arkender
Visitor.

IIS Custom Field Rename .log Files, Breaks SmartConnector


Hello, using IIS smart connector 7.1.4 on a Windows 2012 server box collecting IIS logs. I had to add a custom field for collecting the true client IP address and in doing so, Windows appends "_x" to the log file - so "u_ex15121113.log" becomes "u_ex15121113_x.log".


The agent.log file reports "Unable to init parser due to lack of file [D:\inetpub\logs\LogFiles\W3SVC1\U_EX15121113.log], will wait for [5] seconds and retry"


It's obvious it's expecting the old naming format without the "_x" appended, but all my logs have it since adding a custom field.  Does anyone know how to fix this?


Accepted Solutions
vinceg Absent Member.

Re: IIS Custom Field Rename .log Files, Breaks SmartConnector


Is it appropriate to use the Microsoft IIS Multiple Site File SmartConnector?

With this connector you can configure a file specification to look for, and this can contain a wildcard.

foxlin
New Member.

Re: IIS Custom Field Rename .log Files, Breaks SmartConnector


Have you solved it? I have the same problem 

arkender
Visitor.

Re: IIS Custom Field Rename .log Files, Breaks SmartConnector


Thanks Vince, did a reinstall of the connector and selected the multiple file smart connector and it's picking up the new log files.

New problem - my logger is parsing the ad.c-pp column which is the true client IP source address of IIS requests, but once my ESM gets it, it no longer appears in the event base info.  Parsing issue with the ESM - any ideas?

vinceg Absent Member.

Re: IIS Custom Field Rename .log Files, Breaks SmartConnector


Jason,

This isn't an ESM parsing issue - all the parsing is done at the connector level.

What's happening is the connector sees the additional data you've configured to appear in your IIS logs, and puts this in "non-standard" CEF fields. These are referred to as "Additional Data" fields (hence the "ad." prefix).

Depending on how you've got your Logger set up, this will index the data and display it after searches, as you've seen already. I think this is the default behaviour. ESM behaves differently - in order to access any Additional Data fields you must first declare what it is that you're interested in, on a per-connector basis.

Check out the (even though you're dealing with a SmartConnector) for further information - the section "Additional Data Mapping" is what you're after.

On a Console you'll need to select your connector and enter:

- the Device Vendor + Product combination you want the additional mapping to apply to (which in your case will be "Microsoft" and "Internet Information Server" I believe)

- the additional data name ("c-pp" in your scenario)

- the "standard" CEF field you would like ESM to use for this field (if this were me I'd try reusing Source Address as by the sounds of things what's there at the minute is probably less than useful - I think this will then get overwritten by your mapping. Failing that just use a field that isn't populated by the connector).

This whole Additional Data mechanism applies to any connector you deal with - there's often some useful tidbits hidden in there so this is worth being aware of.

HTH

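A pre-check for the two issues in this thread, as an added example that is not part of the original posts or of the SmartConnector itself: it confirms that a wildcard file specification picks up both the plain and the "_x" log names, and that the custom "c-pp" column is present in the `#Fields` header before any Additional Data mapping is configured. The `u_ex*.log` spec, the sample log lines and the assumption that `c-ip` holds a proxy address are constructed for illustration.

```python
import fnmatch

# Constructed sample of an IIS W3C extended log carrying the custom "c-pp"
# field from the thread; all addresses are placeholder values.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2015-12-11 13:00:01
#Fields: date time cs-method cs-uri-stem c-ip sc-status c-pp
2015-12-11 13:00:01 GET /index.html 10.0.0.5 200 203.0.113.7
2015-12-11 13:00:02 GET /login 10.0.0.5 200 198.51.100.23
2015-12-11 13:00:03 GET /health 10.0.0.5 200 -
"""

def matching_logs(names, spec="u_ex*.log"):
    """Return the file names a wildcard file specification would pick up.
    The spec value is an assumption; use whatever your connector is set to."""
    # Compare lower-cased so U_EX... (as seen in agent.log) matches too.
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), spec.lower())]

def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated rows
                yield dict(zip(fields, values))

def true_client_ips(text, custom="c-pp"):
    """Pair c-ip with the custom field; '-' is the W3C empty-value marker."""
    out = []
    for row in parse_w3c(text):
        if custom not in row:
            raise KeyError(f"{custom} missing from #Fields; custom field not logged")
        real = row[custom] if row[custom] != "-" else None
        out.append((row["c-ip"], real))
    return out

if __name__ == "__main__":
    print(matching_logs(["u_ex15121113.log", "u_ex15121113_x.log", "notes.txt"]))
    for proxy, client in true_client_ips(SAMPLE_LOG):
        print(f"c-ip={proxy} c-pp={client}")
```

Rows where `c-pp` comes back as `None` are requests that carried no forwarded address, so a mapping onto Source Address would leave those events without a usable source.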