Splunk Lantern

Web server data

Web servers are the backend applications behind every website; they deliver all of the content seen by browser clients. Web servers serve static HTML pages and run application scripts, written in a variety of languages, that generate dynamic content and call other applications such as middleware. Web server platforms vary widely and include:

  • Java – J2EE. Java is one of the most popular programming languages because of its versatility, relative ease of use, and rich ecosystem of developer tools. Through the J2EE platform, which includes APIs, protocols, SDKs, and object modules, Java is widely used for enterprise applications including web applets, middle-tier business logic, and graphical front ends. Java is also used for native Android mobile apps.
  • Apache. Apache is one of the oldest and most widely used web servers on the internet, powering millions of enterprise, government, and public sites. Apache keeps a detailed record of every transaction: each time a browser requests a web page, the Apache access log captures multiple data points about that request.

Web server data includes fields such as the request time, the remote IP address, the browser type (user agent), and the page requested. It also records error conditions, such as a request for a missing file (404) or an attempt to access a file without appropriate permissions (401 or 403). These logs are critical for debugging both web application and server problems, but they are also used to generate traffic statistics, track user behavior, and flag security attacks, such as attempted unauthorized entry or DDoS.

Web servers are also used internally by custom applications and commercial products, such as internal knowledge systems or source code management (SCM) systems. SCM tools are used to build, package, and deploy software. They allow software developers to work on code simultaneously and then merge their updates into the codebase on completion. These systems contain the entire codebase for internally developed tools as well as for a company's commercial products. Logs from SCM tools provide detailed information on when, and by whom, code is created, accessed, updated, and deleted.

In the Common Information Model, web server data is typically mapped to the Web Data model.
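The following is an added example, not code from this page or from Splunk, that ties the two points above together: it parses Apache combined-format access log lines into the field names used by the CIM Web data model (src, user, http_method, uri_path, uri_query, status, bytes_out, http_referrer, http_user_agent, vendor_product) and then runs the kind of check the text describes, counting 401/403 responses per source to surface repeated attempts to reach pages without appropriate permissions. The log lines are constructed for the example, the regular expression is an assumed combined-format pattern rather than an add-on's own extraction, and the threshold of three denials is an arbitrary choice.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - alice [10/Oct/2023:13:55:40 +0000] "GET /docs/guide.pdf?v=2 HTTP/1.1" 200 10240 "http://example.test/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.1.2"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.1.2"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.1.2"
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "GET /private/report.xlsx HTTP/1.1" 403 199 "-" "curl/8.1.2"
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /missing.html HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Assumed pattern for the combined format: host ident user [time] "request" status bytes "referrer" "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)")?$'
)


def parse_combined_line(line):
    """Parse one combined-format line into CIM Web data model field names.

    Returns None for lines that do not match so the caller can count them as unparsed
    instead of silently dropping them.
    """
    m = COMBINED_RE.match(line)
    if not m:
        return None
    uri_path, _, uri_query = m.group("url").partition("?")
    bytes_out = m.group("bytes")
    return {
        "_time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "src": m.group("src"),
        "user": None if m.group("user") == "-" else m.group("user"),
        "http_method": m.group("method"),
        "uri_path": uri_path,
        "uri_query": uri_query or None,
        "status": int(m.group("status")),
        "bytes_out": 0 if bytes_out == "-" else int(bytes_out),
        "http_referrer": None if m.group("referrer") in (None, "-") else m.group("referrer"),
        "http_user_agent": m.group("ua"),
        "vendor_product": "Apache",
    }


def parse_log(text):
    """Parse every non-blank line; return (events, number_of_unparsed_lines)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_combined_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def flag_auth_failures(events, threshold=3):
    """Return {src: count} for sources with at least `threshold` 401/403 responses,
    i.e. repeated attempts to reach resources without appropriate permissions."""
    denied = Counter(ev["src"] for ev in events if ev["status"] in (401, 403))
    return {src: n for src, n in denied.items() if n >= threshold}


def status_summary(events):
    """Count responses by HTTP status code (the basis for simple traffic statistics)."""
    return dict(Counter(ev["status"] for ev in events))


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} events, {unparsed} unparsed")
    print("status counts:", status_summary(events))
    print("sources with repeated denials:", flag_auth_failures(events))
```

In Splunk the same normalization is done by a technology add-on's field extractions and tags rather than by hand-written Python; the point of the script is to show which raw log fields end up behind which Web data model field names, and why the status code and source address are enough to build a first-pass detection for repeated permission failures.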

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for Splunk security products 

Explore the Splunk Security Content site to see what detections you can run in Splunk Enterprise Security with web data.