topic Re: how to confgure splunk to monitor apache web server in Security

how to confgure splunk to monitor apache web server

vahabudeen — Wed, 17 Dec 2014 06:55:22 GMT

Hi all
I have installed Splunk Enterprise trial on a windows 7 machine to collect logs from my Apache server ,also installed Splunk universal forwarder on my Apache server (centos 6).how do i configure These two to monitor my apache web server.

Here is what i have done ...though it doesn't help
outputs.conf

[tcpout:Apache]
server=ApacheserevrIP:9997

inputs.conf

[monitor:/var/log/httpd/access_log]
sourcetype = access_log

Please direct me to the correct solution

Thanks in advance

Re: how to confgure splunk to monitor apache web server

MuS — Wed, 17 Dec 2014 07:09:09 GMT

Hi vahabudeen,

first check that inputs.conf it should be like this:

[monitor:///var/log/httpd/access_log]

You missed some slashes there. Next, have you enabled receiving on your indexer? See docs http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Enableareceiver and last but not least make sure the forwarder is able to reach / communicate with the indexer on that port (firewalls, routing ....)

hope this helps ...

cheers, MuS

Re: how to confgure splunk to monitor apache web server

vahabudeen — Wed, 17 Dec 2014 07:33:49 GMT

Thanks MuS
Thanks for your response. I have modified input.conf based on your answer.i have enabled listening port for 9997 .then ????i am really new to splunk ,,those links are really confusing me,,please direct me to the steps where i can accomplish this with only required few steps i apologize if i done anything wrong..

Thanks in advance

Re: how to confgure splunk to monitor apache web server

MuS — Wed, 17 Dec 2014 07:39:45 GMT

Your step by step instruction is http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial Part3 and Part4 are essential, especially to new users.

But as small hint, search the index=main or sourcetype=access_logs on your indexer

Re: how to confgure splunk to monitor apache web server

vahabudeen — Wed, 17 Dec 2014 08:49:22 GMT

after configuration of universal forwarder to send logs to Splunk manager ,how can i verify whether it is received or not??
then only i would be able to move with "add data" and dashboard steps ,,isn't it??

Re: how to confgure splunk to monitor apache web server

MuS — Wed, 17 Dec 2014 08:59:57 GMT

on your indexer, check the index=_internal and/or fire this command on your forwarder $SPLUNK_HOME/bin/splunk list forward-server No need to add data because you already receive your logs from the forwarder; this would only be needed if your really want to add something else.

Open the search app and search for your events by running a basic first search like index=* sourcetype=access_logs and run it over all time to verify events are getting in. Next step would be to create a useful search and some fancy dashboard that fits your needs.