Hi,
Running both the Splunk server and Splunkforwarder on v6.0.2.
Both machines (web server and Splunk server) have their FW off.
After a "netstat -a" on both machines, I can see that there is a TCP connection established between my web server (port TCP 56xxx) and my Splunk server (port TCP 9997).
My inputs.conf is:
[monitor:///var/log/apache2/modsec_audit.log]
disabled = false
host = name_of_my_server
index = main
sourcetype = modsec_audit
On my Splunk server, when going to Search & Reporting / Search / Data Summary, I only see one source (udp:514 -> my firewall), nothing else.
Under hosts, I can see only my firewall .....
If I add one of my apache2 logs to my inputs.conf, for example access.log, it works like a charm ...
But not for my ModSecurity log file .....
Any ideas?
Thx
Hi,
WORKING !!!
I had to declare in "/opt/splunkforwarder/etc/system/default/props.conf":
[modsec_audit]
CHARSET = AUTO
NO_BINARY_CHECK = true
And in modsecurity.conf, I had to change this:
SecAuditLogType Concurrent (instead of Serial)
Thx martin for your help.
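The two props.conf settings above (CHARSET = AUTO, NO_BINARY_CHECK = true) tell the forwarder to index the file even if its content does not look like plain text. Before overriding a binary check it is worth confirming that the audit log really does carry non-text bytes, and in which part of which transaction. The script below is an added example and not code from the thread or from Splunk or ModSecurity: it parses the standard ModSecurity serial audit log layout (each transaction is a run of parts delimited by "--<id>-<LETTER>--" boundaries, A through Z) and reports parts containing NUL bytes or invalid UTF-8. That heuristic is an assumption chosen for illustration, not Splunk's own binary-detection algorithm, and the sample log embedded in it is constructed.

```python
"""Scan a ModSecurity serial audit log for parts that a text-only indexer
may classify as binary.

Added example, not from the original thread. Parses the ModSecurity 2.x serial
audit-log format (parts A..Z per transaction). The binary heuristic below
(NUL byte or undecodable UTF-8) is an assumption for illustration only; it is
not the algorithm Splunk applies.
"""
import re
import sys

# A part boundary looks like "--1a2b3c4d-A--" and sits alone on a line.
BOUNDARY = re.compile(rb"^--([0-9a-fA-F]+)-([A-Z])--\r?$", re.M)


def is_texty(chunk: bytes) -> bool:
    """Heuristic (assumption): text has no NUL byte and decodes as UTF-8."""
    if b"\x00" in chunk:
        return False
    try:
        chunk.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def parse_serial_audit_log(data: bytes) -> list:
    """Split a serial audit log into [{"id": txn_id, "parts": {letter: bytes}}].

    Consecutive boundaries sharing one transaction id belong to one
    transaction; part Z is the terminator and carries no content.
    """
    transactions = []
    current_id, parts = None, {}
    matches = list(BOUNDARY.finditer(data))
    for i, m in enumerate(matches):
        txn_id, letter = m.group(1).decode(), m.group(2).decode()
        if txn_id != current_id:
            if parts:
                transactions.append({"id": current_id, "parts": parts})
            current_id, parts = txn_id, {}
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(data)
        if letter != "Z":
            parts[letter] = data[start:end].strip(b"\r\n")
    if parts:
        transactions.append({"id": current_id, "parts": parts})
    return transactions


def find_binary_parts(data: bytes) -> dict:
    """Return {transaction id: [part letters whose content is not text]}."""
    report = {}
    for txn in parse_serial_audit_log(data):
        bad = sorted(l for l, body in txn["parts"].items() if not is_texty(body))
        if bad:
            report[txn["id"]] = bad
    return report


# Constructed sample: a plain GET, then a POST whose request body (part C)
# is the start of a PNG upload and therefore contains raw binary bytes.
SAMPLE_LOG = (
    b"--1a2b3c4d-A--\n"
    b"[28/Mar/2014:19:42:32 +0100] UxWlIH8AAQEAAFQ9WgsAAAAA 203.0.113.10 51234 198.51.100.5 80\n"
    b"--1a2b3c4d-B--\n"
    b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n"
    b"--1a2b3c4d-F--\n"
    b"HTTP/1.1 200 OK\nContent-Type: text/html\n\n"
    b"--1a2b3c4d-H--\n"
    b"Stopwatch: 1396032152000000 1200 (- - -)\n"
    b"--1a2b3c4d-Z--\n\n"
    b"--5e6f7a8b-A--\n"
    b"[28/Mar/2014:19:42:33 +0100] UxWlIX8AAQEAAFQ9WgwAAAAB 203.0.113.10 51235 198.51.100.5 80\n"
    b"--5e6f7a8b-B--\n"
    b"POST /upload HTTP/1.1\nHost: www.example.com\nContent-Type: application/octet-stream\n\n"
    b"--5e6f7a8b-C--\n"
    b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\xff\xfe\x00\x00"
    b"\n--5e6f7a8b-F--\n"
    b"HTTP/1.1 403 Forbidden\n\n"
    b"--5e6f7a8b-H--\n"
    b"Message: Access denied with code 403 (phase 2). Rule matched at REQUEST_BODY.\n"
    b"--5e6f7a8b-Z--\n"
)


if __name__ == "__main__":
    # Usage: python3 scan_modsec_audit.py /var/log/apache2/modsec_audit.log
    # Without an argument the constructed sample above is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for txn_id, letters in find_binary_parts(data).items():
        print(f"{txn_id}: non-text content in part(s) {', '.join(letters)}")
```

Run it against the real modsec_audit.log on the web server: a report listing transactions with non-text parts (typically C or E, the request and response bodies) is the evidence that justifies NO_BINARY_CHECK = true and CHARSET = AUTO for that sourcetype; an empty report means the indexing problem is elsewhere and the inputstatus endpoint on the forwarder is the next thing to check.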
There is no Python interpreter included with Splunkforwarder ... and I cannot use the one provided with the system.
No, not on the server .... I understood between the lines to do it on the forwarder 🙂
I'm doing it now.
Is that on the forwarder?
For full status, visit:
https://127.0.0.1:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Updated: Fri Mar 28 19:42:32 2014 (took 0.0 sec)
Have seen 2 dirs. (+0)
Finished with 19 tracked files. (+0)
Currently reading 4 files.
some open files (showing up to 5):
/opt/splunk/var/log/splunk/audit.log (100%)
/opt/splunk/var/log/splunk/web_access.log (100%)
/opt/splunk/var/log/splunk/metrics.log (100%)
/opt/splunk/var/log/splunk/splunkd_access.log (100%)
Ignoring 0 items.
Hum ....
Check the input's status on the forwarder: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/