Getting Data In

Why is there Missing data from logs?

SBadams
Loves-to-Learn Lots

Hello, I have an issue with web and syslog indexes not being logged properly. I believe that I will need to change the settings of the Splunk Forwarders and I need help with modifying the UF configs so that I can correct the data that needs to be logged. We have a deployment server set up and I think this is probably the route to go. What does the process look like for doing this?


PickleRick
SplunkTrust

Ok. Your question is so general that it can't be answered reasonably. It's as if you asked "my car is not working properly, what should I do?".

There are several key pieces of information missing here.

1. How are you ingesting your logs? (UFs installed on the source hosts in case of web logs or syslog-pushed logs? In case of syslogs - are they being pushed directly to the UFs or do you have any intermediate receiver? And so on)

2. What kinds of logs do you have? From what solutions, in what format? What are your settings for those sourcetypes?

3. How do you know they are not indexed properly?

And the deployment server is just a tool to manage configs on UFs, but the configs themselves must be done properly in the first place (and a lot of those settings are not configurable on UFs but on indexers).

So there's much more to it than meets the eye.


SBadams
Loves-to-Learn Lots

We have hundreds of servers in the environment running IIS. All servers have different logging levels set for IIS which causes different results in Splunk when searching our web index. We are looking for a solution to level set the logging level for IIS so we can build proper detections. Note - we also have this issue with apache logs. But we can concentrate on IIS for this. 


PickleRick
SplunkTrust

OK. So firstly, you need to make sure you get your logging configured consistently across your whole environment (unless you really want it to be set differently on some servers).

Then you need to ingest the files properly. There is an add-on for IIS logs - https://splunkbase.splunk.com/app/3185. Install it, configure inputs as described in the docs (also verify that your IIS logging is configured properly according to the docs), then check if all the files are getting indexed properly.


SBadams
Loves-to-Learn Lots

The goal of this project is to create consistent logging across all servers in the environment. What tools exist on Splunk to achieve this? We are already ingesting existing logs properly.


PickleRick
SplunkTrust

It's not up to Splunk to configure your logging. Typically, if you download an add-on from Splunkbase, it has a docs page which describes how to configure the source to produce relevant logs.


SBadams
Loves-to-Learn Lots

Would changing each server's IIS logging settings using a GPO be the recommended option for solving this issue?


PickleRick
SplunkTrust

The Add-on docs describe how a single IIS should be configured so that it logs the proper data.

How to deploy that configuration in your environment is something you have to consult with your admins and check with your local policies. We can't tell you if in your case GPO will be the appropriate solution. It might be (I'm not sure if you can configure those settings with GPO), but there can be other ways to do it (for example, if you used any third-party automation solution you could use that instead of deploying settings via GPO).

The requirements for the Add-on regarding IIS configuration are described here - https://docs.splunk.com/Documentation/AddOns/released/MSIIS/Hardwareandsoftwarerequirements#Microsof... but how to apply them properly is up to you and your infrastructure team.

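As an added example (not part of this thread, and not the add-on's own code), here is a PowerShell audit that parses applicationHost.config and reports which IIS sites log a W3C field set that drifts from a baseline, taking inheritance from siteDefaults into account. The baseline field list and the sample config are constructed placeholders: replace the baseline with the field list from the add-on's requirements page linked above before running it against real servers.

```powershell
# Added example: report per-site IIS W3C log field drift against a baseline.
# $Baseline is an assumed placeholder, not the add-on's documented requirement.
function Get-IisLogFieldDrift {
    param(
        [Parameter(Mandatory)][xml]$Config,
        [string[]]$Baseline = @('Date','Time','ClientIP','UserName','ServerIP','Method',
                                'UriStem','UriQuery','HttpStatus','Win32Status','BytesSent',
                                'BytesRecv','TimeTaken','ServerPort','UserAgent','Referer',
                                'ProtocolVersion','Host','HttpSubStatus')
    )
    $sites    = $Config.configuration.'system.applicationHost'.sites
    $defaults = $sites.siteDefaults.logFile      # sites without their own <logFile> inherit this
    foreach ($site in $sites.site) {
        $own    = $site.logFile.logExtFileFlags
        $flags  = if ($own) { $own } else { $defaults.logExtFileFlags }
        $format = if ($site.logFile.logFormat) { $site.logFile.logFormat }
                  elseif ($defaults.logFormat) { $defaults.logFormat } else { 'W3C' }
        $fields  = @($flags -split ',\s*' | Where-Object { $_ })
        $missing = @($Baseline | Where-Object { $_ -notin $fields })
        $extra   = @($fields   | Where-Object { $_ -notin $Baseline })
        [pscustomobject]@{
            Site      = $site.name
            Format    = $format
            Source    = $(if ($own) { 'site' } else { 'siteDefaults' })
            Missing   = ($missing -join ',')
            Extra     = ($extra -join ',')
            # Field flags only apply to the W3C format; anything else is non-compliant.
            Compliant = ($format -eq 'W3C' -and $missing.Count -eq 0)
        }
    }
}

# Constructed sample config (not from a real server): one site inherits the defaults,
# one overrides them with a reduced field set that would break field-based detections.
$sample = [xml]@'
<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1" />
  <site name="Intranet" id="2">
    <logFile logFormat="W3C" logExtFileFlags="Date, Time, ClientIP, UriStem, HttpStatus" />
  </site>
  <siteDefaults>
    <logFile logFormat="W3C" logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, HttpSubStatus" />
  </siteDefaults>
</sites></system.applicationHost></configuration>
'@
Get-IisLogFieldDrift -Config $sample | Format-Table -AutoSize

# On a real server (run elevated):
# Get-IisLogFieldDrift -Config ([xml](Get-Content -Raw "$env:windir\System32\inetsrv\config\applicationHost.config"))
```

Run it through Invoke-Command against the server fleet and filter on Compliant -eq $false to get the list of hosts whose settings need to be brought in line, whatever deployment mechanism (GPO or other automation) you settle on.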

gcusello
SplunkTrust

Hi @SBadams,

Your question is really very vague!

You should share some additional info:

  • What do you mean by missing data: did the logs arrive and then stop arriving, or did they never arrive?
  • Are the logs incomplete?
  • Are you speaking of syslogs or logs from a Forwarder?
  • Which kind of logs?
  • Are the logs correctly parsed (with special attention to the timestamp)?

Ciao.

Giuseppe
