Splunk® Supported Add-ons

Splunk Add-on for Apache Web Server

Configure the Apache Web Server to send logs to Splunk Add-on for Apache Web Server

To make sure that all the required fields are present in the Apache access_log, customize the log format in the Apache httpd.conf file.

1. Open httpd.conf in the Apache Web Server installation folder: $APACHE_HOME/etc/apache/httpd.conf

Note: The default location of httpd.conf can differ between platforms.

2. Look for the statement <IfModule log_config_module>, and replace the whole block with the following stanza.

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %v %l %u %{local}p %t \"%r\" \"%q\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O %D" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    # CustomLog "logs/access_log" common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>

3. Restart Apache Web Server.

If the log format in Apache Web Server is configured correctly, the log entries look like this:

###SRC_IP### ###SITE### - ###USER### 80 [03/May/2016:12:59:05 -0700] "GET /server-status?auto HTTP/1.1" "?auto" 200 871 "-" "###USER_AGENT###" 146 1024 1253
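
To confirm that Apache is writing the customized format after the restart, the access_log lines can be checked against the field order of the "combined" LogFormat above. The following Python sketch is an added example, not part of the add-on or of the original documentation; the group names (src, site, duration_us and so on) are chosen for this example and are not the add-on's field names, and the second sample line is constructed.

```python
import re
from datetime import datetime

def _q(name):
    # Quoted field; Apache writes an embedded double quote as \"
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# Field order mirrors the "combined" LogFormat from step 2:
# %h %v %l %u %{local}p %t "%r" "%q" %>s %b "%{Referer}i" "%{User-Agent}i" %I %O %D
# Group names are chosen for this example, not the add-on's field names.
CUSTOM_COMBINED = re.compile(
    r'^(?P<src>\S+) (?P<site>\S+) (?P<ident>\S+) (?P<user>\S+) (?P<port>\d+) '
    r'\[(?P<time>[^\]]+)\] ' + _q('request') + ' ' + _q('query') +
    r' (?P<status>\d{3}) (?P<bytes>\d+|-) ' + _q('referer') + ' ' + _q('user_agent') +
    r' (?P<bytes_in>\d+) (?P<bytes_out>\d+) (?P<duration_us>\d+)$'
)

def parse_line(line):
    """Return the fields as a dict, or None if the line is not in the custom format."""
    m = CUSTOM_COMBINED.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    for key in ('port', 'status', 'bytes_in', 'bytes_out', 'duration_us'):
        rec[key] = int(rec[key])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])  # %b logs "-" for 0 bytes
    return rec

def nonconforming(lines):
    """Return 1-based numbers of non-empty lines that lack the custom fields."""
    return [n for n, l in enumerate(lines, 1) if l.strip() and parse_line(l) is None]

# Sample line from this page (placeholders kept as published).
PAGE_SAMPLE = ('###SRC_IP### ###SITE### - ###USER### 80 [03/May/2016:12:59:05 -0700] '
               '"GET /server-status?auto HTTP/1.1" "?auto" 200 871 "-" '
               '"###USER_AGENT###" 146 1024 1253')
# Constructed line in Apache's stock "combined" format: no %v, port, %q, %I, %O or %D.
STOCK_SAMPLE = ('192.0.2.10 - - [03/May/2016:12:59:05 -0700] '
                '"GET / HTTP/1.1" 200 871 "-" "curl/7.47.0"')

if __name__ == '__main__':
    rec = parse_line(PAGE_SAMPLE)
    print(rec['status'], rec['query'], rec['bytes_in'], rec['bytes_out'], rec['duration_us'])
    print('nonconforming lines:', nonconforming([PAGE_SAMPLE, STOCK_SAMPLE]))
```

Any line number that nonconforming() reports points to a log, or a per-<VirtualHost> CustomLog, that is still written in a different format.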

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

Thanks Beatus. The extra space has been deleted

Rwang splunk, Splunker
April 2, 2017

For the logio_module section, there appears to be an extra space in the log format:
"LogFormat "%h %l" between %h and %l.

Beatus
March 29, 2017
