All Apps and Add-ons

What is the benefit of Splunk Add-on for Apache Web Access if it monitors the same source as Splunk Add-on for Unix and Linux?

bayman
Path Finder

I am a new Splunk user and have Splunk Add-on for Unix and Linux installed which is set to monitor /var/log on my Apache web server. I have the following questions I'm hoping to better understand:

  1. What value does installing Splunk Add-on for Apache Web Server have if /var/log/apache log files are already monitored by Splunk_TA_nix?

  2. Will logs from /var/log/apache be duplicated since both apps are creating different sourcetypes?

0 Karma
1 Solution

sjohnson_splunk
Splunk Employee
Splunk Employee

I don't believe you have to worry about any duplication. The Splunk_TA_nix app does monitor the /var/log directory but is pretty specific what it picks up (also note it is disabled by default):

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 1

Are the apache logs actually in /var/log or are they in a lower level subdirectory (httpd)? The monitor stanza above will not recurse down another level.

FYI - if there are multiple inputs.conf that end up monitoring the same file, only 1 will actually win. The precedence is the app that has the name with the lowest ASCII sort order will win.

View solution in original post

0 Karma

sjohnson_splunk
Splunk Employee
Splunk Employee

I don't believe you have to worry about any duplication. The Splunk_TA_nix app does monitor the /var/log directory but is pretty specific what it picks up (also note it is disabled by default):

[monitor:///var/log]
whitelist=(.log|log$|messages|secure|auth|mesg$|cron$|acpid$|.out)
blacklist=(lastlog|anaconda.syslog)
index=os
disabled = 1

Are the apache logs actually in /var/log or are they in a lower level subdirectory (httpd)? The monitor stanza above will not recurse down another level.

FYI - if there are multiple inputs.conf that end up monitoring the same file, only 1 will actually win. The precedence is the app that has the name with the lowest ASCII sort order will win.

0 Karma

bayman
Path Finder

The apache logs are actually in /var/log/apache2/access.log. I actually enabled monitoring of the the /var/log on the Splunk_TA_nix app. Should I disable it if I am using the Splunk Add-on for Apache Web Access to monitor /var/log/apache2/access.log? I still would like syslog to be monitored.

0 Karma

sjohnson_splunk
Splunk Employee
Splunk Employee

Leave it on. You probably should always be monitoring the messages and secure logs.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...