Solved: Re: Proper input.conf setup - Apache Tomcat

scott778 · ‎05-12-2014

Hello,

I'm trying to find out why only one sourcetype (the last one) is being monitored. Could someone please tell me how to configure input.conf? I'd like to capture some apache/tomcat logs and set different sourcetypes. When I let splunk automatically set sourcetypes it appends the dates to the sourcetype field.

[default]
host = NDV-MWWEB01

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = catalina.*
sourcetype = catalina

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = localhost.(.*)
sourcetype = localhostApache

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = localhost_(.*)
sourcetype = localhostApacheAccess

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = tomcat7.0.42-stderr(.*)
sourcetype = stderrApache

[monitor://C:\Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs]
disabled = false
index = test
whitelist = tomcat7.0.42-stdout(.*)
sourcetype = stdoutApache

somesoni2 · ‎05-12-2014

Move your whilelist filter to monitor stanza. Splunk expects only one monitor stanza per path (and you're putting 5 with same monitoring path). Change your monitoring stanza like this

[default] 
host = NDV-MWWEB01

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\catalina.*] 
disabled = false 
index = test 
sourcetype = catalina

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\localhost.*] 
disabled = false 
index = test 
sourcetype = localhostApache

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\localhost_*] 
disabled = false 
index = test 
sourcetype = localhostApacheAccess

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\tomcat7.0.42-stderr*] 
disabled = false 
index = test 
sourcetype = stderrApache

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\tomcat7.0.42-stdout*] 
disabled = false 
index = test 
sourcetype = stdoutApache

View solution in original post

somesoni2 · ‎05-12-2014

Move your whilelist filter to monitor stanza. Splunk expects only one monitor stanza per path (and you're putting 5 with same monitoring path). Change your monitoring stanza like this

[default] 
host = NDV-MWWEB01

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\catalina.*] 
disabled = false 
index = test 
sourcetype = catalina

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\localhost.*] 
disabled = false 
index = test 
sourcetype = localhostApache

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\localhost_*] 
disabled = false 
index = test 
sourcetype = localhostApacheAccess

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\tomcat7.0.42-stderr*] 
disabled = false 
index = test 
sourcetype = stderrApache

[monitor://C:Program Files\Apache Software Foundation\Tomcat 7.0_Tomcat7.0.42\logs\tomcat7.0.42-stdout*] 
disabled = false 
index = test 
sourcetype = stdoutApache

scott778 · ‎05-13-2014

Thank you very much, this did the trick.

Proper input.conf setup - Apache Tomcat

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!