Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help with Apache log format filtering. I want to be able to filter on the first item (remote hostname) to weedout..

SamHTexas
Builder
‎09-07-2021 02:25 PM

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

 

From ? Here is how those fields break down:

%h

Remote hostname (i.e., who's asking?)

%l

Remote logname (if defined)

%u

Remote user (if authenticated)

%t

Time request was received

%r

first line of the request

%>s

Final status (200, 404, etc)

%b

Size of the response in bytes

%{Referer}

How did this user get here?

%{User-Agent}

What browser is the user using?

so that we can I want to be able to filter on the first item (remote hostname) so I can weed out known scanners, but every time I try to do something with that field it gets deleted.

 

Can I translate the Apache log format into something splunk can handle?

Thank u a million in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-07-2021 03:09 PM

Hi. What I did for Apache log was to use the CustomLog

Specify the fields that you want the data to be extracted into

remotehost=%h     status=%b ..

And then when your logs get ingested the fields named remotehost, status etc will have the values already. You don't have to worry about positional or extractions etc. The keyword=value pairs will get extracted by Splunk.

 

 

Reply

SamHTexas
Builder
‎09-07-2021 08:02 PM

I appreciate your response. Would you point me to where I learn further about custom logs usage in Splunk when you can please. Meanwhile I will look further in Splunk.com, Thank u very much again for your time.

Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-08-2021 10:13 AM

https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#customlog

So you have to change the configs on Apache. The above has an example

# CustomLog with explicit format string
CustomLog "logs/access_log" "%h %l %u %t \"%r\" %>s %b"

 Instead you would have something like

CustomLog "logs/access_log" "%{%Y-%m-%d %H:%M:%S %z}t %{%z}t" remotehost=%h status=%b"

And then your access log would just have the date at the start of the event. The date would include the timezone (always include that) followed by remotehost=<hostname> status=<status value>

0 Karma
Reply

SamHTexas
Builder
‎09-08-2021 11:52 AM

I thank u again. Are these config changes done by the Apache team or the Splunk team? I appreciate your time.

Tags (1)
0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎09-14-2021 01:11 PM

Hi. These are changes for Apache so would be done by the Apache team.

You are configuring Apache to change the log formatting. 

The Apache team makes the configuration changes, restart Apache and then the logs are in a different/better format.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...