Absent Member.

IIS WEB SERVER LOGS

I have installed a smart connector for collecting IIS logs on the IIS web server. The smart connector authenticates successfully on all the shares for the IIS logs, but on the ESM the logs are not received. I have manually run the share and the box I have installed the smart connector and it goes through; I can see log files on the share that are supposed to be pulled by the smart connector. Please help.

Absent Member.

Have you been able to get a solution to this issue?

Cadet 2nd Class

I have the same problem at the moment.

We have some IIS servers and connector server in a domain. Everything works in folders. I can see them. But smart connector fails to do its task. I have set permissions to that particular smart connector so that domain user could access it, and service is set to run as that user but I only get this:

[Thu May 29 07:46:47 EEST 2014] [INFO ] {Eps=0.0, Evts=10}
[Thu May 29 07:46:47 EEST 2014] [INFO ] {C=0, ET=Up, HT=Up, N=IIS Multi server, S=4, T=0.0}
FATAL EXCEPTION:
java.lang.NullPointerException
        at com.arcsight.agent.dd.i.a(i.java:81)
        at com.arcsight.agent.util.r.run(r.java:320)
        at java.lang.Thread.run(Thread.java:680)
[Thu May 29 07:47:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getSupportedAPIVersion]
[Thu May 29 07:47:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getCounterSnapshot]
FATAL EXCEPTION:
java.lang.NullPointerException
        at com.arcsight.agent.dd.i.a(i.java:81)
        at com.arcsight.agent.util.r.run(r.java:320)
        at java.lang.Thread.run(Thread.java:680)
[Thu May 29 07:47:47 EEST 2014] [INFO ] {Eps=0.0, Evts=10}
[Thu May 29 07:47:47 EEST 2014] [INFO ] {C=0, ET=Up, HT=Up, N=IIS Multi server, S=4, T=0.0}
FATAL EXCEPTION:
java.lang.NullPointerException
        at com.arcsight.agent.dd.i.a(i.java:81)
        at com.arcsight.agent.util.r.run(r.java:320)
        at java.lang.Thread.run(Thread.java:680)
[Thu May 29 07:48:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getSupportedAPIVersion]
[Thu May 29 07:48:02 EEST 2014] [INFO ] Processing request from [127.0.0.1] for service method [getCounterSnapshot]
FATAL EXCEPTION:
java.lang.NullPointerException
        at com.arcsight.agent.dd.i.a(i.java:81)
        at com.arcsight.agent.util.r.run(r.java:320)
        at java.lang.Thread.run(Thread.java:680)

I know that the logs are fine because I can do some "magic" with folder symlinking, network mounts and stuff like that. But it's not the way it should work.

Absent Member.


A few suggestions / notes (recently did connectivity to IIS file, multiserver, and multisite):

1) Which version of IIS is running?  For the SmartConnector to "see" the files, in addition to setting the path to the files, there's a small update I needed to make in agent.properties file:

  • For multiserver and multisite, for the path to the W3SVC* directories, in the path for the SmartConnector, put up to the following - do not include the W3SVC dirs.  In this example, the W3SVC* directories are under LogFiles.  For example: C:\arcsight\sample_logs\LogFiles\
  • For multisite (if IIS files are 7.5), the default agent.properties file needs to be updated so logfile.name.prefix=u_ex (not just ex)
  • For multiserver, leave default encoding as UTF8 for all versions (no ANSI)

2) As a test, set up the SmartConnector to run standalone first, and verify access to the log files when the SmartConnector is run manually.  (Mapped drives are not seen by service accounts, so full UNC needed, if using networked drives)

3) To verify processing of a single file, can use the IIS file option.  Map to any dir where file is located.  If processing set to Daily, file must be the current date (in format such as u_ex140528.log for an IIS 7.5 file - YYMMDD)

* With the file option, set the startatend value to false in the agent.properties file to ensure you load the contents of the file for processing

-MacGyver

Cadet 2nd Class

I found my problem. Logs can be read with a standalone IIS connector from a remote share just fine. The problem arose when I tried to read logs with a multi server connector in a logroot that had more directories than W3SVC*.

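A pre-flight check for the layout points raised in the two posts above, as an added example that is not part of any post and is not ArcSight code. It flags a configured path that ends in a W3SVC directory, subdirectories that are not W3SVC* (reported above to trip the multi server connector), and sites with no file for the given day under the configured prefix. The function names, finding labels and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from datetime import date
from pathlib import Path

SITE_DIR = re.compile(r"^W3SVC\d+$", re.IGNORECASE)

def daily_name(prefix: str, day: date) -> str:
    """Daily file name as described in the thread: <prefix>YYMMDD.log."""
    return f"{prefix}{day:%y%m%d}.log"

def preflight(logroot: Path, prefix: str, day: date) -> list[str]:
    """Return findings for a multi-server/multi-site log root (empty = clean)."""
    findings = []
    # The configured path should stop above the W3SVC* directories.
    if SITE_DIR.match(logroot.name):
        findings.append(f"path-includes-site-dir:{logroot.name}")
    other = "ex" if prefix == "u_ex" else "u_ex"
    for entry in sorted(logroot.iterdir()):
        if not entry.is_dir():
            continue
        if not SITE_DIR.match(entry.name):
            # Flagged, not fatal: the thread reports mixed results here.
            findings.append(f"non-w3svc-dir:{entry.name}")
            continue
        if (entry / daily_name(prefix, day)).is_file():
            continue
        # Distinguish "wrong logfile.name.prefix" from "no file for that day".
        if (entry / daily_name(other, day)).is_file():
            findings.append(f"prefix-mismatch:{entry.name}")
        else:
            findings.append(f"no-current-file:{entry.name}")
    return findings

def demo() -> list[str]:
    """Build a constructed sample tree in a temp dir and check it."""
    sample = [("W3SVC1", "u_ex140528.log"), ("W3SVC2", "ex140528.log"),
              ("W3SVC3", "u_ex140527.log"), ("FTPSVC1", "u_ex140528.log")]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "LogFiles"
        for site, fname in sample:
            (root / site).mkdir(parents=True)
            (root / site / fname).write_text("#Software: constructed sample\n")
        return preflight(root, "u_ex", date(2014, 5, 28))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it as the same account the connector service uses and against the full UNC path, so that an access failure shows up here rather than in the connector log.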
Absent Member.

Sounds good!  At the POC I was doing, I used "IIS MultiSite" to connect to the remote LogFiles dir (that contained both W3SVC# and FTPSVC# directories, and didn't run into any errors on connection and load).  Didn't try "IIS MultiServer" in that case, so will keep your note in mind.  Thank you!

Absent Member.

I managed to get the solution. The smart connector service was running using the system account, which didn't have permission to read logs on the remote servers. I used an account with remote login access to the IIS servers and read permission on the IIS logs folder. This resolved my problem.
