Getting Data In

Why am I unable to monitor Apache logs with my current configuration?

wweiland
Contributor

Hi,

I'm trying to monitor some Apache logs and I can't seem to get the statement correct.

I'm trying to monitor "access_log.*" , "error_log.*" , access_log, error_log, and the gzs to go with them.

[monitor:///var/log/httpd]
whitelist=(\_log*$|\.log$|\_log*\.gz$)
blacklist= (mod\_jk\.log$|\.gz|catalina\.out$)
recursive = true
sourcetype=access_combined
disabled = 0
index = unix

Can someone point out my error?

0 Karma
1 Solution

wweiland
Contributor

There was a blacklist in another app that was finding its' way into this stanza.

View solution in original post

0 Karma

wweiland
Contributor

There was a blacklist in another app that was finding its' way into this stanza.

View solution in original post

0 Karma

somesoni2
Revered Legend

I would try like this

[monitor:///var/log/httpd]
 whitelist=(_log*$|\.log$|_log*\.gz$)
 recursive = true
 sourcetype=access_combined
 disabled = 0
 index = unix

Updated

[monitor:///var/log/httpd]
 whitelist=(access_log|error_log)
 recursive = true
 sourcetype=access_combined
 disabled = 0
 index = unix
0 Karma

wweiland
Contributor

No joy.

[monitor:///var/log/httpd]
_rcvbuf = 1572864
dedicatedIoThreads = 2
disabled = 0
enableSSL = 1
host = myhost
ignoreOlderThan = 14d
index = unix
maxSockets = 0
maxThreads = 0
port = 8088
recursive = true
sourcetype = access_combined
useDeploymentServer = 0
whitelist = (_log*$|\.log$|_log*\.gz$)
0 Karma

somesoni2
Revered Legend

Make sure to restart your forwarder (the whitelist isnot updated in btool output)

0 Karma

wweiland
Contributor

Still no joy. I've opened a ticket w/ Splunk and will hopefully post a fix in this thread.

0 Karma

wweiland
Contributor

That didn't work.

pwd
/var/log/httpd

-rw-r----- 1 root root 3122398 Feb 12 14:48 access_log.abcd

I have many files.abcd with different extensions.

/opt/splunkforwarder/bin/splunk list monitor

Monitored Files:
$SPLUNK_HOME/etc/splunk.version
/var/log
/var/log/clamav
/var/log/httpd

0 Karma

somesoni2
Revered Legend

Give the updated one a try.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!