Configure Splunk recommended fields in Splunk add-on for Tomcat¶

Splunk best practice is to utilize the tomcat:access:splunk:log source type in order for logs to be CIM-compliant.

In order to utilize this source type, you must follow these steps to deactivate Tomcat add-on inputs.

File monitor input for the tomcat:access:log sourcetype: Settings > Data Inputs > Files & directories > input for tomcat:access:log sourcetype > Disable
dumpAllThreads: Settings > Data Inputs > Splunk Add-on for Tomcat > dumpAllThreads > Disable

Open the back-end access to your tomcat server.
Stop the tomcat server.
Navigate to $CATALINA_HOME/conf/ and open the server.xml in a text editor.
Search for the line org.apache.catalina.valves.AccessLogValve in the file.

Update the prefix and pattern keys as follows:

prefix="localhost_access_log_splunk" suffix=".txt"

pattern="%t, x_forwarded_for=&quot;%{X-Forwarded-For}i&quot;, remote_ip=&quot;%a&quot;, remote_host=&quot;%h&quot;, server=&quot;%v&quot;, server_port=%p, user=&quot;%u&quot;, http_method=%m, uri_path=&quot;%U&quot;, uri_query=&quot;%q&quot;, status=%s,  bytes_sent=%b, response_time=%F, http_content_type=&quot;%{Content-Type}o&quot;, http_user_agent=&quot;%{User-Agent}i&quot;, http_referrer=&quot;%{Referer}i&quot;, url=&quot;%{Host}i%U%q&quot;"

Save the server.xml file.
Start the tomcat server.
Reconfigure the add-on and check the checkbox for “Enable data collection from Tomcat log files”.
Activate the dumpAllThread input.

Optionally, you can configure the Tomcat server to authenticate the User, since the tomcat:access:log:splunk source type supports user field mapping. You can follow the steps mentioned in the documentation for Tomcat at https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Configuring_Manager_Application_Access.