Configure Splunk recommended fields in Splunk add-on for Tomcat
Splunk best practice is to use the tomcat:access:splunk:log source type so that access logs are CIM-compliant.
To use this source type, follow these steps: first disable the Tomcat add-on inputs listed below, then change the access log valve configuration in server.xml.
- Disable the file monitor input for the tomcat:access:log source type: Settings > Data Inputs > Files & directories > input for the tomcat:access:log source type > Disable.
- Disable the dumpAllThreads input: Settings > Data Inputs > Splunk Add-on for Tomcat > dumpAllThreads > Disable.
- Open back-end access to your Tomcat server.
- Stop the Tomcat server.
- Navigate to $CATALINA_HOME/conf/ and open server.xml in a text editor.
- Search for the line containing org.apache.catalina.valves.AccessLogValve in the file.
- Update the prefix and pattern keys of that Valve element as below. Because the pattern sits inside a double-quoted XML attribute, the inner double quotes must be written as &quot;; a literal " inside the attribute leaves server.xml malformed and Tomcat will not start:

  <Valve className="org.apache.catalina.valves.AccessLogValve"
         prefix="localhost_access_log_splunk" suffix=".txt"
         pattern="%t, x_forwarded_for=&quot;%{X-Forwarded-For}i&quot;, remote_ip=&quot;%a&quot;, remote_host=&quot;%h&quot;, server=&quot;%v&quot;, server_port=%p, user=&quot;%u&quot;, http_method=%m, uri_path=&quot;%U&quot;, uri_query=&quot;%q&quot;, status=%s, bytes_sent=%b, response_time=%F, http_content_type=&quot;%{Content-Type}o&quot;, http_user_agent=&quot;%{User-Agent}i&quot;, http_referrer=&quot;%{Referer}i&quot;, url=&quot;%{Host}i%U%q&quot;" />

- Save the server.xml file.
- Start the Tomcat server.
- Reconfigure the add-on and select the checkbox for "Enable data collection from Tomcat log files".
- Enable the dumpAllThreads input again.
Optionally, you can configure the Tomcat server to authenticate users, since the tomcat:access:splunk:log source type supports mapping of the user field (the %u value in the pattern above). Follow the steps in the Tomcat documentation for configuring authentication.
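To see why the pattern quotes the fields that can contain commas and spaces (user agent, referrer, URL) and why the new source type maps cleanly onto the CIM Web data model, the following added example (not part of the Splunk documentation or the add-on) parses one log line in the shape that the pattern above produces and maps it to CIM field names. The sample line is constructed, and the CIM mapping is an illustrative assumption, not the add-on's own props.conf extraction.

```python
import re
from datetime import datetime

# Constructed sample line in the shape the AccessLogValve pattern above emits;
# it is not captured from a real server. "-" is what Tomcat prints for an
# absent header, an anonymous user, or a zero-byte response (%b).
SAMPLE_LINE = (
    '[10/Mar/2024:14:22:31 +0000], x_forwarded_for="-", remote_ip="10.0.0.5", '
    'remote_host="10.0.0.5", server="app.example.test", server_port=8443, '
    'user="alice", http_method=GET, uri_path="/api/items", uri_query="?id=42", '
    'status=200, bytes_sent=512, response_time=17, '
    'http_content_type="application/json", '
    'http_user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36", '
    'http_referrer="-", url="app.example.test/api/items?id=42"'
)

# %t comes first as a bracketed timestamp; the rest is key=value pairs. A quoted
# value is matched as one unit so commas and spaces inside it are kept.
# Assumes values never contain a literal double quote.
TS_RE = re.compile(r'^\[([^\]]+)\],\s*(.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse_access_line(line):
    """Split one tomcat:access:splunk:log line into a dict of raw fields."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("line does not start with a bracketed %t timestamp")
    fields = {"timestamp": datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")}
    for key, quoted, bare in KV_RE.findall(m.group(2)):
        value = quoted if quoted else bare
        fields[key] = None if value == "-" else value  # "-" means not present
    return fields

def to_cim_web(fields):
    """Map raw fields onto CIM Web data model names (assumed mapping)."""
    return {
        # prefer the proxy-supplied client address when X-Forwarded-For is set
        "src": fields.get("x_forwarded_for") or fields.get("remote_ip"),
        "dest": fields.get("server"),
        "dest_port": int(fields["server_port"]),
        "user": fields.get("user"),
        "http_method": fields.get("http_method"),
        "uri_path": fields.get("uri_path"),
        "uri_query": (fields.get("uri_query") or "").lstrip("?") or None,
        "status": int(fields["status"]),
        "bytes_out": int(fields.get("bytes_sent") or 0),  # %b prints "-" for 0
        "response_time": int(fields["response_time"]),
        "http_user_agent": fields.get("http_user_agent"),
        "http_referrer": fields.get("http_referrer"),
        "url": fields.get("url"),
    }
```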
This documentation applies to the following versions of Splunk® Supported Add-ons: released