Splunk® IT Service Intelligence

Modules

This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Web Server Module configurations

Configure the ITSI Web Server Module to connect your web server data to your Splunk platform deployment.

Module entity roles

See the following table to identify the roles that the Web Server Module assigns to entities:

ITSI Module | ITSI Role
ITSI Web Server Module | web_server

Install Supported Technologies

Install your ITSI supported technologies onto your deployment using the reference table below.

Technology Name Installation link Search Heads Indexers Forwarders
Splunk Add-on for Apache Web Server Installation guide x x
Splunk Add-on for Microsoft IIS Installation guide x x

See About installing Splunk add-ons to learn how to install a Splunk add-on in the following deployment scenarios.

Configure the Splunk Add-on for Apache Web Server to collect data and send to your Splunk deployment

Enable entity detection for the Splunk Add-on for Apache Web Server

  1. Create a VirtualHost for each port number that is being listened on.
  2. Add a server name to associate an application with the content being served over that port/vhost.

Example of virtual host:

Listen 80
Listen 81
# ...
Listen 84
# ...
<VirtualHost *:80 *:81>
  ServerName test.box.splunk.com
</VirtualHost>
  
<VirtualHost *:84>
  ServerName another.test.box.splunk.com
</VirtualHost>
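To check an existing httpd.conf against the two entity detection steps above, the following added example (not part of the Splunk documentation or the add-on) reports Listen ports that no VirtualHost covers and VirtualHost blocks that lack a ServerName. The function name `audit_vhosts` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the page's layout plus an uncovered port (8080) and a
# VirtualHost that has no ServerName, to show what the check reports.
SAMPLE_HTTPD_CONF = """\
Listen 80
Listen 81
Listen 84
Listen 8080
<VirtualHost *:80 *:81>
  ServerName test.box.splunk.com
</VirtualHost>
<VirtualHost *:84>
  DocumentRoot /var/www/other
</VirtualHost>
"""

def audit_vhosts(conf_text):
    """Return (Listen ports with no VirtualHost, VirtualHosts with no ServerName)."""
    listen_ports, covered_ports, unnamed = set(), set(), []
    block = None  # [address list, has ServerName] while inside <VirtualHost>
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        listen = re.match(r"(?i)Listen\s+(\S+)", line)
        opened = re.match(r"(?i)<VirtualHost\s+([^>]+)>", line)
        if listen:
            # "80", "192.0.2.1:80" and "[::1]:80" all end in the port number
            listen_ports.add(listen.group(1).rsplit(":", 1)[-1])
        elif opened:
            block = [opened.group(1).split(), False]
        elif block and re.match(r"(?i)ServerName\s+\S+", line):
            block[1] = True
        elif block and re.match(r"(?i)</VirtualHost>", line):
            addresses, named = block
            covered_ports.update(a.rsplit(":", 1)[-1] for a in addresses if ":" in a)
            if not named:
                unnamed.append(" ".join(addresses))
            block = None
    return sorted(listen_ports - covered_ports, key=int), unnamed

if __name__ == "__main__":
    uncovered, unnamed = audit_vhosts(SAMPLE_HTTPD_CONF)
    print("Listen ports without a VirtualHost:", uncovered)
    print("VirtualHosts without a ServerName:", unnamed)
```

The check reads a single file and does not follow Include directives, so run it against each configuration file that defines Listen or VirtualHost entries.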

Configure receipt of data through Splunk web

  1. On Splunk Web, navigate to Settings > Data inputs > Files & directories.
  2. Under Files & directories, select New.
  3. Click Browse and select the access_log and error_log files from the location where your log files are stored for each web server (for example, /var/log/apache2 or /var/log/httpd).
  4. Select the Continuously Monitor button.
  5. Click Next.
  6. Select the apache:access source type.
  7. Click Next.
  8. Click Review.
  9. Verify your settings, and click Submit.
  10. Repeat the above steps to collect apache:error source type data.

Configure receipt of data through your .conf file

  1. Create a new inputs.conf in your local Splunk platform directory.
  2. Add the following stanzas to your local inputs.conf file:
    [monitor:///var/log/httpd/access_log]
    sourcetype=apache:access
    disabled = 0
    
    [monitor:///var/log/httpd/error_log]
    sourcetype=apache:error
    disabled = 0
    
  3. Restart your Splunk platform forwarder.

Learn More about Apache web server configuration

Note: The location of httpd.conf can be different, depending on your deployment platform. See the Apache deployment instructions for more information.

Configure the Splunk Add-on for Microsoft IIS to collect data and send to your Splunk deployment

Install the advanced logging module on your Microsoft IIS server

IIS configuration requires the use of advanced logging. Installation and configuration of the advanced logging module on the target server is needed to collect your data. For more information, see Install advanced logging module on your host server on the IIS website.

Retrieve the advanced log field information from Microsoft IIS

  1. Copy the transforms.conf file from $SPLUNK_HOME/etc/apps/TA-microsoft_iis/default/ to $SPLUNK_HOME/etc/apps/TA-microsoft_iis/local/.
  2. Open the Advanced Logging module in the IIS Manager and click view log files.
  3. Within each log file you want ITSI to ingest, copy the fields you want included in the Web Server access logs. Example:
    #Software: IIS Advanced Logging Module
    #Version 1.0
    #Start-Date: 2016-06-09 20:02:35.773
    #Fields:  sc-win32-status W3WP-PrivateBytes cs-username cs(User-Agent) cs-uri-stem cs-uri-query time-local TimeTakenMS sc-substatus sc-status s-sitename s-ip s-port s-computername RequestsPerSecond cs(Referer) s-proxy cs-version c-protocol cs-method cs(Host) date date-local CPU-Utilization cs(Cookie) s-contentpath c-ip sc-bytes cs-bytes
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" /iisstart.htm - 13:02:35.336 7 0 304 "SITE1"
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" / - 13:02:35.336 9 0 200 "SITE1" 10.141.50.1
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" /iisstart.htm - 13:02:37.323 0 0 304 "SITE1"
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" / - 13:02:37.323 0 0 200 "SITE1" 10.141.50.1
    
  4. Navigate to the transforms.conf file in the $SPLUNK_HOME/etc/apps/TA-microsoft_iis/local/ directory.
  5. Paste all the fields from the advanced log file into the FIELDS setting of the transforms.conf file in your local folder. Example:
    [auto_kv_for_iis_default]
    DELIMS = " "
    FIELDS = sc-win32-status W3WP-PrivateBytes cs-username cs(User-Agent) cs-uri-stem cs-uri-query time-local TimeTakenMS sc-substatus sc-status s-sitename s-ip s-port s-computername RequestsPerSecond cs(Referer) s-proxy cs-version c-protocol cs-method cs(Host) date date-local CPU-Utilization cs(Cookie) s-contentpath c-ip sc-bytes cs-bytes
    
    [iis_action_lookup]
    filename = iis_action_lookup.csv
    
  6. Save and exit.
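Because the fields are matched to values by position, a FIELDS line that no longer matches the `#Fields:` header of the log assigns values to the wrong field names. The following added example (not part of the Splunk documentation or the add-on) compares the two and shows the effect on one row. The function names and sample data are constructed, FIELDS is assumed to be space-separated as in the example above, and the quote-aware row split is for illustration only.

```python
import csv
import re

# Constructed sample: a log header and a stale local transforms.conf whose FIELDS
# order no longer matches it (cs-uri-stem and sc-status are swapped).
SAMPLE_LOG = """\
#Software: IIS Advanced Logging Module
#Fields:  sc-win32-status cs-username cs(User-Agent) cs-uri-stem sc-status c-ip
0 - "Mozilla/5.0 (constructed agent)" /iisstart.htm 304 10.0.0.5
"""
STALE_CONF = """\
[auto_kv_for_iis_default]
DELIMS = " "
FIELDS = sc-win32-status cs-username cs(User-Agent) sc-status cs-uri-stem c-ip
"""

def log_fields(log_text):
    """Field names from the last '#Fields:' header in the log."""
    headers = [l for l in log_text.splitlines() if l.startswith("#Fields:")]
    return headers[-1][len("#Fields:"):].split() if headers else []

def transforms_fields(conf_text, stanza="auto_kv_for_iis_default"):
    """Field names from the space-separated FIELDS setting of one stanza."""
    current = None
    for line in map(str.strip, conf_text.splitlines()):
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
        elif current == stanza and re.match(r"FIELDS\s*=", line):
            return line.split("=", 1)[1].split()
    return []

def first_drift(log_text, conf_text):
    """(index, name in log, name in transforms.conf) at the first mismatch, else None."""
    a, b = log_fields(log_text), transforms_fields(conf_text)
    for i in range(max(len(a), len(b))):
        left = a[i] if i < len(a) else None
        right = b[i] if i < len(b) else None
        if left != right:
            return i, left, right
    return None

def map_row(row, fields):
    """Pair one data row with field names by position, keeping quoted values whole."""
    return dict(zip(fields, next(csv.reader([row], delimiter=" "))))

if __name__ == "__main__":
    print(first_drift(SAMPLE_LOG, STALE_CONF))
    row = SAMPLE_LOG.splitlines()[2]
    print(map_row(row, transforms_fields(STALE_CONF))["sc-status"])
```

Rerun the comparison whenever the logged fields are changed in the Advanced Logging module, since status and client address fields shifted by one position still produce values and can go unnoticed in searches.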

Configure receipt of data through Splunk web

  1. On Splunk Web, navigate to Settings > Data inputs > Files & directories.
  2. Find the location where your log files are stored, and select the log file or the directory containing log files.
  3. Select the Continuously Monitor button.
  4. Click Next.
  5. Click Browse and select the ms:iis:auto sourcetype, and select Next.
  6. Click Review.
  7. Verify your settings, and click Submit.

Configure through your .conf file

  1. Create an inputs.conf file in the $SPLUNK_HOME/etc/apps/TA-microsoft_iis/local/ directory.
  2. Inside the inputs.conf file, create a file input monitor with the following information:
    [monitor://C:\inetpub\logs\AdvancedLogs]
    disabled = false
    sourcetype = ms:iis:auto
    
  3. Save and exit.
  4. Restart your Splunk platform instance.

Verify Data Collection

Verify that the add-ons in your deployment are installed and configured correctly by checking the add-on's indices, sources or source types.

Add-on | Data verification search
Apache Web Server | tag=web tag=inventory tag=activity sourcetype=apache:access OR tag=web tag=inventory tag=activity sourcetype=apache:error
Microsoft IIS | tag=web tag=inventory tag=activity sourcetype=ms:iis:auto OR tag=web tag=inventory tag=activity sourcetype=ms:iis:default

Enable entity discovery

Enable entity discovery for the module to automatically discover entities for which relevant data has been collected. See Enable the automatic entity discovery search.

Learn More

See Installing add-ons in the Splunk Add-ons guide to learn how to install a Splunk add-on in the following deployment scenarios:

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1
