Splunk® Supported Add-ons

Splunk Add-on for HAProxy


Configure inputs for the Splunk Add-on for HAProxy

There are two ways to capture the syslog data from HAProxy.

1. Create a file monitor input to monitor the syslog file generated by the HAProxy server or to monitor the files on a syslog aggregator.

2. Create a TCP or UDP input to capture the data sent on the port you have configured in HAProxy.

Note: For information about timestamp processing options for syslog events, see Syslog and timestamps in Splunk Add-ons.

Monitor input

To configure the Splunk platform to monitor the syslog file generated by the HAProxy server, you can use either Splunk Web to create the monitor input or configure inputs.conf directly. If you use a syslog aggregator, you can create a file monitor input to monitor the files generated by the aggregator.

Configure monitoring through Splunk Web

Configure a file monitoring input on your data collection node for the HAProxy syslog file.

  1. Log in to Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the syslog file generated by the HAProxy server (for example, /var/log/haproxy.log) and click Next.
  6. On the Input Settings page, next to Source type, click Select. In the Select Source Type dropdown, select Network & Security, then one of the following depending on your HAProxy syslog configuration:
    • haproxy:splunk:http
    • haproxy:http
    • haproxy:tcp
    • haproxy:clf:http
    • haproxy:default
  7. Click Review.
  8. After you review the information, click Submit.

Configure inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

  1. Using a text editor, create a file named inputs.conf in the local folder of the add-on:
    • $SPLUNK_HOME/etc/apps/Splunk_TA_haproxy/local on Unix-based systems.
    • %SPLUNK_HOME%\etc\apps\Splunk_TA_haproxy\local on Windows systems.
  2. Add the following stanza and lines, replacing <path> with the actual path to the syslog file (for example, /var/log/haproxy.log) and replacing <log format> with the format you specified in the HAProxy configuration, either splunk:http, tcp, http, clf:http or default.
      [monitor://<path>]
      sourcetype=haproxy:<log format>
      disabled = 0

  3. Save the file.
  4. Restart the Splunk platform in order for the new input to take effect.

TCP/UDP input

On the Splunk platform node handling data collection, configure the TCP/UDP input to match your configuration in HAProxy and set your source type to haproxy:splunk:http, haproxy:tcp, haproxy:http, haproxy:clf:http or haproxy:default, depending on your HAProxy syslog configuration. The CIM mapping and dashboard panels depend on this source type.

For information on how to configure a Splunk forwarder or single-instance deployment to receive a syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.

Validate data collection

After you configure the input, run this search to check that you are ingesting the expected data:

    sourcetype=haproxy:*
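
A check you can run on inputs.conf before restarting, as an added example that is not part of the original documentation or the add-on: it flags monitor, TCP and UDP stanzas whose sourcetype is not one of the five values listed on this page, because the CIM mapping depends on them. The function name check_inputs and the sample paths and ports are assumptions, and Python's configparser only approximates how Splunk parses .conf files.

```python
import configparser

# Source types this page lists; the add-on's CIM mapping depends on them.
VALID_SOURCETYPES = {
    "haproxy:splunk:http", "haproxy:http", "haproxy:tcp",
    "haproxy:clf:http", "haproxy:default",
}
INPUT_PREFIXES = ("monitor://", "tcp://", "udp://")

def check_inputs(conf_text):
    """Return (stanza, problem) pairs for the input stanzas in conf_text."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        if not stanza.startswith(INPUT_PREFIXES):
            continue  # not a monitor, TCP or UDP input
        if "<" in stanza:
            findings.append((stanza, "placeholder left in stanza name"))
        sourcetype = parser.get(stanza, "sourcetype", fallback=None)
        if sourcetype is None:
            findings.append((stanza, "no sourcetype set"))
        elif sourcetype not in VALID_SOURCETYPES:
            findings.append((stanza, f"unexpected sourcetype {sourcetype!r}"))
        if parser.get(stanza, "disabled", fallback="0").lower() in ("1", "true"):
            findings.append((stanza, "input is disabled"))
    return findings

# Constructed sample (hypothetical paths and ports), not from a real deployment.
SAMPLE = """\
[monitor:///var/log/haproxy.log]
sourcetype = haproxy:http
disabled = 0

[udp://514]
sourcetype = syslog

[tcp://1514]
sourcetype = haproxy:<log format>

[monitor:///var/log/haproxy-tcp.log]
sourcetype = haproxy:tcp
disabled = 1
"""

if __name__ == "__main__":
    for stanza, problem in check_inputs(SAMPLE):
        print(f"{stanza}: {problem}")
```

An input that passes this check can still carry the wrong one of the five source types for the log format HAProxy actually emits, so the search above remains the final confirmation.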

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released