Recently I had a SharePoint installation that stopped writing log files without any clear reason. Restarting the timer service or the whole server did not solve the problem. The only thing I noticed was this entry in the event viewer:
Tracing Service failed to create the trace log file at location specified in SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\15.0\WSS\LogDir. Error 0x0: The operation completed successfully. . Traces will be written to the following directory: C:\Users\SVCSPD~3\AppData\Local\Temp\.
Something seemed to be wrong with the log directory, but the folder and its permissions looked totally normal. So I opened the Monitoring Settings (Central Admin -> Monitoring -> Configure diagnostic logging), changed the path of the trace log to c:\temp and back to its normal location. As soon as I saved the second change, log files started appearing again.
Logstash is a great tool to transform the information stored in unstructured log files into a structured format. When using it on a Windows machine there are several things you should pay attention to (and which are not 100% documented).
Let’s say you want to use a file input and specify it in this way:
path => ["C:\Logs\*.logs"]
When you run Logstash nothing happens and your files are not processed.
The reason for that is pretty simple: Logstash doesn’t like the \ and because of that it does not recognise the path properly. So simply change the config to look like this:
path => ["C:/Logs/*.logs"]
Always use / in Logstash configs and you will easily get around this problem. The problem is also known to the Logstash community (see this bug) but there is no fix in place yet.
The mechanism for detecting which files have been written and which log entries are new is also not working correctly on Windows (see this bug here). The link also contains information on how to get around this problem.
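Because a backslash path fails silently (Logstash starts, but the files are never read), it is worth checking configs for it before deploying them. The following is an added example, not part of the original post or of Logstash itself: a small Python check that finds path settings containing backslashes and suggests the forward-slash form. The function name and the sample config are constructed for illustration, and it assumes path values are quoted strings or arrays of quoted strings.

```python
import re

# A `path => ...` setting whose value is a quoted string or a [...] array.
# \b keeps settings such as sincedb_path from matching.
PATH_SETTING = re.compile(r"""\bpath\s*=>\s*(\[[^\]]*\]|"[^"]*"|'[^']*')""")
QUOTED = re.compile(r"""(["'])(.*?)\1""")

def find_backslash_paths(config_text):
    """Return (line_number, original, suggested) for each path value with a backslash."""
    # Drop comments but keep line breaks so line numbers stay correct.
    # Simplification: a '#' inside a quoted value is also treated as a comment.
    text = "\n".join(l.split("#", 1)[0] for l in config_text.splitlines())
    findings = []
    for setting in PATH_SETTING.finditer(text):
        for m in QUOTED.finditer(setting.group(1)):
            value = m.group(2)
            if "\\" in value:
                offset = setting.start(1) + m.start(2)
                lineno = text.count("\n", 0, offset) + 1
                findings.append((lineno, value, value.replace("\\", "/")))
    return findings

# Constructed sample config: two broken paths, one good path, one comment.
SAMPLE_CONFIG = r'''
input {
  file {
    # path => ["C:\Old\*.log"]
    path => ["C:\Logs\*.logs",
             "D:/IIS/*.log"]
    sincedb_path => "C:\logstash\sincedb"
  }
  file { path => "C:\Temp\trace.log" }
}
'''

if __name__ == "__main__":
    for lineno, original, suggested in find_backslash_paths(SAMPLE_CONFIG):
        print(f"line {lineno}: {original} -> use {suggested}")
```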