Difference between revisions of "SYSLOG Forwarding"

From SME Server
Revision as of 14:19, 13 June 2014

Forwarding Log Information from SME to a SYSLOG Collector (SPLUNK)

If you would like to be able to collect and monitor your SME server using SYSLOG, the following mini Howto shows how you can enable your SME to Forward Event Log information to an external SYSLOG Collector like SPLUNK. Please note that this Howto assumes you have a running SPLUNK server (v6.xx) in your infrastructure with ports 514 and 9997 enabled. Visit http://www.splunk.com for more product information and installation documentation.

1. Download SPLUNK Universal Forwarder from: http://www.splunk.com/download?r=header or direct download (you will need to establish a SPLUNK account, if you don't already have one -- you cannot WGET this file): http://www.splunk.com/page/download_track?file=6.1.1/splunk/linux/splunk-6.1.1-207789-linux-2.6-x86_64.rpm&platform=Linux&architecture=x86_64&version=6.1.1&product=splunk&typed=release&name=linux_installer&d=pro

2. Upload the SPLUNK .rpm package to your SME server via SFTP/FTP to /tmp

3. ssh to your SME server

4. cd /tmp

5. rpm -ivh splunk-6.1.1-207789-linux-2.6-x86_64.rpm (latest version as of this post)

6. cd /opt/splunkforwarder/bin

7. Enable boot-start init script: ./splunk enable boot-start

8. Start Splunk Forwarder service: ./splunk start

9. Enable Forwarding: ./splunk add forward-server <splunk-server-ip-or-hostname.domain>:9997

10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: ./splunk list forwarder

Next you will need to add which log files will be forwarded to and processed by SPLUNK. Run the following commands for the SME logs (Steps 11-17).

11. ./splunk add monitor /var/log/messages -index main -sourcetype syslog

12. ./splunk add monitor /var/log/secure -index main -sourcetype syslog

13. ./splunk add monitor /var/log/cron -index main -sourcetype syslog

14. ./splunk add monitor /var/log/maillog -index main -sourcetype syslog

15. ./splunk add monitor /var/log/spooler -index main -sourcetype syslog

16. ./splunk add monitor /var/log/boot.log -index main -sourcetype syslog

17. ./splunk add monitor /var/log/yum/yum.log -index main -sourcetype syslog

18. Restart the Splunk forwarder on SME to commit all changes: ./splunk restart

Within a few moments you should begin to see SYSLOG updates arriving at your SPLUNK server from SME over port 9997.

Deployment considerations

If you would like to separate the data collected from SME on your SPLUNK server, you can create a new index (e.g. sme) and replace the commands in steps 11-17 with:

./splunk add monitor /<pathtologs>/ -index sme -sourcetype syslog

You can then create a report, filter or dashboard on the keyword "SME".
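The following POSIX shell script is an added example, not part of this howto: it wraps steps 7 to 18 with the index name as a parameter, so the same script serves the default main index and the dedicated sme index described above. The placeholder server name, the DRY_RUN switch (print the commands instead of running them) and the readability check on each log file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the SME howto: drives the Universal Forwarder
# steps 7-18 from one script so the log list and index name live in one place.
# SPLUNK_HOME and SME_LOGS come from the howto; SPLUNK_SERVER, SPLUNK_INDEX
# and DRY_RUN are this example's own (assumed) knobs.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_SERVER="${SPLUNK_SERVER:-splunk.example.com:9997}"   # placeholder host
SPLUNK_INDEX="${SPLUNK_INDEX:-main}"   # "sme" for a dedicated index
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# The SME log files forwarded in steps 11-17
SME_LOGS="/var/log/messages /var/log/secure /var/log/cron /var/log/maillog
/var/log/spooler /var/log/boot.log /var/log/yum/yum.log"

# Run one splunk CLI command from SPLUNK_HOME/bin, or print it in dry-run mode
splunk_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf './splunk %s\n' "$*"
    else
        (cd "$SPLUNK_HOME/bin" && ./splunk "$@")
    fi
}

# Register a monitor for every file in SME_LOGS, using the index given as $1
# (default SPLUNK_INDEX). When really executing, unreadable files are reported
# and skipped so a typo in the list does not leave a silent, empty monitor.
add_monitors() {
    idx="${1:-$SPLUNK_INDEX}"
    for f in $SME_LOGS; do
        if [ "$DRY_RUN" != "1" ] && [ ! -r "$f" ]; then
            echo "skipping $f: not readable" >&2
            continue
        fi
        splunk_cmd add monitor "$f" -index "$idx" -sourcetype syslog
    done
}

# Whole sequence: boot-start, start, forward-server (steps 7-9), the monitors
# (11-17) and the restart that commits them (step 18)
deploy_forwarder() {
    splunk_cmd enable boot-start
    splunk_cmd start
    splunk_cmd add forward-server "$SPLUNK_SERVER"
    add_monitors "$SPLUNK_INDEX"
    splunk_cmd restart
}

# Review the generated commands first (DRY_RUN=1), then rerun with DRY_RUN=0
if [ "${1:-}" = "run" ]; then deploy_forwarder; fi
```

Run it as `sh forward-sme.sh run` to see the exact commands it would issue, then as `DRY_RUN=0 SPLUNK_SERVER=<host>:9997 SPLUNK_INDEX=sme sh forward-sme.sh run` on the SME server.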

Cleaning Data Indexes

If you need to clear the data that SPLUNK has collected from SME, run the following command on your SPLUNK server:

splunk clean eventdata -index <indexname>

(where <indexname> is main, sme, etc.; the short form splunk clean eventdata "indexname" also works). This permanently deletes the indexed events for that index and requires the Splunk instance to be stopped first.