I am a complete noob and I need help configuring two forwarders using a deployment server:
Forwarder A
Need to monitor index.log from 3 apache directories /opt/log/www* << Do I need a whitelist or blacklist here? If so, need help there too.
Need them to go to index=www
Need to label host as webA webB and webC
Forwarder B
Need to monitor denied.log from /opt/log/syslog << Do I need a whitelist or blacklist here? If so, need help there too.
Need to monitor allowed.log from /opt/log/syslog
Need them to go to index=firewall
Need to label host as firewall1
Thank you
Hm, that config would not do what you want. Do you have 3 virtual hosts/websites under /opt/log/www, and would like to use that site-name as host?
Normally the host gets specified in the inputs.conf [default] stanza, and would be equal to the hostname, or dns-name. This setting would then be active for all files and directories that are being monitored on that host. This is a Good Thing, since it allows you to easily correlate events from different sources on a host, like logon/logoff, service restarts, application logs etc etc.
There are cases where you want to rewrite the host value, which would be perfectly legitimate (and even desirable) when you, e.g., have a forwarder installed on a syslog server. In that case you would want to make it appear as if the events have a host value of the originating host, and not the syslog server.
Then you could put either of these under your [monitor:///blah/blah];
host_segment = n
host_regex = some regex
e.g. if you want the fourth path element in /opt/log/www/xyz/blah.log to become the hostname for this file, you'd set host_segment=4 and the host value will be xyz.
See docs on inputs.conf for these matters.
docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Hope this helps,
Kristian
yes, from over here, that looks like a reasonable config.
But just try it out, and be sure to create the www index first. That won't happen automatically.
@kristian.kolb
I have several virtual hosts under /opt/log/
webA
webB
webC
They all have an access.log that I need to index; would this be a correct inputs.conf?
[monitor:///opt/log/www*]
sourcetype = apache
index=www
host_segment=3
whitelist = access.log$
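To make the host_segment / host_regex / whitelist behaviour described in Kristian's answer concrete, and to sanity-check a stanza like the one proposed just above before it is pushed out through the deployment server, here is a small added Python model. It is example code written for this thread, not Splunk's own implementation and not something any participant posted. It parses an inputs.conf fragment and works out which index, sourcetype and host a given file path would get. The first stanza is the one proposed above; the /opt/log/sites stanza (showing host_regex), the /opt/log/syslog stanza, the directory names wwwA and webA, and the path-matching rules are constructed assumptions that simplify Splunk's documented semantics rather than reproduce them exactly.

```python
"""
Simplified offline model of how Splunk's inputs.conf monitor stanzas pick up
files and assign index, sourcetype and host.  Added example, not Splunk code:
the path-matching rules are a deliberate simplification of the documented
behaviour, meant only for sanity-checking a config before deploying it.
"""
import re
from configparser import ConfigParser

# Constructed inputs.conf fragment.  The first stanza is the one proposed in
# the thread (host_segment=3 under /opt/log/www*); the other two are assumed
# stanzas that show host_regex and a static host combined with a whitelist.
SAMPLE_INPUTS_CONF = r"""
[monitor:///opt/log/www*]
sourcetype = apache
index = www
host_segment = 3
whitelist = access\.log$

[monitor:///opt/log/sites]
sourcetype = apache
index = www
host_regex = /opt/log/sites/([^/]+)/

[monitor:///opt/log/syslog]
sourcetype = firewall
index = firewall
host = firewall1
whitelist = (denied|allowed)\.log$
"""


def parse_inputs_conf(text):
    """Return a list of (monitored_path, settings) for each monitor:// stanza."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    prefix = "monitor://"
    return [(name[len(prefix):], dict(cp[name]))
            for name in cp.sections() if name.startswith(prefix)]


def _path_pattern(monitored_path):
    """Translate a monitor path into a regex.

    Simplification (assumed here): '*' matches within one path segment,
    '...' matches across segments, and a matching directory is monitored
    recursively.
    """
    out = []
    i = 0
    while i < len(monitored_path):
        if monitored_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif monitored_path[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(monitored_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "(?:/|$)")


def stanza_matches(monitored_path, file_path):
    """True if file_path is the monitored path or lies underneath it."""
    return _path_pattern(monitored_path).match(file_path) is not None


def resolve_host(settings, file_path, default_host):
    """Pick the host value for one file.

    host_regex: the first capturing group becomes the host.
    host_segment = n: the n-th '/'-separated path segment (1-based) becomes
    the host, e.g. /opt/log/www/xyz/blah.log with host_segment=4 gives xyz.
    Otherwise an explicit host= in the stanza, else the forwarder's default.
    """
    if "host_regex" in settings:
        m = re.search(settings["host_regex"], file_path)
        if m and m.lastindex:
            return m.group(1)
    if "host_segment" in settings:
        segments = [s for s in file_path.split("/") if s]
        n = int(settings["host_segment"])
        if 1 <= n <= len(segments):
            return segments[n - 1]
    return settings.get("host", default_host)


def route(stanzas, file_path, default_host="forwarder-default-host"):
    """Return (index, sourcetype, host) for file_path, or None if no stanza
    collects it (no matching path, or filtered out by whitelist/blacklist)."""
    for monitored_path, settings in stanzas:
        if not stanza_matches(monitored_path, file_path):
            continue
        if "whitelist" in settings and not re.search(settings["whitelist"], file_path):
            continue
        if "blacklist" in settings and re.search(settings["blacklist"], file_path):
            continue
        return (settings.get("index", "main"),
                settings.get("sourcetype", ""),
                resolve_host(settings, file_path, default_host))
    return None


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    # Constructed file paths; the webA directory shows that /opt/log/www*
    # only matches directory names that actually start with "www".
    for path in ["/opt/log/wwwA/access.log", "/opt/log/wwwA/error.log",
                 "/opt/log/webA/access.log", "/opt/log/sites/xyz/blah.log",
                 "/opt/log/syslog/denied.log", "/opt/log/syslog/kernel.log"]:
        print(f"{path:32} -> {route(stanzas, path)}")
```

Running it prints one line per constructed path: wwwA/access.log lands in index www with host wwwA, wwwA/error.log is dropped by the whitelist, webA/access.log is not collected at all because the monitor path is /opt/log/www*, the sites example yields host xyz via host_regex, and only denied.log and allowed.log under /opt/log/syslog reach the firewall index with host firewall1. Splunk itself also needs each of those indexes to exist on the indexer, as Kristian notes.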
@Ayn
I apologize for being vague. I appreciate any insight you can offer.
This is what I have for inputs.conf so far; I am not clear on how to whitelist/blacklist.
[monitor:///opt/log/www]
sourcetype = apache
index=www
host=webA
host=webB
host=webC
[monitor:///opt/log/syslog]
sourcetype = firewall
index=www
host=firewall1
I haven't even started serverclass.conf yet since I am not sure the little progress I have so far will work.
Have you started with reading the docs so that you can tell us more about where specifically in the process you got stuck? Or are you by any chance throwing your whole scenario out there and expect the Splunkbase community to do all the work for you?