
IIS WEB SERVER LOGS
I have installed a smart connector for collecting IIS logs on the IIS web server. The smart connector authenticates successfully on all the shares for the IIS logs, but on the ESM the logs are not received. I have manually run the share and the box I have installed the smart connector and it goes through. I can see log files on the share that are supposed to be pulled by the smart connector. Please help.

Have you been able to get a solution to this issue?


I have the same problem at the moment.
We have some IIS servers and connector server in a domain. Everything works in folders. I can see them. But smart connector fails to do its task. I have set permissions to that particular smart connector so that domain user could access it, and service is set to run as that user but I only get this:
[Thu May 29 07:46:47 EEST 2014] [INFO ] {Eps=0.0, Evts=10}
[Thu May 29 07:46:47 EEST 2014] [INFO ] {C=0, ET=Up, HT=Up, N=IIS Multi server, S=4, T=0.0}
FATAL EXCEPTION:
java.lang.NullPointerException
    at com.arcsight.agent.dd.i.a(i.java:81)
    at com.arcsight.agent.util.r.run(r.java:320)
    at java.lang.Thread.run(Thread.java:680)
[Thu May 29 07:47:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getSupportedAPIVersion]
[Thu May 29 07:47:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getCounterSnapshot]
FATAL EXCEPTION:
java.lang.NullPointerException
    at com.arcsight.agent.dd.i.a(i.java:81)
    at com.arcsight.agent.util.r.run(r.java:320)
    at java.lang.Thread.run(Thread.java:680)
[Thu May 29 07:47:47 EEST 2014] [INFO ] {Eps=0.0, Evts=10}
[Thu May 29 07:47:47 EEST 2014] [INFO ] {C=0, ET=Up, HT=Up, N=IIS Multi server, S=4, T=0.0}
FATAL EXCEPTION:
java.lang.NullPointerException
    at com.arcsight.agent.dd.i.a(i.java:81)
    at com.arcsight.agent.util.r.run(r.java:320)
    at java.lang.Thread.run(Thread.java:680)
[Thu May 29 07:48:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getSupportedAPIVersion]
[Thu May 29 07:48:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getCounterSnapshot]
FATAL EXCEPTION:
java.lang.NullPointerException
    at com.arcsight.agent.dd.i.a(i.java:81)
    at com.arcsight.agent.util.r.run(r.java:320)
    at java.lang.Thread.run(Thread.java:680)
I know that the logs are fine because I can do some "magic" with folder symlinking, network mounts and stuff like that. But it's not the way it should work.

A few suggestions / notes (recently did connectivity to IIS file, multiserver, and multisite):
1) Which version of IIS is running? For the SmartConnector to "see" the files, in addition to setting the path to the files, there's a small update I needed to make in agent.properties file:
- For multiserver and multisite, for the path to the W3SVC* directories, in the path for the SmartConnector, put up to the following - do not include the W3SVC dirs. In this example, the W3SVC* directories are under LogFiles. For example: C:\arcsight\sample_logs\LogFiles\
- For multisite (if IIS files are 7.5), the default agent.properties file needs to be updated so logfile.name.prefix=u_ex (not just ex)
- For multiserver, leave default encoding as UTF8 for all versions (no ANSI)
2) As a test, set up the SmartConnector to run standalone first, and verify access to the log files when the SmartConnector is run manually. (Mapped drives are not seen by service accounts, so a full UNC path is needed if using networked drives.)
3) To verify processing of a single file, you can use the IIS file option. Map to any dir where the file is located. If processing is set to Daily, the file must be for the current date (in a format such as u_ex140528.log for an IIS 7.5 file - YYMMDD)
* With the file option, set the startatend value to false in the agent.properties file to ensure you load the contents of the file for processing
-MacGyver


I found my problem. Logs can be read with a standalone IIS connector from a remote share just fine. The problem arose when I tried to read logs with a multi server connector in a logroot that had more directories than W3SVC*.

Sounds good! At the POC I was doing, I used "IIS MultiSite" to connect to the remote LogFiles dir (that contained both W3SVC# and FTPSVC# directories) and didn't run into any errors on connection and load. Didn't try "IIS MultiServer" in that case, so will keep your note in mind. Thank you!

I managed to get the solution. The smart connector service was running using the system account, which didn't have permission to read logs on the remote servers. I used an account with remote login access to the IIS servers and read permission on the IIS logs folder. This resolved my problem.
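
A pre-flight check for the conditions raised in the replies above (UNC path rather than a mapped drive, a log root that stops above the W3SVC* directories, extra directories in that root, the dated u_ex file, and read access for the service account), as an added example that is not part of the original thread or ArcSight's own tooling. The function name Test-IisLogRoot and the \\webserver01\LogFiles path are hypothetical; run it in a session started as the account the connector service uses.

```powershell
# Added example: checks an IIS log root the way the replies in this thread describe.
# Test-IisLogRoot and the sample path are hypothetical names, not ArcSight tooling.
function Test-IisLogRoot {
    param(
        [Parameter(Mandatory)] [string]   $LogRoot,          # parent of the W3SVC* dirs
        [string]   $Prefix = 'u_ex',                         # 'u_ex' for IIS 7.5, 'ex' otherwise
        [datetime] $Date   = (Get-Date)                      # daily file must match this date
    )

    # Mapped drives are not seen by service accounts: flag drive letters that are network drives.
    if ($LogRoot -match '^[A-Za-z]:') {
        $type = (New-Object System.IO.DriveInfo ($LogRoot.Substring(0, 1))).DriveType
        if ($type -eq [System.IO.DriveType]::Network) {
            "WARN  $LogRoot is on a mapped drive; use the full UNC path instead"
        }
    }

    if (-not (Test-Path -LiteralPath $LogRoot -PathType Container)) {
        "FAIL  $LogRoot is not reachable as $env:USERDOMAIN\$env:USERNAME"
        return
    }

    # For multiserver/multisite the configured path stops above the W3SVC* directories.
    if ((Split-Path -Path $LogRoot -Leaf) -like 'W3SVC*') {
        "WARN  path ends in a W3SVC directory; point the connector at its parent"
    }

    $dirs  = @(Get-ChildItem -LiteralPath $LogRoot -Directory)
    $sites = @($dirs | Where-Object Name -like 'W3SVC*')
    $other = @($dirs | Where-Object Name -notlike 'W3SVC*')
    if ($other.Count)      { "WARN  non-W3SVC directories present: $($other.Name -join ', ')" }
    if (-not $sites.Count) { "FAIL  no W3SVC* directories under $LogRoot" }

    # Daily file name is prefix + YYMMDD, e.g. u_ex140528.log for 28 May 2014.
    $file = '{0}{1:yyMMdd}.log' -f $Prefix, $Date
    foreach ($site in $sites) {
        $path = Join-Path $site.FullName $file
        try {
            # Reading one line proves this account has read permission, not just list access.
            $null = Get-Content -LiteralPath $path -TotalCount 1 -ErrorAction Stop
            "OK    $path is readable"
        } catch {
            "FAIL  $path : $($_.Exception.Message)"
        }
    }
}

Test-IisLogRoot -LogRoot '\\webserver01\LogFiles'   # placeholder server and share
```

A FAIL on read from an account that can still list the directory points at the permission problem described in the last reply; a WARN about non-W3SVC directories matches the multi server case reported earlier in the thread.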