Ever felt like you have no clue what’s really going on behind the scenes of your Drupal site? Things break, pages slow down, and errors pop up, but where do you even start looking?
That’s where Splunk comes in. Splunk helps you collect and make sense of logs—basically, the behind-the-scenes record of everything happening on your site. By connecting Splunk with Drupal, you get a clear view of your site’s activity, user behavior, and issues. It’s like switching from guesswork to having actual answers.
In this blog, we’ll walk you through how Drupal logging works, how Drupal development experts integrate it with Splunk, and what you can do with Splunk. So, let’s get started.
Why Integrate Splunk with Drupal?
Integrating Splunk with Drupal allows you to gain real-time visibility into how your site is performing and behaving behind the scenes. It’s not just about error tracking; it’s about understanding user activity, spotting security threats, and optimizing your Drupal site’s performance, all from a centralized dashboard.
Here are some key benefits:
- Catch Errors Early: Instantly spot PHP notices, 404 errors, and backend issues.
- Monitor User Activity: Track logins, role changes, and suspicious behavior.
- Improve Performance: Identify slow pages, high load times, and traffic patterns.
- Enhance Security: Detect brute-force attempts, failed logins, or access violations.
- Centralized Monitoring: Combine Drupal logs with web server and system logs in one place.
With Splunk, your logs become meaningful, actionable insights – not just lines in a file.
How Does Logging Work in Drupal?
Drupal has a built-in system called Watchdog that records important events like errors, warnings, and user actions.
By default, Drupal logs these events to the database, but it can also send them to syslog using the Syslog module, which is included in core for Drupal 8 and newer. Syslog is often preferred for production sites because it’s faster, more efficient, and easier to integrate with external systems like Splunk.
Here’s a quick breakdown of log types you might see:
- Error logs: PHP warnings, exceptions
- User activity: Logins, password changes
- System events: Cron runs, cache clears
- Access issues: 403/404 errors
Once these logs are routed through Syslog or another supported method, Splunk can ingest and analyze them in real time – giving you a full picture of what’s happening on your site.
Drupal Splunk Integration Methods
There are several ways to connect Drupal with Splunk, depending on how much control or customization you need:
- Syslog + Splunk Universal Forwarder: The most common and straightforward approach. Drupal logs are written to system logs, and the Splunk Forwarder sends them to Splunk for indexing.
- HTTP Event Collector (HEC): Ideal for sending custom events directly from Drupal using HTTP requests. This allows structured, real-time event tracking (e.g., for commerce events or content updates).
- Direct API Integration: You can write custom Drupal modules or services to send data into Splunk via its REST API for more advanced use cases.
- Web Server Log Monitoring: Combine Drupal logs with Apache or Nginx access/error logs to get a complete view of site activity and performance.
Each method has its strengths, but starting with Syslog + Splunk Forwarder is the easiest and most production-ready option.
How to Send Drupal Logs to Splunk
One of the easiest and most reliable ways to send your Drupal logs to Splunk is by using the Syslog module along with the Splunk Universal Forwarder (UF).
This method takes the logs that Drupal writes to your system’s log file and sends them over to Splunk, where you can search, visualize, and monitor them in real time.
Here’s how to get this integration working.
Prerequisites
Before starting, make sure you have:
- A Drupal 8 or newer site that is up and running
- Admin access to your web server (you’ll need to configure system files)
- A Splunk instance (can be on your server or in the cloud)
- Optional but recommended: Splunk Universal Forwarder installed on the Drupal server
Step 1: Enable and Configure Syslog in Drupal
Drupal doesn’t send logs to external tools by default, so the first step is to switch its logging method:
- Go to your Drupal admin panel
- Navigate to Configuration → Development → Logging and Errors
- Set the Logging Method to Syslog
That’s it! Now, instead of keeping logs only inside the Drupal database, your site will start writing events to the system’s log files.
Step 2: Install and Configure Splunk Universal Forwarder
The Splunk Universal Forwarder is a lightweight agent that lives on your server and sends log data to Splunk.
If you haven’t already installed it, download it from Splunk’s official site and install it on the server where Drupal is running.
Once installed, run the following commands in your terminal:
./splunk add monitor /var/log/syslog -sourcetype drupal_syslog
./splunk set deploy-poll YOUR_SPLUNK_SERVER:8089
./splunk start
Here’s what these commands do:
- add monitor: Tells the forwarder to keep an eye on the Syslog file
- -sourcetype drupal_syslog: Labels the log data in Splunk so it’s easier to filter later
- set deploy-poll: Connects the forwarder to your central Splunk instance
- start: Boots up the Universal Forwarder so it can start sending data
Once done, check your Splunk dashboard to confirm the logs are coming in.
Step 3: Validate Logs in Splunk
Now head over to your Splunk dashboard (web interface) and search:
sourcetype="drupal_syslog"
You can also filter by index if you’ve set one.
If everything is working, you’ll start seeing real-time Drupal log entries like:
- PHP Notice: Undefined index
- User 12 logged in
- Node 33 updated by user admin
These are events straight from your Drupal site, now available inside Splunk for analysis.
What Can You Do with Drupal Data in Splunk?
Once your Drupal logs are in Splunk, the real power comes from how you use that data. From visual dashboards to smart alerts and custom event tracking, Splunk gives you tools to monitor, analyze, and react to what’s happening on your site.
Build Interactive Dashboards
Use Splunk’s built-in search and visualization tools to create real-time dashboards tailored to your Drupal site.
Examples of useful charts:
- Top 404 and 403 Errors: Identify broken links or unauthorized access attempts.
- User Login Activity: Track login frequency by role, username, or IP address.
- System Errors Over Time: View spikes in PHP errors or warnings.
Sample SPL search for 404s:
sourcetype="drupal_syslog" status=404 | stats count by uri
You can mix charts, tables, and filters to build an at-a-glance view of your site’s health.
Set Smart Alerts
Splunk lets you set up alerts that automatically notify you when something unusual happens.
Examples of helpful alerts:
- More than 10 failed login attempts from the same IP in 5 minutes
- High error rates within a short time window
- Admin role changes or suspicious user activity
You can send alert notifications via email, Slack, or even trigger webhooks or scripts — so your team is informed instantly.
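The first alert rule above (more than 10 failed logins from one IP in 5 minutes), written out as an added Python example that is not part of the original post: it parses lines in Drupal's default syslog format and applies the threshold over a sliding window. The sample lines, the host name and the "Login attempt failed" message prefix are assumptions; confirm them against your own logs before turning the rule into a Splunk alert.

```python
import re
from collections import defaultdict, deque

# Drupal core's default syslog format, assumed unchanged on this site:
# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
FIELDS = "base_url timestamp type ip request_uri referer uid link message".split()
SYSLOG_PREFIX = re.compile(r"^.*?\bdrupal(?:\[\d+\])?: ")  # assumes identity "drupal"

def parse_line(line):
    """Return the Drupal fields as a dict, or None for non-Drupal lines."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    # maxsplit keeps any "|" inside the free-text message intact.
    parts = line[m.end():].rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS) or not parts[1].isdigit():
        return None
    event = dict(zip(FIELDS, parts))
    event["timestamp"] = int(event["timestamp"])
    return event

def brute_force_sources(lines, threshold=10, window=300):
    """Map each IP to the time it first exceeded `threshold` failures in `window` s."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    flagged = {}
    events = filter(None, map(parse_line, lines))
    for e in sorted(events, key=lambda e: e["timestamp"]):
        # Assumed message prefix; confirm what your Drupal version logs.
        if e["type"] != "user" or not e["message"].startswith("Login attempt failed"):
            continue
        q = recent[e["ip"]]
        q.append(e["timestamp"])
        while e["timestamp"] - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            flagged.setdefault(e["ip"], e["timestamp"])
    return flagged

def sample_line(ts, ip, message):  # constructed line; host name and URLs are made up
    return (f"Mar  3 10:00:00 web01 drupal: https://example.com|{ts}|user|{ip}"
            f"|https://example.com/user/login||0||{message}")

# Constructed data: one IP fails 11 times in 100 s, another 11 times 330 s apart.
SAMPLE = [sample_line(1700000000 + 10 * i, "203.0.113.7", "Login attempt failed for admin.")
          for i in range(11)]
SAMPLE += [sample_line(1700000000 + 330 * i, "198.51.100.9", "Login attempt failed for bob.")
           for i in range(11)]
if __name__ == "__main__":
    print(brute_force_sources(SAMPLE))
```

Only the first source is flagged; the second makes the same number of attempts but never more than one inside any 5-minute span, which is the case a plain per-IP count would get wrong.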
Track Custom Events with HTTP Event Collector (HEC)
For more advanced use cases, you can send custom events from Drupal to Splunk using HEC. This is great for tracking specific actions like:
- Content being published or deleted
- Orders placed (if using Drupal Commerce)
- Custom module activity or API calls
Example code snippet (PHP with Guzzle):
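// Send one custom event to Splunk's HTTP Event Collector.
// Load the real token from settings.php or a secrets store instead of hard-coding it.
$client = \Drupal::httpClient();
$client->post('https://splunk.example.com:8088/services/collector', [
  'headers' => ['Authorization' => 'Splunk YOUR_HEC_TOKEN'],
  'json' => ['event' => 'Node published by user admin'],
  // Keep a slow or unreachable collector from stalling the page request.
  'timeout' => 2,
]);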
This gives you fine-grained control over what you log and how it’s visualized or alerted in Splunk.
Let’s Summarize
Integrating Splunk with Drupal might sound technical, but once it’s set up, it makes a big difference. You get real-time visibility into what’s happening on your site without digging through files or guessing what went wrong.
From tracking errors to monitoring user activity, this setup helps you stay in control and catch issues early. Whether you’re managing one site or many, Splunk Drupal integration gives you the insights you need to keep things running smoothly.
If you need professional help with the integration or want more control over your Drupal site, consulting a Drupal development services provider would be the right decision.