
Configure monitor inputs for the Splunk Add-on for NGINX

Install and configure a forwarder on your NGINX server to monitor the access and error log files generated by the NGINX server. You can use either Splunk Web to create the monitor input or configure inputs.conf directly.

Configure monitoring through Splunk Web

If you have access to Splunk Web on your forwarder:

  1. Log in to Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the log file generated by the NGINX server and click Next.
  6. On the Input Settings page, click the Source type drop-down box, enter nginx in the filter field, and then select one of the following source types depending on your access log format:

    • nginx:plus:access: the predefined combined format
    • nginx:plus:kv: the custom key-value pair format
    • nginx:plus:error: NGINX error log
    • nginx:app:protect: NGINX App Protect Security log
  7. Click Next.
  8. Click Review.
  9. After you review the information, click Submit.
  10. Repeat the above steps if you want to ingest more log files.

After you finish configuring inputs, run one or more of the following searches to check that you are ingesting the data that you expect:

    sourcetype=nginx:plus:access

    sourcetype=nginx:plus:kv

    sourcetype=nginx:plus:error

    sourcetype=nginx:app:protect

Configure inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

  1. Using a text editor, create a file named inputs.conf in the local folder of the add-on:
  • $SPLUNK_HOME/etc/apps/Splunk_TA_nginx/local in Unix-based environments.
  • %SPLUNK_HOME%\etc\apps\Splunk_TA_nginx\local in Windows-based environments.
  2. Add the following stanzas that match the log formats you want to collect, replacing <path> with the actual path to the log file:
  • NGINX access log in the predefined combined format

    [monitor:///<path>]
    disabled = false
    sourcetype = nginx:plus:access

  • NGINX access log in the custom key-value pair format

    [monitor:///<path>]
    disabled = false
    sourcetype = nginx:plus:kv

  • NGINX error log

    [monitor:///<path>]
    disabled = false
    sourcetype = nginx:plus:error

  • NGINX App Protect security log

    [monitor:///<path>]
    disabled = false
    sourcetype = nginx:app:protect

  3. Save the file.
  4. Restart the forwarder in order for the new input to take effect.
  5. Run one or more of the following searches to check that you are ingesting the data that you expect:

    sourcetype=nginx:plus:access

    sourcetype=nginx:plus:kv

    sourcetype=nginx:plus:error

    sourcetype=nginx:app:protect