Problem with FileBeat and Windows Server 2012 R2

Hi All,
I have a problem with FileBeat and Windows Server 2012 R2.

I use FileBeat to read remote IIS logs from 4 webservers; in the Windows Event Viewer I have this error:

{Delayed Write Failed} Windows was unable to save all the data for the file \\webserver1\d$\inetpub\logs\LogFiles\W3SVC32\u_ex170911.log; the data has been lost. This error was returned by the server on which the file exists. Please try to save this file elsewhere.

I have those errors from all webservers. My Elastic stack version (Elastic, Kibana, Logstash, FileBeat) is 5.5.2 but I have errors also with past versions.

What could be the problem? Does Filebeat support UNC paths?

Thanks in advance for support
Best regards,
Jack

To me this error sounds like IIS is failing to write to that UNC path (could that be a network issue?). What role does Filebeat play in that error?

Filebeat should read logs from a local disk. https://www.elastic.co/guide/en/beats/filebeat/current/faq.html#filebeat-network-volumes

Hi, thanks for reply!

IIS writes logs on the local machine (D:\inetpub\logs etc.); Filebeat reads the IIS logs from the webservers via UNC paths.

This is a piece of my filebeat's configuration:

    # One prospector reading the IIS logs of all four webservers over UNC paths
    - input_type: log
      paths:
        - \\wb01\d$\inetpub\logs\LogFiles\*\*.log
        - \\wb02\d$\inetpub\logs\LogFiles\*\*.log
        - \\wb03\d$\inetpub\logs\LogFiles\*\*.log
        - \\wb04\d$\inetpub\logs\LogFiles\*\*.log
      document_type: log
      fields:
        type: iis

I don't know if this warning in Event Viewer is a problem, but I would not want to miss any data from IIS logs...

Regards,
Jack

Thanks for clarifying. I recommend running a Filebeat instance that reads directly from D: on each webserver.

Thanks for reply

I could run 4 separate instances but I'd prefer to maintain one single instance. Could it be an issue with the Elastic Stack, or is it more probably an issue with my server?

I have had this error for one month; before that everything worked correctly.

I haven't seen that error before and I'm not sure what is causing it or if it is Filebeat related. Grabbing all of the data associated with the event log record from the event log could provide additional clues as to the source of the problem. As I understand it those events are being logged on the IIS hosts where Filebeat is not running? Maybe there's an issue with the network file server having the file open while IIS is writing/rotating the logs.

But regardless, having Filebeat read logs from a network share is not recommended because it's unreliable. And you said, "I would not want to miss any data from IIS logs". So please consider running an instance per host.

Hi,
those events occur on a separate machine where Filebeat is running (no IIS is installed on it). Filebeat grabs events from the other 4 machines with IIS (webservers).

But regardless, I will try to rethink my log system and move Filebeat onto the webservers.

Thanks for support :)

Best regards,
Jack
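
The per-host layout recommended in this thread, as an added example that is not any poster's own configuration: a Filebeat 5.x config installed on each IIS webserver and reading from local disk. The Logstash host is a placeholder assumption, and the glob assumes one subdirectory per site under LogFiles, as in the W3SVC32 path from the error message.

```yaml
# Added example: filebeat.yml deployed on each webserver (wb01..wb04).
# Filebeat reads the IIS logs from local disk and ships them itself,
# so no SMB share is involved while IIS writes or rotates the files.

filebeat.prospectors:
  # Before (one central instance reading over administrative shares):
  #   - input_type: log
  #     paths:
  #       - \\wb01\d$\inetpub\logs\LogFiles\*\*.log
  #       - \\wb02\d$\inetpub\logs\LogFiles\*\*.log
  #
  # After (same prospector, local path on the webserver itself):
  - input_type: log
    paths:
      - D:\inetpub\logs\LogFiles\*\*.log
    # IIS W3C logs contain header lines (#Software, #Fields, ...)
    # that are not requests; drop them at the shipper.
    exclude_lines: ['^#']
    document_type: log
    fields:
      type: iis

# Filebeat adds beat.hostname to every event, so the four webservers
# stay distinguishable downstream without a per-host custom field.

output.logstash:
  # Assumption: placeholder address, replace with the real Logstash endpoint.
  hosts: ["logstash.example.internal:5044"]
```

Reading locally also means the Filebeat service account no longer needs access to the `d$` administrative share, which is limited to privileged accounts such as local Administrators, on all four webservers.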
