Deployment Architecture

Configure forwarders from deployment server

splunkingsplun1
Explorer

I am a complete noob and I need help configuring two forwarders using a deployment server:

Forwarder A

Need to monitor index.log from 3 apache directories /opt/log/www* << Do I need a whitelist or blacklist here? If so, need help there too.

Need them to go to index=www

Need to label host as webA webB and webC

Forwarder B

Need to monitor denied.log from /opt/log/syslog << Do I need a whitelist or blacklist here? If so, need help there too.

Need to monitor allowed.log from /opt/log/syslog

Need them to go to index=firewall

Need to label host as firewall1

Thank you

0 Karma
1 Solution

kristian_kolb
Ultra Champion

Hm, that config would not do what you want. Do you have 3 virtual hosts/websites under /opt/log/www, and would like to use that site-name as host?

Normally the host gets specified in the inputs.conf [default] stanza, and would be equal to the hostname, or dns-name. This setting would then be active for all files and directories that are being monitored on that host. This is a Good Thing, since it allows you to easily correlate events from different sources on a host, like logon/logoff, service restarts, application logs etc etc.

There are cases where you want to rewrite the host value, which would be perfectly legitimate (and even desirable) when you, e.g., have a forwarder installed on a syslog server. In that case you would want to make it appear as if the events have a host value of the originating host, and not the syslog server.

Then you could put either of these under your [monitor:///blah/blah]:

host_segment = n
host_regex = some regex

E.g., if you want the fourth path element in /opt/log/www/xyz/blah.log to become the hostname for this file, you'd set host_segment=4 and the host value will be xyz.

See docs on inputs.conf for these matters.

docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

Hope this helps,

Kristian

0 Karma
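As an added illustration of the host_segment, whitelist/blacklist and [default]-host behaviour Kristian describes, here is a small Python model that reads a constructed inputs.conf and reports which host and index each candidate file would get. This is example code written for this page, not code from the thread or from Splunk; the web directories /opt/log/wwwA, wwwB, wwwC, the sample file paths and the stanza for /var/log/messages are constructed, and the rules it models (whitelist/blacklist regexes tested against the full path with blacklist winning, `*` matching within one path segment, `...` recursing, path segments counted from 1 after the leading slash, the [default] host as fallback) are a simplified reading of the inputs.conf documentation linked above, so treat them as assumptions and check the docs for the authoritative semantics.

```python
"""Model of how a Splunk monitor stanza picks up a file and assigns host/index.

Added example, not code from the thread or from Splunk. The rules modelled
(whitelist/blacklist regexes tested against the full path, blacklist winning,
'*' matching within one path segment, '...' recursing, host_segment counted
from 1 after the leading '/', [default] host as the fallback) are a simplified
reading of the inputs.conf documentation; treat them as assumptions.
"""
import configparser
import re
from pathlib import PurePosixPath

# Constructed inputs.conf for the two forwarders in the question. The web
# directories are assumed to be /opt/log/wwwA, wwwB, wwwC (host_segment=3 then
# yields the directory name); the firewall logs live under /opt/log/syslog.
INPUTS_CONF = r"""
[default]
host = forwarder-default

[monitor:///opt/log/www*]
sourcetype = apache
index = www
host_segment = 3
whitelist = access\.log$

[monitor:///opt/log/syslog]
sourcetype = firewall
index = firewall
host = firewall1
whitelist = (denied|allowed)\.log
blacklist = \.gz$

[monitor:///var/log/messages]
sourcetype = syslog
"""


def load_inputs(text: str) -> dict:
    """Parse inputs.conf text into {stanza_name: {key: value}} in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _monitor_regex(monitor_path: str) -> re.Pattern:
    """Turn a monitor path into a regex: '...' recurses, '*' stays in one segment."""
    pat = re.escape(monitor_path).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.compile(rf"^{pat}(/|$)")


def route(path: str, config: dict):
    """Return {'host', 'index', 'sourcetype'} for the first stanza that monitors
    `path`, or None if no stanza picks the file up."""
    default_host = config.get("default", {}).get("host")
    for name, stanza in config.items():
        if not name.startswith("monitor://"):
            continue
        if not _monitor_regex(name[len("monitor://"):]).match(path):
            continue
        # Blacklist takes precedence over whitelist; both are tested on the full path.
        if stanza.get("blacklist") and re.search(stanza["blacklist"], path):
            continue
        if stanza.get("whitelist") and not re.search(stanza["whitelist"], path):
            continue
        if "host_segment" in stanza:
            segments = PurePosixPath(path).parts[1:]  # drop the leading '/'
            host = segments[int(stanza["host_segment"]) - 1]
        elif "host_regex" in stanza:
            m = re.search(stanza["host_regex"], path)
            host = m.group(1) if m else default_host
        else:
            host = stanza.get("host", default_host)
        return {
            "host": host,
            "index": stanza.get("index", "main"),
            "sourcetype": stanza.get("sourcetype"),
        }
    return None


CONFIG = load_inputs(INPUTS_CONF)

# Constructed candidate files a forwarder might see on disk.
SAMPLE_FILES = [
    "/opt/log/wwwA/access.log",       # host wwwA, index www
    "/opt/log/wwwB/error.log",        # not whitelisted: ignored
    "/opt/log/syslog/denied.log",     # host firewall1, index firewall
    "/opt/log/syslog/denied.log.gz",  # rotated copy: blacklist wins, ignored
    "/var/log/messages",              # no host in stanza: [default] host
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        print(f"{f:32} -> {route(f, CONFIG)}")
```

Two things the run makes visible that the thread only hints at: host_segment takes the directory name literally (a directory called wwwA gives host wwwA, not webA), so the label you want to correlate on has to already be in the path, and without a blacklist for rotated copies such as denied.log.gz the whitelist alone would let old firewall events be indexed a second time.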

kristian_kolb
Ultra Champion

Yes, from over here, that looks like a reasonable config.

But just try it out, and be sure to create the www index first. That won't happen automatically.

0 Karma

splunkingsplun1
Explorer

@kristian.kolb

I have several virtual hosts under /opt/log/
webA
webB
webC

They all have access.log that I need to index; would this be the correct inputs.conf?

[monitor:///opt/log/www*]
sourcetype = apache
index=www
host_segment=3
whitelist = access.log$

0 Karma

splunkingsplun1
Explorer

@Ayn

I apologize for being vague. I appreciate any insight you can offer.

This is what I have for inputs.conf so far; I am not clear on how to whitelist/blacklist:

[monitor:///opt/log/www]
sourcetype = apache
index=www
host=webA
host=webB
host=webC

[monitor:///opt/log/syslog]
sourcetype = firewall
index=www
host=firewall1

I haven't even started serverclass.conf yet since I am not sure the little progress I have so far will work.

0 Karma

Ayn
Legend

Have you started with reading the docs so that you can tell us more about where specifically in the process you got stuck? Or are you by any chance throwing your whole scenario out there and expecting the Splunkbase community to do all the work for you?

0 Karma