Getting Data In

Configuring Apache log data forwarding

Engager

I have a linux web server (Ubuntu 10.04 x64) that I would like to forward apache log data from. I have installed the universal forwarder. How do I configure it to forward log data to my splunk server?

If this is well documented, I apologize. I'm having difficulty finding this info.

Thanks.

Influencer

Minimally, in /opt/splunkforwarder/etc/system/local

outputs.conf:

[tcpout:somelabel]
server=192.168.0.1:9997

inputs.conf:

[monitor:///path/yo/your/access_log]
sourcetype = access_log

On the receiving end, you'll need to activate a corresponding receiving port under Management -> Forwrding/Receiving. (In this case, and by default, 9997.)

Legend

You can use a wild card, and that's better than a separate monitor stanza for each file. If you need something more sophisticated, you can add either a whitelist or a blacklist to the spec.

There is a new manual called "Getting Data In." Start here (http://www.splunk.com/base/Documentation/latest/Data/Configureyourinputs#Edit_inputs.conf) in the manual for help with inputs.conf

0 Karma

Engager

for the monitor, can I specify a wildcard in the accesslog path (like /path/to/*.log, or does a separate [monitor] line need to be specified for each accesslog?

0 Karma