
IIS File Connector Help Required
Hi Guys,
I'm stuck while installing Microsoft IIS file connector.
Everything seems fine to me... All the usernames, privileges, Log file is shared with full control.
I don't understand what the problem is.
I'm sharing agent.log and relevant files please help me out.
"Unable to init parser due to lack of file" is the error...

Did you first set up a CIF mount yet? When you do, point to the
/opt/mnt/any_name_you_give_it_when_Setting_up_the_Cif_mount/w3svc1/ directory inside of the connector config.
Tracking?


Firstly, the connector framework expects this file "w3svc1" to be created...which you have...
but during the setup, the path to specify should be one directory above the "w3svc1" folder you have created. This applies to the connector appliance as well.
Example: Let's say I create a folder in the C:\ drive named "my_event_folder" and create another folder inside this folder named "w3svc1".
Instead of specifying==> \\123.123.221.123\w3svc1\EX120811.log
The correct method should be
\\123.123.221.123\my_event_folder\
for CIFS it will be on the /opt/mnt/my_event_folder path
The framework will automatically pick up the logs.
I hope this helps
Michael

Michael thanks for your help, but it does not work
I see this event repeated again and again on the agent logs: [2012-08-14 08:28:04,682][INFO ][default.com.arcsight.agent.nc.l][run] 0 files processed
This is my agent configuration file:
#ArcSight Properties File
#Tue Aug 14 07:49:04 CEST 2012
action.execute.shell.command.enabled=false
agents.maxAgents=1
agents[0].AgentSequenceNumber=0
agents[0].destination.count=2
agents[0].destination[0].agentid=3eUWuHzkBABD9-d4IPbeyUw\=\=
agents[0].destination[0].failover.count=0
agents[0].destination[0].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n <Parameter Name\="host" Value\="esm"/>\n <Parameter Name\="port" Value\="8443"/>\n <Parameter Name\="aupmaster" Value\="false"/>\n <Parameter Name\="filterevents" Value\="false"/>\n <Parameter Name\="fipsciphers" Value\="fipsDefault"/>\n</ParameterValues>\n
agents[0].destination[0].type=http
agents[0].destination[1].agentid=qwabIzkBABCAMgjM6445zw\=\=
agents[0].destination[1].failover.count=0
agents[0].destination[1].params=<?xml version\="1.0" encoding\="UTF-8"?>\n<ParameterValues>\n <Parameter Name\="host" Value\="esm"/>\n <Parameter Name\="port" Value\="443"/>\n <Parameter Name\="rcvrname" Value\="esm-manager_smartmessage"/>\n <Parameter Name\="compression" Value\="Disabled"/>\n</ParameterValues>\n
agents[0].destination[1].type=loggersecure
agents[0].deviceconnectionalertinterval=60000
agents[0].enabled=true
agents[0].entityid=j56vHzkBABCAAvZ8Fjng7g\=\=
agents[0].fcp.version=0
agents[0].foldertable.count=1
agents[0].foldertable[0].badsubfolder=bad
agents[0].foldertable[0].configfile=iis/iis_file
agents[0].foldertable[0].configfolder=config/agent/oldsdk/
agents[0].foldertable[0].configtype=sdkfilereader
agents[0].foldertable[0].delay=10000
agents[0].foldertable[0].encoding=
agents[0].foldertable[0].extractfieldnames=
agents[0].foldertable[0].extractregex=
agents[0].foldertable[0].extractsource=File Name
agents[0].foldertable[0].fixedlinelength=-1
agents[0].foldertable[0].fixedlinelengthcontains=Fixed Number Of Characters
agents[0].foldertable[0].folder=/opt/mnt/ftp_iis_logs
agents[0].foldertable[0].followexternalrotation=false
agents[0].foldertable[0].ignoredwebsites=
agents[0].foldertable[0].latestlogonly=false
agents[0].foldertable[0].maxretries=-1
agents[0].foldertable[0].minfilelenght=-1
agents[0].foldertable[0].mode=PersistFile
agents[0].foldertable[0].modeoptions=processed
agents[0].foldertable[0].monitoringinterval=60000
agents[0].foldertable[0].preservestate=true
agents[0].foldertable[0].processfoldersrecursively=true
agents[0].foldertable[0].processinglimit=256
agents[0].foldertable[0].processingmode=realtime
agents[0].foldertable[0].processingthreshold=-1
agents[0].foldertable[0].processingtimeout=-1
agents[0].foldertable[0].retryinterval=1
agents[0].foldertable[0].sleeptime=30
agents[0].foldertable[0].startatend=true
agents[0].foldertable[0].triggerextension=.done
agents[0].foldertable[0].usealternaterotationdetection=true
agents[0].foldertable[0].usefieldextractor=false
agents[0].foldertable[0].usenonlockingwindowsfilereader=false
agents[0].foldertable[0].usetriggerfile=false
agents[0].foldertable[0].version=7.0
agents[0].foldertable[0].wildcard=u_ex*.log
agents[0].id=3eUWuHzkBABD9-d4IPbeyUw\=\=
agents[0].internalevent.filecount.duration=-1
agents[0].internalevent.filecount.enable=false
agents[0].internalevent.filecount.minfilecount=-1
agents[0].internalevent.filecount.timer.delay=60
agents[0].internalevent.fileend.enable=true
agents[0].internalevent.filestart.enable=true
agents[0].lastcharacterrechecktime=500
agents[0].persistenceinterval=0
agents[0].preservedstatecount=10
agents[0].preservedstateinterval=30000
agents[0].type=iis_multiserver
nt_collector.use.device.browser=true
remote.management.enabled=true
remote.management.listener.port=9002
remote.management.ssl.organizational.unit=bfkryzYBABCAATLCASIg
transport.types=http,loggersecure,cefsyslog
where ftp_iis_logs is the folder "my event folder" = 201.16.0.1:LogFiles (configured CIF). The log files are located on: \\2011.16.0.1\Logfiles\FTPSVC
Any other idea?
thanks for your reply and help
BR


A few things I recall notifying customers about while I was in ArcSight Support:
1. Make sure that "ftp_iis_logs" has no underscore or special character...just use a single word, as the Java framework might interpret this as a special character.
2. Try using a name no longer than 7 characters (ASCII default) ...
3. Double check the directory listing and make sure the right permission of READ\WRITE to the folder and same for the share.
4. Enable Debug on the connector and see exactly what the error is telling you. Use below to enable debug and remember to remove it once done...Share debug output as the logs will surely point the right direction where the issue lies.
- log.global.debug=true
- log.channel.file.property.package.com.arcsight=0
Cheers
Michael
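
One way to run the directory-listing and permission check from point 3 against the connector's own settings, as an added example that is not part of the original post and is not ArcSight code: it reads the `folder` and `wildcard` keys of each `foldertable` row (key names as in the agent.properties posted above) and reports whether any readable file under that folder matches. The helper names and the layout built in `demo()` are constructed, and the matching is plain case-sensitive globbing, an assumption rather than the connector's own file-discovery logic.

```python
import fnmatch
import os
import re
import tempfile

# Matches keys such as agents[0].foldertable[0].folder
KEY_RE = re.compile(r"^agents\[(\d+)\]\.foldertable\[(\d+)\]\.(folder|wildcard)$")

def foldertable_entries(properties_text):
    """Collect the folder/wildcard pair of every foldertable row in agent.properties text."""
    rows = {}
    for line in properties_text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        m = KEY_RE.match(key.strip())
        if m:
            row = rows.setdefault((int(m.group(1)), int(m.group(2))), {})
            row[m.group(3)] = value.strip()
    return rows

def check_folder(folder, wildcard, recursive=True):
    """Return (status, matching_files, other_files) for one configured log folder."""
    if not os.path.isdir(folder):
        return "missing", [], []
    if not os.access(folder, os.R_OK | os.X_OK):
        return "unreadable", [], []
    matched, others = [], []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            # Assumption: strict, case-sensitive glob match on the file name only.
            (matched if fnmatch.fnmatchcase(name, wildcard) else others).append(path)
        if not recursive:
            break
    return ("ok" if matched else "no-match"), sorted(matched), sorted(others)

def demo():
    """Constructed layout: one subfolder holding ex120811.log, checked against u_ex*.log."""
    with tempfile.TemporaryDirectory() as mnt:
        os.makedirs(os.path.join(mnt, "FTPSVC1"))
        open(os.path.join(mnt, "FTPSVC1", "ex120811.log"), "w").close()
        props = ("agents[0].foldertable[0].folder=%s\n"
                 "agents[0].foldertable[0].wildcard=u_ex*.log\n" % mnt)
        row = foldertable_entries(props)[(0, 0)]
        return check_folder(row["folder"], row["wildcard"])[0]
```

A `no-match` result together with a non-empty list of other files shows that the mount is readable but the wildcard does not fit the file names actually present.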

Even I am also facing the same problem. Can anyone help me fix this issue?
Regards
Babu

UP?

Yes.


Okay first thing first ---
How are you setting up the IIS Connector -
If it is on an ArcMC or ConApp server you need to set up a CIFS mount first -
For the supported IIS MULTI SERVER collector it looks like this
SOME IIS server - \\FQDN\c$\inetpub\logs\LogFiles
SOME IIS server - \\FQDN\c$\inetpub\logs\LogFiles
That is what your CIFS mount looks like -- that is under the ADMIN page - notice the folder w3svc1 and the filename are not specified - the Connector is already programmed to pick up the files in that location ---- the user name and password will be used to connect the share to the ArcMC or ConApp server
In the Connector page your path specified is to your CIFs mnt point not the IIS server ---

| Type | Status | Input Events (SLC) | Input EPS (SLC) |
|---|---|---|---|
| iis_multiserver | Initialized | 386 | 6.43 |

| Log Folder | Wildcard | Encoding | IIS Version | Latest Log Only |
|---|---|---|---|---|
| /opt/mnt/FQDN | u_ex*.log | UTF8 | 7.5 | false |
| /opt/mnt/FQDN | u_ex*.log | UTF8 | 7.5 | false |

I have used this in both ArcMC and ConApp - let me know if that helps

Hi,
Has anyone got IIS log collection resolved?
Thanks
Renjith

https://protect724.hp.com/message/33699#33699 - please have a look at this, maybe it can help.

I have had a few issues myself with this connector but just this morning I managed to have it up and running. The steps that worked for me are the following:
1. I used the ArcSight-7.1.3.7445.0-Connector-Win.exe connector - Microsoft IIS Multiple Server File. I installed the connector on a dedicated Windows Server 2008 machine and had the service "Log On As" the user with whom I shared the logs folder (at the point below).
2. I shared the logs folder on the IIS Server C:\inetpub\logs\LogFiles\ with the user from point 1 (read/write). The connector apparently knows to look into the W3SVCx folders by default, so DON'T SHARE the entire path. The resulting shared path is \\SO-WIN2008-IIS\LogFiles, so that you know to recognize it in the attached agent.properties file.
3. I made a few adjustments in the default resulting agent.properties file. Please find the tuned file attached. Please compare it with yours and check for potential differences.
My IIS server is 7.5 and is installed on a Windows 2008 Server.
Please let me know if this worked for you.
All the best,
Stefan