Class 6 Lab 2 ‐ Log Parsing - Justin-Boyd/CIT-Class GitHub Wiki

Task: Parse Apache Logs in Splunk

Step 1

  • Start your Ubuntu machine, click Activities to search for the terminal, and open it.

Step 2

  • Use the command sudo /opt/splunk/bin/splunk start to start the Splunk daemon.

Step 3

  • Use the command sudo apt update to update the repository before installation.

Step 4

  • Use the command sudo apt install apache2 -y to install the Apache web server.

Step 5

  • Use the command sudo systemctl start apache2 to start the Apache service.

Step 6

  • Use the command sudo systemctl status apache2 to view the Apache status and verify that it is active.

Step 7

  • Click the Firefox icon in the left panel, and browse to localhost.
  • Note that Apache’s webpage is displayed.

Step 8

  • Browse to localhost/random, a page that does not exist, to generate an HTTP 404 error response and the corresponding log entry.
  • Note: HTTP 404 is an HTTP error code (response code) meaning that the requested page was not found.

Step 9

  • Open a new tab in the browser and browse to 127.0.0.1:8000.
  • Sign in with username admin and password Aa123456.

Step 10

  • Click Search & Reporting.

Step 11

  • Use the query source = "/var/log/apache2/access.log" to search for Apache logs.
  • Note the logged requests made to the server.

Step 12

  • Click the arrow icon (>) in the first log to expand it.

Step 13

  • Click Event Actions and select Extract Fields.

Step 14

  • Select the Regular Expression method and click Next.

Step 15

  • Highlight the IP address 127.0.0.1 to open a floating configuration window.

Step 16

  • Write ip_addr in Field Name, and click Add Extraction.

Step 17

  • Highlight the time and date information, and name it date_time.

Step 18

  • Highlight GET and name it method.

Step 19

  • Highlight /random and name it request_url.

Step 20

  • Highlight HTTP/1.1 and name it protocol.

Step 21

  • Highlight 404 and name it status_code.

Step 22

  • Highlight the last text part and name it user_agent.

Step 23

  • Note that the preview colour-codes the sample events according to the extractions, and click Next.

Step 24

  • In the Validation page, click Next.

Step 25

  • Click Finish to save the configuration.

Step 26

  • In the URL of a new tab, enter localhost/random again to generate additional error logs.

Step 27

  • Return to the search page in Splunk, and search for status_code = 404.

Step 28

  • Expand the first log and note the updated fields.
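As an added example that is not part of the lab, the same extraction done outside Splunk: a Python regex with named groups for the fields chosen in Steps 15 to 22, run over constructed sample access-log lines and then filtered for status_code=404 as in Step 27. The field names match the lab; the sample log lines and the helper names (extract_fields, parse_log, search) are assumptions of this example.

```python
import re

# Constructed sample events in Apache "combined" access-log format, mirroring
# the requests made in the lab (one to the home page, two to /random) plus
# one malformed line that the extraction must reject rather than mis-parse.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 3460 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
127.0.0.1 - - [10/Oct/2023:13:56:02 +0000] "GET /random HTTP/1.1" 404 489 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
this line is not an access-log entry
127.0.0.1 - - [10/Oct/2023:13:58:41 +0000] "GET /random HTTP/1.1" 404 489 "-" "curl/7.81.0"
"""

# Named groups use the same field names as the Splunk extraction in the lab.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip_addr>\S+) \S+ \S+ '            # client IP, identd, auth user
    r'\[(?P<date_time>[^\]]+)\] '            # e.g. 10/Oct/2023:13:56:02 +0000
    r'"(?P<method>[A-Z]+) (?P<request_url>\S+) (?P<protocol>HTTP/\d\.\d)" '
    r'(?P<status_code>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def extract_fields(line):
    """Return a dict of extracted fields, or None if the line does not match."""
    m = ACCESS_LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every line of an access log, skipping lines the regex rejects
    (Splunk likewise leaves events that fail the extraction without fields)."""
    events = (extract_fields(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def search(events, **criteria):
    """Filter events the way a Splunk query like status_code=404 does:
    every given field must equal the given value (compared as strings)."""
    return [e for e in events
            if all(e.get(k) == str(v) for k, v in criteria.items())]


if __name__ == "__main__":
    for e in search(parse_log(SAMPLE_LOG), status_code=404):
        print(e["date_time"], e["ip_addr"], e["method"], e["request_url"],
              e["status_code"], e["user_agent"])
```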