Splunk® Supported Add-ons

Splunk Add-on for NGINX

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure monitor inputs for the Splunk Add-on for NGINX

Install and configure a forwarder on your NGINX server to monitor the access and error log files generated by the NGINX server. You can use either Splunk Web to create the monitor input or configure inputs.conf directly.

Configure monitoring through Splunk Web

If you have access to Splunk Web on your forwarder:

  1. Log in to Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the log file generated by the NGINX server and click Next.
  6. On the Input Settings page, click the Source type drop-down box and then type nginx in the filter field and select one of the following source types depending on your access log format:
    • nginx:plus:access: the predefined combined format
    • nginx:plus:kv: the custom key-value pair format
    • nginx:plus:error: NGINX error log
    • nginx:app:protect: NGINX App Protect Security log
  1. Click Next.
  2. Click Review.
  3. After you review the information, click Submit.
  4. Repeat the above steps if you want to ingest more log files.

After you finish configuring inputs, run one or more of the following searches to check that you are ingesting the data that you expect.

sourcetype=nginx:plus:access

sourcetype=nginx:plus:kv

sourcetype=nginx:plus:error

sourcetype=nginx:app:protect

Configure inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

  1. Using a text editor, create a file named inputs.conf in the local folder of the add-on:
    • $SPLUNK_HOME/etc/apps/Splunk_TA_nginx/local in Unix-based environments.
    • %SPLUNK_HOME%\etc\apps\Splunk_TA_nginx\local in Windows-based environments.
  2. Add the following stanzas that match the log formats you want to collect, replacing <path> with the actual path to the log file.
    • NGINX access log in the predefined combined format
    • [monitor:///<path>]
      disabled = false
      sourcetype = nginx:plus:access
      
    • NGINX access log in the custom key-value pair format
    • [monitor:///<path>]
      disabled = false
      sourcetype = nginx:plus:kv
      
    • NGINX error log
    • [monitor:///<path>]
      disabled = false
      sourcetype = nginx:plus:error
      
    • NGINX App Protect security log
    • [monitor:///<path>]
      disabled = false
      sourcetype = nginx:app:protect
      
  3. Save the file.
  4. Restart the forwarder in order for the new input to take effect.
  5. Run one or more of the following searches to check that you are ingesting the data that you expect.

    sourcetype=nginx:plus:access

    sourcetype=nginx:plus:kv

    sourcetype=nginx:plus:error

    sourcetype=nginx:app:protect

Last modified on 19 December, 2023
PREVIOUS
Configure NGINX logging and monitoring
  NEXT
Configure NGINX status API input

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters