Re: Configuring Apache log data forwarding

compsavvystu · ‎06-10-2011

I have a linux web server (Ubuntu 10.04 x64) that I would like to forward apache log data from. I have installed the universal forwarder. How do I configure it to forward log data to my splunk server?

If this is well documented, I apologize. I'm having difficulty finding this info.

Thanks.

twinspop · ‎06-10-2011

Minimally, in /opt/splunkforwarder/etc/system/local

outputs.conf:

[tcpout:somelabel]
server=192.168.0.1:9997

inputs.conf:

[monitor:///path/yo/your/access_log]
sourcetype = access_log

On the receiving end, you'll need to activate a corresponding receiving port under Management -> Forwrding/Receiving. (In this case, and by default, 9997.)

lguinn2 · ‎06-10-2011

You can use a wild card, and that's better than a separate monitor stanza for each file. If you need something more sophisticated, you can add either a whitelist or a blacklist to the spec.

There is a new manual called "Getting Data In." Start here (http://www.splunk.com/base/Documentation/latest/Data/Configureyourinputs#Edit_inputs.conf) in the manual for help with inputs.conf

compsavvystu · ‎06-10-2011

for the monitor, can I specify a wildcard in the access_log path (like /path/to/*.log, or does a separate [monitor] line need to be specified for each access_log?

Configuring Apache log data forwarding

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life