Splunk® Supported Add-ons

Splunk Add-on for Apache Web Server

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure monitor inputs for the Splunk Add-on for Apache Web Server

The Splunk Add-on for Apache Web Server collects data through file monitoring. After installing the add-on, you need to configure the platform to monitor the access and error log file generated by Apache Web Server. You can user either Splunk Web to create the monitor input or edit the inputs.conf directly.

Configure monitoring input through Splunk Web

Configure file monitoring inputs on your data collection node for the Apache Web Server access and error log file.

Configure access log input

Configure file monitoring inputs on your data collection node for the Apache Web Server access log file.

  1. Log into Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the access log file generated by the Apache Web Server and click Next.

    The default location of the access log file may vary from different system, The default location of access log usually is /var/log/apache/access.log or /var/log/apache2/access.log, but your path may differ.

  6. On the Input Settings page, next to Source type, click Select. In the Select Source Type drop-down, select Web, then apache:access:kv or apache:access:json or apache:access:combined, and apache:error, or type these source types in the search field.
  7. Users can select the apache:access:json formatting option only after completing the apache:access:json formatting configuration steps from the Configure log formatting on the Apache Web Server using httpd.conf topic in this manual.

  8. Click Review.
  9. After you review the information, click Submit.

Configure error log inputs

Configure file monitoring inputs on your data collection node for the Apache Web Server error log file.

  1. Log into Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the error log file generated by the Apache Web Server and click Next.

    The default location of the error log file may vary from different system, The default location of error log usually is /var/log/apache/error.log or /var/log/apache2/error.log, but your path may differ. And Apache Web Server may have multiple access logs and error logs, you can add an asterisk wildcard at the end of file name to retreive all log data.

  6. On the Input Settings page, next to Source type, click Select. In the Select Source Type drop-down, select Web, then apache:access:kv or apache:access:json, and apache:error, or type these source types in the search field.
  7. Users can select the apache:access:json formatting option only after completing the apache:access:json formatting configuration steps from the Configure log formatting on the Apache Web Server using httpd.conf topic in this manual.

  8. Click Review.
  9. After you review the information, click Submit.

Configure monitoring input through inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

  1. Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_apache/local folder.
  2. Add the following stanza and lines, replacing <path> with the actual path to access log and error log, and save the file.
    Note: You can add an asterisk wildcard at the end of the file name to retrieve all log data.

    [monitor://<path>]
    sourcetype=apache:error
    disabled = 0
    [monitor://<path>]
    sourcetype=apache:access:kv
    disabled = 0
    
  3. Users can select the apache:access:combined option for the default out-of-the-box events. For the apache:access:json formatting option, users can only select this after completing the apache:access:json formatting configuration steps in enhanced log formatting on the Apache Web Server using httpd.conf.

  4. Restart the Splunk platform for the new input to take effect.
Last modified on 15 June, 2022
PREVIOUS
Configure enhanced log formatting on the Apache Web Server using httpd.conf
  NEXT
Troubleshoot the Splunk Add-on for Apache Web Server

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters