Absent Member.

IIS File Connector Help Required

Hi Guys,

I'm stuck while installing Microsoft IIS file connector.

Everything seems fine to me... All the usernames, privileges, Log file is shared with full control.

I don't understand what the problem is.

I'm sharing agent.log and relevant files please help me out.

"Unable to init parser due to lack of file" is the error...

0 Likes
Absent Member.

Did you first set up a CIFS mount yet? When you do, point to the

/opt/mnt/any_name_you_give_it_when_Setting_up_the_Cif_mount/w3svc1/ directory inside of the connector config.

Tracking?

0 Likes

Firstly, the connector framework expects this file "w3svc1" to be created...which you have...

but during the setup, the path to specify should be one directory above the "w3svc1" folder you have created. This applies to the connector appliance as well.

Example: Let's say I create a folder in the C:\ drive named "my_event_folder" and create another folder inside this folder named "w3svc1".

Instead of specifying==> \\123.123.221.123\w3svc1\EX120811.log

The correct method should be

\\123.123.221.123\my_event_folder\

For CIFS it will be on the /opt/mnt/my_event_folder path.

The framework will automatically pick up the logs.

I hope this helps

Michael

0 Likes
Absent Member.

Michael, thanks for your help, but it does not work.

I see this event repeated again and again on the agent logs: [2012-08-14 08:28:04,682][INFO ][default.com.arcsight.agent.nc.l][run] 0 files processed

This is my agent configuration file:

#ArcSight Properties File

#Tue Aug 14 07:49:04 CEST 2012

action.execute.shell.command.enabled=false

agents.maxAgents=1

agents[0].AgentSequenceNumber=0

agents[0].destination.count=2

agents[0].destination[0].agentid=3eUWuHzkBABD9-d4IPbeyUw\=\=

agents[0].destination[0].failover.count=0

agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n    <Parameter Name\="host" Value\="esm"/>\n    <Parameter Name\="port" Value\="8443"/>\n    <Parameter Name\="aupmaster" Value\="false"/>\n    <Parameter Name\="filterevents" Value\="false"/>\n    <Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n

agents[0].destination[0].type=http

agents[0].destination[1].agentid=qwabIzkBABCAMgjM6445zw\=\=

agents[0].destination[1].failover.count=0

agents[0].destination[1].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n    <Parameter Name\="host" Value\="esm"/>\n    <Parameter Name\="port" Value\="443"/>\n    <Parameter Name\="rcvrname" Value\="esm-manager_smartmessage"/>\n    <Parameter Name\="compression" Value\="Disabled"/>\n</ParameterValues>\n

agents[0].destination[1].type=loggersecure

agents[0].deviceconnectionalertinterval=60000

agents[0].enabled=true

agents[0].entityid=j56vHzkBABCAAvZ8Fjng7g\=\=

agents[0].fcp.version=0

agents[0].foldertable.count=1

agents[0].foldertable[0].badsubfolder=bad

agents[0].foldertable[0].configfile=iis/iis_file

agents[0].foldertable[0].configfolder=config/agent/oldsdk/

agents[0].foldertable[0].configtype=sdkfilereader

agents[0].foldertable[0].delay=10000

agents[0].foldertable[0].encoding=

agents[0].foldertable[0].extractfieldnames=

agents[0].foldertable[0].extractregex=

agents[0].foldertable[0].extractsource=File Name

agents[0].foldertable[0].fixedlinelength=-1

agents[0].foldertable[0].fixedlinelengthcontains=Fixed Number Of Characters

agents[0].foldertable[0].folder=/opt/mnt/ftp_iis_logs

agents[0].foldertable[0].followexternalrotation=false

agents[0].foldertable[0].ignoredwebsites=

agents[0].foldertable[0].latestlogonly=false

agents[0].foldertable[0].maxretries=-1

agents[0].foldertable[0].minfilelenght=-1

agents[0].foldertable[0].mode=PersistFile

agents[0].foldertable[0].modeoptions=processed

agents[0].foldertable[0].monitoringinterval=60000

agents[0].foldertable[0].preservestate=true

agents[0].foldertable[0].processfoldersrecursively=true

agents[0].foldertable[0].processinglimit=256

agents[0].foldertable[0].processingmode=realtime

agents[0].foldertable[0].processingthreshold=-1

agents[0].foldertable[0].processingtimeout=-1

agents[0].foldertable[0].retryinterval=1

agents[0].foldertable[0].sleeptime=30

agents[0].foldertable[0].startatend=true

agents[0].foldertable[0].triggerextension=.done

agents[0].foldertable[0].usealternaterotationdetection=true

agents[0].foldertable[0].usefieldextractor=false

agents[0].foldertable[0].usenonlockingwindowsfilereader=false

agents[0].foldertable[0].usetriggerfile=false

agents[0].foldertable[0].version=7.0

agents[0].foldertable[0].wildcard=u_ex*.log

agents[0].id=3eUWuHzkBABD9-d4IPbeyUw\=\=

agents[0].internalevent.filecount.duration=-1

agents[0].internalevent.filecount.enable=false

agents[0].internalevent.filecount.minfilecount=-1

agents[0].internalevent.filecount.timer.delay=60

agents[0].internalevent.fileend.enable=true

agents[0].internalevent.filestart.enable=true

agents[0].lastcharacterrechecktime=500

agents[0].persistenceinterval=0

agents[0].preservedstatecount=10

agents[0].preservedstateinterval=30000

agents[0].type=iis_multiserver

nt_collector.use.device.browser=true

remote.management.enabled=true

remote.management.listener.port=9002

remote.management.ssl.organizational.unit=bfkryzYBABCAATLCASIg

transport.types=http,loggersecure,cefsyslog

where ftp_iis_logs is the folder "my event folder" = 201.16.0.1:LogFiles (configured CIFS mount). The log files are located on: \\2011.16.0.1\Logfiles\FTPSVC

Any other idea?

thanks for your reply and help

BR

0 Likes

A few things I recall notifying customers about while I was in ArcSight Support:

1. Make sure that "ftp_iis_logs" has no underscore or special character... just use a single word, as the Java framework might interpret this as a special character.

2. Try using a name no longer than 7 characters (ASCII default)...

3. Double check the directory listing and make sure the right permission of READ\WRITE is set on the folder, and the same for the share.

4. Enable debug on the connector and see exactly what the error is telling you. Use the lines below to enable debug, and remember to remove them once done... Share the debug output, as the logs will surely point in the right direction to where the issue lies.

log.global.debug=true
log.channel.file.property.package.com.arcsight=0

Cheers

Michael

0 Likes
Absent Member.

Sorry for the delay, holiday time... I have made all the changes (name of the CIFS mount) but it still doesn't work...

Attached you can find the log file with enabled debug.

Thanks for your help and time

0 Likes
Absent Member.

I am also facing the same problem. Can anyone help me fix this issue?


Regards

Babu

0 Likes
Fleet Admiral

UP?

0 Likes
Absent Member.

Yes.

0 Likes

Okay first thing first ---

How are you setting up the IIS Connector -

If it is on an ArcMC or ConApp server you need to set up a CIFS mount first -

For the supported IIS MULTI SERVER collector it looks like this

SOME IIS server   -  \\FQDN\c$\inetpub\logs\LogFiles

SOME IIS server   -  \\FQDN\c$\inetpub\logs\LogFiles

That is what your CIFS mount looks like -- that is under the ADMIN page - notice that the folder w3svc1 and the filename are not specified - the Connector is already programmed to pick up the files in that location ---- the user name and password will be used to connect the share to the ArcMC or ConApp server

In the Connector page, the path specified is to your CIFS mount point, not the IIS server ---

Type | Status | Input Events (SLC) | Input EPS (SLC)
iis_multiserver | Initialized | 3866.43

Table Parameters

Log Folder | Wildcard | Encoding | IIS Version | Latest Log Only
/opt/mnt/FQDN | u_ex*.log | UTF8 | 7.5 | false
/opt/mnt/FQDN | u_ex*.log | UTF8 | 7.5 | false

I have used this in both ArcMC and ConApp - let me know if that helps

0 Likes
Absent Member.

Hi,

Has anyone got IIS log collection resolved?

Thanks

Renjith

0 Likes
Absent Member.

https://protect724.hp.com/message/33699#33699 - please have a look at this; maybe this can help.

0 Likes

Hello,

I have had a few issues myself with this connector but just this morning I managed to have it up and running. The steps that worked for me are the following:

1. I used the ArcSight-7.1.3.7445.0-Connector-Win.exe connector - Microsoft IIS Multiple Server File. I installed the connector on a dedicated Windows Server 2008 machine and had the service "Log On As" the user with whom I shared the logs folder (at the point below).

2. I shared the logs folder on the IIS Server C:\inetpub\logs\LogFiles\ with the user from point 1 (read/write). The connector apparently knows to look into the W3SVCx folders by default, so DON'T SHARE the entire path. The resulting shared path is \\SO-WIN2008-IIS\LogFiles, so that you know to recognize it in the attached agent.properties file.

3. I made a few adjustments in the default resulting agent.properties file. Please find the tuned file attached. Please compare it with yours and check for potential differences.

My IIS server is 7.5 and is installed on a Windows 2008 Server.

Please let me know if this worked for you.

All the best,

Stefan

0 Likes
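
A preflight check for the Log Folder and Wildcard settings discussed in this thread, as an added example that is not part of any reply and is not ArcSight code. It reads the `folder` and `wildcard` keys from an agent.properties file like the one posted above and reports paths that are missing, unreadable, pointed at a W3SVCn folder instead of its parent, or that hold no file matching the wildcard; the function names and the W3SVC parent-folder rule (taken from the replies) are assumptions of this example.

```python
import fnmatch
import os
import re

# Keys as they appear in the agent.properties posted in the thread.
FOLDER_KEY = re.compile(r"^agents\[(\d+)\]\.foldertable\[(\d+)\]\.(folder|wildcard)=(.*)$")
# Assumption from the replies: the configured folder is the parent of W3SVCn.
SITE_DIR = re.compile(r"^w3svc\d+$", re.IGNORECASE)

def parse_foldertable(properties_text):
    """Return {(agent, row): {"folder": ..., "wildcard": ...}} from properties text."""
    rows = {}
    for line in properties_text.splitlines():
        m = FOLDER_KEY.match(line.strip())
        if m:
            rows.setdefault((int(m.group(1)), int(m.group(2))), {})[m.group(3)] = m.group(4)
    return rows

def check_row(folder, wildcard):
    """Return a list of findings for one Log Folder / Wildcard pair (empty = OK)."""
    if not os.path.isdir(folder):
        return [f"{folder}: not a directory (share not mounted, or path names a file)"]
    if not os.access(folder, os.R_OK | os.X_OK):
        return [f"{folder}: not readable by this account"]
    findings = []
    if SITE_DIR.match(os.path.basename(os.path.normpath(folder))):
        findings.append(f"{folder}: points at a site folder; configure its parent instead")
    matched, unmatched = [], []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            target = matched if fnmatch.fnmatch(name.lower(), wildcard.lower()) else unmatched
            target.append(os.path.join(root, name))
    if not matched:
        findings.append(f"{folder}: 0 files match wildcard {wildcard!r}")
        logs = [p for p in unmatched if p.lower().endswith(".log")]
        if logs:
            findings.append(f"{len(logs)} .log file(s) use another name, e.g. {os.path.basename(logs[0])}")
    return findings

def check_properties(properties_text):
    """Run check_row for every foldertable row; returns {(agent, row): [findings]}."""
    return {key: check_row(row.get("folder", ""), row.get("wildcard", "*"))
            for key, row in parse_foldertable(properties_text).items()}

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8") as fh:
        for key, findings in check_properties(fh.read()).items():
            print(key, findings or "OK")
```

Run it on the connector host as the account the connector service uses, passing the path to agent.properties, so the permission check reflects what the connector itself can read.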