
How to configure Splunk to monitor Apache web server

vahabudeen
New Member

Hi all
I have installed the Splunk Enterprise trial on a Windows 7 machine to collect logs from my Apache server, and also installed the Splunk universal forwarder on my Apache server (CentOS 6). How do I configure these two to monitor my Apache web server?

Here is what I have done ... though it doesn't help
outputs.conf

[tcpout:Apache]
server=ApacheserevrIP:9997

inputs.conf

[monitor:/var/log/httpd/access_log]
sourcetype = access_log

Please direct me to the correct solution

Thanks in advance


MuS
SplunkTrust

Hi vahabudeen,

First, check your inputs.conf; it should be like this:

[monitor:///var/log/httpd/access_log]

You missed some slashes there. Next, have you enabled receiving on your indexer? See the docs: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Enableareceiver. Last but not least, make sure the forwarder is able to reach / communicate with the indexer on that port (firewalls, routing, ...).

hope this helps ...

cheers, MuS
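
The missing-slashes problem pointed out in this answer, as an added example that is not part of the original thread: a small shell lint for a forwarder's inputs.conf. The function names and the sample input are constructed for illustration, and the check assumes a Unix forwarder where monitored paths are absolute or start with a variable such as $SPLUNK_HOME.

```shell
#!/bin/sh
# Added example: flag malformed [monitor:...] stanza headers in inputs.conf.

CR=$(printf '\r')

# Reads an inputs.conf on stdin. Prints each malformed monitor stanza header
# with its line number; exit status is 0 if all are well-formed, 1 otherwise.
lint_monitor_stanzas() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%"$CR"}            # tolerate files saved with CRLF endings
        case $line in
            "[monitor:"*"]") ;;       # only monitor stanza headers are checked
            *) continue ;;
        esac
        target=${line#"[monitor:"}
        target=${target%"]"}
        case $target in
            ///* | //\$*) ;;          # monitor:// + /abs/path or $VARIABLE path
            *)  echo "line $n: $line (expected [monitor://<absolute path>])"
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the stanza from the question, the corrected stanza from
# the answer, and a stanza whose path starts with a variable.
sample_inputs() {
cat <<'EOF'
[monitor:/var/log/httpd/access_log]
sourcetype = access_log

[monitor:///var/log/httpd/access_log]
sourcetype = access_log

[monitor://$SPLUNK_HOME/var/log/splunk]
EOF
}

sample_inputs | lint_monitor_stanzas ||
    echo "fix the stanzas listed above, then restart the forwarder"
```

To check a real file, redirect it into the function, for example `lint_monitor_stanzas < inputs.conf`.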


vahabudeen
New Member

Thanks MuS
Thanks for your response. I have modified inputs.conf based on your answer. I have enabled the listening port for 9997. Then? I am really new to Splunk, and those links are really confusing me. Please direct me to the steps where I can accomplish this with only the few required steps. I apologize if I have done anything wrong.

Thanks in advance


MuS
SplunkTrust

Your step-by-step instruction is http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial. Part 3 and Part 4 are essential, especially to new users.

But as a small hint, search the index=main or sourcetype=access_logs on your indexer.


vahabudeen
New Member

After configuring the universal forwarder to send logs to the Splunk manager, how can I verify whether they are received or not?
Only then would I be able to move on to the "add data" and dashboard steps, isn't it?


MuS
SplunkTrust

On your indexer, check the index=_internal and/or fire this command on your forwarder:

$SPLUNK_HOME/bin/splunk list forward-server

No need to add data because you already receive your logs from the forwarder; this would only be needed if you really want to add something else.

Open the search app and search for your events by running a basic first search like index=* sourcetype=access_logs and run it over all time to verify events are getting in. Next step would be to create a useful search and some fancy dashboard that fits your needs.
