Being Collected

Post by cpatterson1 »

I can see the server is connecting after I create these logs via tcpdump. So they're getting there but not displaying.
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: IIS Logs Not Being Collected

Post by jolson »

I'd like you to verify a few things.

First, what port are you sending your logs to? The default 3515?

Run the following on Nagios Log Server:

netstat -na | grep 3515
cat /usr/local/nagioslogserver/logstash/etc/conf.d/*

Try running tcpdump with the '-X' flag, it should give you verbose output. Do you see the IIS logs coming at this point?
Twits Blog
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
cpatterson1
Posts: 23
Joined: Tue Dec 01, 2015 8:41 am

Re: IIS Logs Not Being Collected

Post by cpatterson1 »

We ended up figuring this out. We ended up pushing the port for this to 5142 and adding that on the input side. Then we opened the port on the boxes and were able to start receiving IIS logs.
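
Added example, not part of the original thread: a small probe, run from the sending host, that mirrors the netstat and tcpdump checks above by telling apart a port with no listener from one blocked by a firewall. The hostname, the `type` and `marker` field names, and the sample log line are assumptions constructed for illustration.

```python
import json
import socket
import uuid


def build_test_event(marker):
    """One newline-terminated JSON event shaped like a W3C extended IIS line."""
    # Constructed sample line, not taken from a real server.
    line = "2016-01-05 14:02:11 10.0.0.5 GET /health - 80 - 10.0.0.9 probe 200 0 0 15"
    event = {"message": line, "type": "iis_probe", "marker": marker}
    return (json.dumps(event) + "\n").encode()


def probe_input(host, port, timeout=3.0):
    """Send one marked event to a TCP input and classify the outcome.

    'sent'    -> connection accepted and the event was written
    'refused' -> host reachable, but nothing is listening on that port
    'timeout' -> no answer at all, typical of a firewall dropping packets
    """
    marker = uuid.uuid4().hex
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_test_event(marker))
        return "sent", marker
    except ConnectionRefusedError:
        return "refused", marker
    except socket.timeout:
        return "timeout", marker
    except OSError as exc:
        # DNS failures, unreachable networks and similar errors.
        return "error: %s" % exc, marker


if __name__ == "__main__":
    # Assumed host name: replace with your Log Server address.
    for port in (3515, 5142):
        status, marker = probe_input("logserver.example.com", port)
        print(port, status, marker)
```

The marker is a random string, so it is easy to spot in `tcpdump -X` output on the Log Server or to search for in the dashboard once the event has been indexed.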
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: IIS Logs Not Being Collected

Post by jolson »

Glad to hear you got it figured out, what is the difference between your inputs? Just the JSON codec?

With your permission, I'd like to close this thread. Thanks cpatterson!