Getting Data In

modsecurity / Source doesn't show up

thierryit
Path Finder

Hi,

Running both Splunk server and Splunkforwarder on V6.0.2.
Both machines (web server and Splunk server) have their firewalls off.
After a "netstat -a" on both machines, I can see that there is a TCP connection established between my web server (port TCP 56xxx) and my Splunk server (port TCP 9997).
My inputs.conf is:

[monitor:///var/log/apache2/modsec_audit.log]
disabled = false
host = name_of_my_server
index = main
sourcetype = modsec_audit

On my Splunk server, when going to Search & Reporting/Search/Data Summary, I only see one source (udp:514 -> my firewall), nothing else.
On hosts, I can see only my firewall .....

If I add one of my apache2 logs to my inputs.conf, for example access.log, it works like a charm ...
But not for my modsecurity log file .....

Any ideas ?

Thx

0 Karma
1 Solution

thierryit
Path Finder

Hi,

WORKING !!!

I had to declare this in "/opt/splunkforwarder/etc/system/default/props.conf":

[modsec_audit]
CHARSET = AUTO
NO_BINARY_CHECK = true

And in modsecurity.conf, I had to change this:
SecAuditLogType Concurrent (instead of Serial)

Thx martin for your help.


0 Karma
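The fix above works around Splunk's binary-file check on the Serial audit log. As an added example (not from the thread or from Splunk/ModSecurity), the script below splits a ModSecurity Serial audit log into transactions by its `--<boundary>-<part>--` markers and flags transactions whose parts contain NUL or non-UTF-8 bytes, which is the kind of content that makes a shipper treat the whole file as binary. The sample log, boundary ids and addresses are constructed.

```python
import re

# Constructed sample: two transactions in ModSecurity "Serial" audit-log layout.
# The second one carries a binary upload body in part C (hypothetical data).
SAMPLE = (
    b"--7b3c5e1a-A--\n"
    b"[28/Mar/2014:19:42:32 +0100] UxXfG38AAQEAAFRs@rAAAAAC 192.0.2.10 54321 192.0.2.1 80\n"
    b"--7b3c5e1a-B--\n"
    b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n"
    b"--7b3c5e1a-H--\n"
    b"Message: Access denied with code 403 (phase 2). Pattern match ...\n"
    b"--7b3c5e1a-Z--\n\n"
    b"--9d2f4a6b-A--\n"
    b"[28/Mar/2014:19:43:01 +0100] UxXfHn8AAQEAAFRt@rAAAAAD 198.51.100.7 40022 192.0.2.1 80\n"
    b"--9d2f4a6b-C--\n"
    b"file=\x00\x89PNG\r\n\x1a\n\xff\xfe binary upload body\n"
    b"--9d2f4a6b-Z--\n"
)

# One marker per line: "--<8 hex chars>-<part letter>--"
PART_RE = re.compile(rb"^--([0-9a-f]+)-([A-Z])--$", re.MULTILINE)


def split_transactions(data):
    """Return a list of dicts (part letter -> raw bytes), one per boundary, in file order."""
    txns, order = {}, []
    markers = list(PART_RE.finditer(data))
    for i, m in enumerate(markers):
        boundary, part = m.group(1).decode(), m.group(2).decode()
        end = markers[i + 1].start() if i + 1 < len(markers) else len(data)
        if boundary not in txns:
            txns[boundary] = {}
            order.append(boundary)
        txns[boundary][part] = data[m.end():end].strip(b"\n")
    return [txns[b] for b in order]


def looks_binary(chunk):
    """Shipper-style heuristic: a NUL byte or invalid UTF-8 marks the chunk as binary."""
    if b"\x00" in chunk:
        return True
    try:
        chunk.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def audit_log_report(data):
    """Summarise each transaction: unique id, client IP, parts present, binary flag."""
    report = []
    for txn in split_transactions(data):
        a = txn.get("A", b"").split()  # [timestamp, tz], unique id, client IP, client port, ...
        report.append({
            "id": a[2].decode() if len(a) > 2 else "",
            "client": a[3].decode() if len(a) > 3 else "",
            "parts": "".join(sorted(txn)),
            "binary": any(looks_binary(v) for v in txn.values()),
        })
    return report
```

Running `audit_log_report(SAMPLE)` shows the second transaction as binary; with Concurrent logging each transaction becomes its own file, so one such request no longer poisons the single file the forwarder is tailing.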

thierryit
Path Finder

There is no Python interpreter included with Splunkforwarder ... And I cannot use the one provided with the system.

0 Karma

thierryit
Path Finder

No, on the server .... I understood between the lines that I should do it on the forwarder 🙂
I do it now.

0 Karma

martin_mueller
SplunkTrust

Is that on the forwarder?

0 Karma

thierryit
Path Finder

For full status, visit:
https://127.0.0.1:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Updated: Fri Mar 28 19:42:32 2014 (took 0.0 sec)
Have seen 2 dirs. (+0)
Finished with 19 tracked files. (+0)

Currently reading 4 files.
some open files (showing up to 5):
/opt/splunk/var/log/splunk/audit.log (100%)
/opt/splunk/var/log/splunk/web_access.log (100%)
/opt/splunk/var/log/splunk/metrics.log (100%)
/opt/splunk/var/log/splunk/splunkd_access.log (100%)

Ignoring 0 items.

Hum ....

0 Karma

martin_mueller
SplunkTrust

Check the input's status on the forwarder: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma