All Apps and Add-ons

SPLunk for apachelogs monitoring

chaga
New Member

Hello all,

Could anyone please let me know how to install splunk add on for apache webserver and configure step by step apache logs for monitoring?

0 Karma

gcusello
Legend

Hi @chaga,

At first you should check if you're receiving logs from that server running the search

index=_internal host=<your_host>

If you have'n logs there's no connection between UF and Indexer, if instead you have logs there's a problem in Add-on settings.

In the first case, check the connection using telnet from the terget server:

telnet Indexer_IP 9997

if it isn't ok you have to check the firewall routes between target and Indexer, if it's ok, check if in outputs.con you have the correct Indexer ip address.

If instead you are receiving internal logs but not apache logs, check at first the permissions on these files (what's the user owner of splunkd process?)
Then how do you installed Add-on on target server?
did you restarted Universal Forwarder after copying and untarring Add-on?

Then see in input.con of the Add-on if in all the stanzas there's disable=0

Ciao.
Giuseppe

0 Karma

chaga
New Member

Can anyone tell me which ports should listen on Splunk server and on the Target server (Client)

0 Karma

chaga
New Member

Am so confused, Indexer is the one which you give while adding the path to monitor right. for ex:
./splunk add monitor /var/log/apache2/access.log -index apache -sourcetype access_log

what is called indexer? should we configure indexer as separate server?

0 Karma

gcusello
Legend

Sorry, I'll try to be more clear:
you spoke of a Universal Forwarder, that's on the target server to monitor.
it should send logs to a Splunk server (called Indexer) that should be on a separate server and contains all the logs and search on them; I think (if I'm wrong, please correct me!) you have a single Splunk stand-alone server and not a distributed architecture is it correct?
So if you have a stand-alone server Indexer is your stand-alone server.

At first you have to check if your Splunk server receives logs from the Universal forwarder, to do this run a search on Splunk:

index=_internal host=<your_host>

if you haven't logs, you have to perform some checks:

  • do you enabled receiving on Splunk server ? [Settings -- Forwarding and Receiving -- Configure Receiving -- New Receiving Port]
  • are firewall routes between Universal Forwarder and Splunk server open? telnet ip_splunk_server 9997

if it isn't ok you have to check the firewall routes between target and Indexer on port 9997, if it's ok, check if in $SPLUNK_HOME/etc/system/local/outputs.conf of Universal Forwarder you have the correct Splunk server ip address.

If instead you are receiving internal logs but not apache logs, check at first the permissions on these files (what's the user owner of splunkd process on UF?)
Then how do you installed Add-on on UF, which user you used? has the grants to read files?
at the end did you restarted Universal Forwarder after copying and untarring Add-on?

Then see in $SPLUNK_HOME/etc/apps/splunk-apache-addon/local/input.conf or $SPLUNK_HOME/etc/apps/splunk-apache-addon/default/input.conf of the Add-on if in all the stanzas there's disable=0

Ciao.
Giuseppe

0 Karma

chaga
New Member

Thanks for the clear explanation.
Yes you are right i have a splunk stand-alone server. when i search using index=_internal host= it doesnot show host.

I guess telnet is the problem telnet doesnot work from the target server. I have added a firewall rule on Splunk server and forward server but still it doesnot work. Any idea on this?

iptables -A INPUT -p tcp -m tcp --dport 9997 -j ACCEPT

But when i run /opt/splunkforwarder/bin/splunk list monitor, it shows
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log/apache2/access.log
/var/log/apache2/error.log
var/log/apache2

I am not sure whats the problem

0 Karma

chaga
New Member

I have installed add on for apache log and configured it on splunk web also the inputs.conf on the universal forwarder. but the logs are not getting forwarded. can anyone help

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Have you enabled Receiving on your indexer(s)? Have you configured the UF to send logs to the indexer(s)?
Do you see logs from the UF in index=_internal?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>