Re: Configuring Apache log data forwarding

compsavvystu · ‎06-10-2011

I have a linux web server (Ubuntu 10.04 x64) that I would like to forward apache log data from. I have installed the universal forwarder. How do I configure it to forward log data to my splunk server?

If this is well documented, I apologize. I'm having difficulty finding this info.

Thanks.

twinspop · ‎06-10-2011

Minimally, in /opt/splunkforwarder/etc/system/local

outputs.conf:

[tcpout:somelabel]
server=192.168.0.1:9997

inputs.conf:

[monitor:///path/yo/your/access_log]
sourcetype = access_log

On the receiving end, you'll need to activate a corresponding receiving port under Management -> Forwrding/Receiving. (In this case, and by default, 9997.)

lguinn2 · ‎06-10-2011

You can use a wild card, and that's better than a separate monitor stanza for each file. If you need something more sophisticated, you can add either a whitelist or a blacklist to the spec.

There is a new manual called "Getting Data In." Start here (http://www.splunk.com/base/Documentation/latest/Data/Configureyourinputs#Edit_inputs.conf) in the manual for help with inputs.conf

compsavvystu · ‎06-10-2011

for the monitor, can I specify a wildcard in the access_log path (like /path/to/*.log, or does a separate [monitor] line need to be specified for each access_log?

Configuring Apache log data forwarding

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation