Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help with Apache log format filtering. I want to be able to filter on the first item (remote hostname) to weedout..

SamHTexas
Builder
‎09-07-2021 02:25 PM

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

 

From ? Here is how those fields break down:

%h

Remote hostname (i.e., who's asking?)

%l

Remote logname (if defined)

%u

Remote user (if authenticated)

%t

Time request was received

%r

first line of the request

%>s

Final status (200, 404, etc)

%b

Size of the response in bytes

%{Referer}

How did this user get here?

%{User-Agent}

What browser is the user using?

so that we can I want to be able to filter on the first item (remote hostname) so I can weed out known scanners, but every time I try to do something with that field it gets deleted.

 

Can I translate the Apache log format into something splunk can handle?

Thank u a million in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-07-2021 03:09 PM

Hi. What I did for Apache log was to use the CustomLog

Specify the fields that you want the data to be extracted into

remotehost=%h     status=%b ..

And then when your logs get ingested the fields named remotehost, status etc will have the values already. You don't have to worry about positional or extractions etc. The keyword=value pairs will get extracted by Splunk.

 

 

Reply

SamHTexas
Builder
‎09-07-2021 08:02 PM

I appreciate your response. Would you point me to where I learn further about custom logs usage in Splunk when you can please. Meanwhile I will look further in Splunk.com, Thank u very much again for your time.

Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-08-2021 10:13 AM

https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog

So you have to change the configs on Apache. The above has an example

# CustomLog with explicit format string
CustomLog "logs/access_log" "%h %l %u %t \"%r\" %>s %b"

 Instead you would have something like

CustomLog "logs/access_log" "%{%Y-%m-%d %H:%M:%S %z}t %{%z}t" remotehost=%h status=%b"

And then your access log would just have the date at the start of the event. The date would include the timezone (always include that) followed by remotehost=<hostname> status=<status value>

0 Karma
Reply

SamHTexas
Builder
‎09-08-2021 11:52 AM

I thank u again. Are these config changes done by the Apache team or the Splunk team? I appreciate your time.

Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-14-2021 01:11 PM

Hi. These are changes for Apache so would be done by the Apache team.

You are configuring Apache to change the log formatting. 

The Apache team makes the configuration changes, restart Apache and then the logs are in a different/better format.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...