All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the benefit of Splunk Add-on for Apache Web Access if it monitors the same source as Splunk Add-on for Unix and Linux?

bayman
Path Finder
‎01-04-2017 09:58 AM

I am a new Splunk user and have Splunk Add-on for Unix and Linux installed which is set to monitor /var/log on my Apache web server. I have the following questions I'm hoping to better understand:

  1. What value does installing Splunk Add-on for Apache Web Server have if /var/log/apache log files are already monitored by Splunk_TA_nix?

  2. Will logs from /var/log/apache be duplicated since both apps are creating different sourcetypes?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sjohnson_splunk
Splunk Employee
Splunk Employee
‎01-04-2017 01:06 PM

I don't believe you have to worry about any duplication. The Splunk_TA_nix app does monitor the /var/log directory but is pretty specific what it picks up (also note it is disabled by default):

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 1

Are the apache logs actually in /var/log or are they in a lower level subdirectory (httpd)? The monitor stanza above will not recurse down another level.

FYI - if there are multiple inputs.conf that end up monitoring the same file, only 1 will actually win. The precedence is the app that has the name with the lowest ASCII sort order will win.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sjohnson_splunk
Splunk Employee
Splunk Employee
‎01-04-2017 01:06 PM

I don't believe you have to worry about any duplication. The Splunk_TA_nix app does monitor the /var/log directory but is pretty specific what it picks up (also note it is disabled by default):

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 1

Are the apache logs actually in /var/log or are they in a lower level subdirectory (httpd)? The monitor stanza above will not recurse down another level.

FYI - if there are multiple inputs.conf that end up monitoring the same file, only 1 will actually win. The precedence is the app that has the name with the lowest ASCII sort order will win.

0 Karma
Reply
Solved! Jump to solution

bayman
Path Finder
‎01-04-2017 01:42 PM

The apache logs are actually in /var/log/apache2/access.log. I actually enabled monitoring of the the /var/log on the Splunk_TA_nix app. Should I disable it if I am using the Splunk Add-on for Apache Web Access to monitor /var/log/apache2/access.log? I still would like syslog to be monitored.

0 Karma
Reply
Solved! Jump to solution

sjohnson_splunk
Splunk Employee
Splunk Employee
‎01-04-2017 02:12 PM

Leave it on. You probably should always be monitoring the messages and secure logs.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...