Web Server Module configurations
Configure the ITSI Web Server Module to connect your web server data to your Splunk platform deployment.
Module entity roles
See the below table to identify the roles that the Web Server Module assigns to entities:
ITSI Module | ITSI Role |
---|---|
ITSI Web Server Module | web_server |
Install Supported Technologies
Install your ITSI supported technologies onto your deployment using the reference table below.
Technology Name | Installation link | Search Heads | Indexers | Forwarders |
---|---|---|---|---|
Splunk Add-on for Apache Web Server | Installation guide | x | x | |
Splunk Add-on for Microsoft IIS | Installation guide | x | x | |
See About installing Splunk add-ons to learn how to install a Splunk add-on in the following deployment scenarios.
Configure the Splunk Add-on for Apache Web Server to collect data and send to your Splunk deployment
Enable entity detection for the Splunk Add-on for Apache Web Server
- Create a VirtualHost for each port number that is being listened on, and a
- Add a server name in order to associate an application with the content being served over that port/vhost.
Example of virtual host:
    Listen 80
    Listen 81
    ..
    ..
    Listen 84
    ..
    ..
    <VirtualHost *:80 *:81>
        ServerName test.box.splunk.com
    </VirtualHost>
    <VirtualHost *:84>
        ServerName another.test.box.splunk.com
    </VirtualHost>
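An added example, not part of the Splunk documentation: a Python check that reads an httpd.conf and reports, for each Listen port, the ServerName of the VirtualHost that covers it, or None where one is missing. The sample configuration and the function names are constructed for illustration; it assumes each VirtualHost address carries an explicit port, as in the example above.

```python
import re

# Constructed httpd.conf fragment: port 82 has no VirtualHost at all and the
# *:84 VirtualHost has no ServerName.
SAMPLE_HTTPD_CONF = """
Listen 80
Listen 81
Listen 82
Listen 84
<VirtualHost *:80 *:81>
    ServerName test.box.splunk.com
</VirtualHost>
<VirtualHost *:84>
    DocumentRoot /var/www/other
</VirtualHost>
"""

def port_of(addr):
    """Port from an address such as 80, *:80 or 192.0.2.1:8080; None if absent."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None

def server_names_by_port(conf_text):
    """Map every Listen port to the ServerName of a VirtualHost covering it."""
    listen, names, block_ports = [], {}, None
    for line in map(str.strip, conf_text.splitlines()):
        words = line.split()
        if not words or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+(.+?)>$", line, re.IGNORECASE)
        directive = words[0].lower()
        if opened:
            block_ports = [port_of(a) for a in opened.group(1).split()]
        elif directive == "</virtualhost>":
            block_ports = None
        elif directive == "listen" and block_ports is None and len(words) > 1:
            listen.append(port_of(words[1]))
        elif directive == "servername" and block_ports is not None and len(words) > 1:
            for port in block_ports:
                names.setdefault(port, words[1])
    return {port: names.get(port) for port in listen}

def ports_without_server_name(conf_text):
    """Listen ports for which no ServerName can be resolved."""
    return [p for p, name in server_names_by_port(conf_text).items() if name is None]

if __name__ == "__main__":
    print(server_names_by_port(SAMPLE_HTTPD_CONF))
    print("missing:", ports_without_server_name(SAMPLE_HTTPD_CONF))
```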
Configure receipt of data through Splunk web
- On Splunk web, navigate to Settings > Data inputs > Files & directories.
- Under Files & directories, select New.
- Click Browse and select the access_log and error_log files from the location where your log files are stored for each web server (for example, /var/log/apache2 or /var/log/httpd).
- Select the Continuously Monitor button.
- Click Next.
- Select the apache:access source type.
- Click Next.
- Click Review.
- Verify your settings, and click Submit.
- Repeat the above steps to collect apache:error source type data.
Configure receipt of data through your .conf file
- Create a new inputs.conf in your local Splunk platform directory.
- Add the following stanzas to your local inputs.conf file:
    [monitor:///var/log/httpd/access_log]
    sourcetype=apache:access
    disabled = 0

    [monitor:///var/log/httpd/error_log]
    sourcetype=apache:error
    disabled = 0
- Restart your Splunk platform forwarder.
Learn More about Apache web server configuration
Note: The location of httpd.conf can be different, depending on your deployment platform. See the Apache deployment instructions for more information.
Configure the Splunk Add-on for Microsoft IIS to collect data and send to your Splunk deployment
Install the advanced logging module on your Microsoft IIS server
IIS configuration requires the use of advanced logging. Installation and configuration of the advanced logging module on the target server is needed to collect your data. For more information, see Install advanced logging module on your host server on the IIS website.
Retrieve the advanced log field information from Microsoft IIS
- Copy the transforms.conf file from $SPLUNK_HOME/etc/apps/TA-microsoft_iis/default/ to $SPLUNK_HOME/etc/apps/TA-microsoft_iis/local/.
- Open the Advanced Logging module in the IIS Manager and click view log files.
- Within each log file you want ITSI to ingest, copy the fields you want included in the Web Server access logs.
Example:
    #Software: IIS Advanced Logging Module
    #Version 1.0
    #Start-Date: 2016-06-09 20:02:35.773
    #Fields: sc-win32-status W3WP-PrivateBytes cs-username cs(User-Agent) cs-uri-stem cs-uri-query time-local TimeTakenMS sc-substatus sc-status s-sitename s-ip s-port s-computername RequestsPerSecond cs(Referer) s-proxy cs-version c-protocol cs-method cs(Host) date date-local CPU-Utilization cs(Cookie) s-contentpath c-ip sc-bytes cs-bytes
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" /iisstart.htm - 13:02:35.336 7 0 304 "SITE1"
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" / - 13:02:35.336 9 0 200 "SITE1" 10.141.50.1
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" /iisstart.htm - 13:02:37.323 0 0 304 "SITE1"
    0 - - "Mozilla/5.0 (Macintosh; Intel Mac OS x 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36" / - 13:02:37.323 0 0 200 "SITE1" 10.141.50.1
- Navigate to the transforms.conf file in the $SPLUNK_HOME/etc/apps/TA-microsoft_iis/local/ directory.
- Inside the transforms.conf file, paste all the fields from the advanced log file into the transforms.conf file of your local folder.
Example:
    [auto_kv_for_iis_default]
    DELIMS = " "
    FIELDS = sc-win32-status W3WP-PrivateBytes cs-username cs(User-Agent) cs-uri-stem cs-uri-query time-local TimeTakenMS sc-substatus sc-status s-sitename s-ip s-port s-computername RequestsPerSecond cs(Referer) s-proxy cs-version c-protocol cs-method cs(Host) date date-local CPU-Utilization cs(Cookie) s-contentpath c-ip sc-bytes cs-bytes

    [iis_action_lookup]
    filename = iis_action_lookup.csv
- Save and exit.
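An added example, not part of the Splunk documentation or the add-on: a Python script that compares the #Fields: header of an advanced log with the FIELDS setting in a local transforms.conf and shows how a row is mislabelled when the order differs. The sample log, the sample stanza contents and all function names are constructed for illustration; it assumes a double-quoted value counts as one column, as in the sample log above.

```python
import csv
from itertools import zip_longest

# Constructed sample in the IIS Advanced Logging layout shown above.
SAMPLE_LOG = """#Software: IIS Advanced Logging Module
#Fields: sc-status cs-username cs(User-Agent) cs-uri-stem c-ip
200 - "Mozilla/5.0 (X11; Linux x86_64)" /iisstart.htm 192.0.2.10
"""

# Constructed local transforms.conf whose FIELDS order has drifted from the log.
SAMPLE_TRANSFORMS = """[auto_kv_for_iis_default]
DELIMS = " "
FIELDS = sc-status cs(User-Agent) cs-username cs-uri-stem c-ip
"""

def log_fields(log_text):
    """Field names from the last #Fields: directive in the log."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
    return fields

def stanza_fields(conf_text, stanza="auto_kv_for_iis_default"):
    """FIELDS list configured in one transforms.conf stanza."""
    current = None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == stanza and line.partition("=")[0].strip() == "FIELDS":
            return line.partition("=")[2].split()
    return []

def drift(log_text, conf_text):
    """(position, log_field, conf_field) wherever the two orders disagree."""
    pairs = zip_longest(log_fields(log_text), stanza_fields(conf_text))
    return [(i, a, b) for i, (a, b) in enumerate(pairs) if a != b]

def data_rows(log_text):
    """Non-directive, non-empty lines of the log."""
    return [l for l in log_text.splitlines() if l and not l.startswith("#")]

def map_row(row, fields):
    """Split a row on spaces, keep quoted values whole, and name the columns."""
    values = next(csv.reader([row], delimiter=" ", quotechar='"'))
    return dict(zip(fields, values))

if __name__ == "__main__":
    for pos, want, have in drift(SAMPLE_LOG, SAMPLE_TRANSFORMS):
        print(f"column {pos}: log has {want}, transforms.conf has {have}")
    print("FIELDS = " + " ".join(log_fields(SAMPLE_LOG)))
```

With the drifted stanza, the user-agent string lands in cs-username and the real username value in cs(User-Agent), so any search keyed on those fields reads the wrong column.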
Configure receipt of data through Splunk web
- On Splunk web, navigate to Settings > Data inputs > Files & directories.
- Find the location of where your log files are stored, and select the log file or the directory containing log files.
- Select the Continuously Monitor button.
- Click Next.
- Click Browse and select the ms:iis:auto sourcetype, and select Next.
- Click Review.
- Verify your settings, and click Submit.
Configure through your .conf file
- Create an inputs.conf file in the $SPLUNK_HOME/etc/apps/TA-microsoft_iis/local/ directory.
- Inside the inputs.conf file, create a file input monitor with the following information:
    [monitor://C:\inetpub\logs\AdvancedLogs]
    disabled = false
    sourcetype = ms:iis:auto
- Save and Exit.
- Restart your Splunk platform instance.
Verify Data Collection
Verify that the add-ons in your deployment are installed and configured correctly by checking the add-on's indices, sources or source types.
Add-on | Data verification search |
---|---|
Apache Web Server | tag=web tag=inventory tag=activity sourcetype=apache:access OR tag=web tag=inventory tag=activity sourcetype=apache:error |
Microsoft IIS | tag=web tag=inventory tag=activity sourcetype=ms:iis:auto OR tag=web tag=inventory tag=activity sourcetype=ms:iis:default |
Enable entity discovery
Enable entity discovery for the module to automatically discover entities for which relevant data has been collected. See Enable the automatic entity discovery search.
Learn More
See Installing add-ons in the Splunk Add-ons guide to learn how to install a Splunk add-on in the following deployment scenarios:
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1