Changes

From SME Server
135 bytes added ,  14:19, 13 June 2014
no edit summary
Line 24: Line 24:  
10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: '''./splunk list forwarder'''
 
10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: '''./splunk list forwarder'''
   −
Next you will need to add which logs files will be forwarded and processed by SPLUNK. Run the following commands for SME logs (Steps 11-16).
+
Next you will need to add which logs files will be forwarded and processed by SPLUNK. Run the following commands for SME logs (Steps 11-17).
    
11. '''./splunk add monitor /var/log/messages -index main -sourcetype syslog'''
 
11. '''./splunk add monitor /var/log/messages -index main -sourcetype syslog'''
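Review bot: The hard-coded range "Steps 11-17" in the changed sentence has to be corrected by hand whenever a monitor step is added or removed, which is the only reason this line changed. Consider wording it without numbers, for example "Run the following add monitor commands for SME logs", so it cannot drift out of sync with the list. The same sentence still reads "which logs files"; that could be fixed to "which log files" in the same edit.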
Line 38: Line 38:  
16. '''./splunk add monitor /var/log/boot.log -index main -sourcetype syslog'''
 
16. '''./splunk add monitor /var/log/boot.log -index main -sourcetype syslog'''
   −
17. Restart to the SPLUNK server to commit all changes: '''./splunk restart'''
+
17. '''./splunk add monitor /var/log/yum/yum.log -index main -sourcetype syslog'''
 +
 
 +
18. Restart to the SPLUNK server to commit all changes: '''./splunk restart'''
    
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
 
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
    
==Deployment considerations==
 
==Deployment considerations==
If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-16 with:<br>  
+
If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-17 with:<br>  
 
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>  
 
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>  
 
then you can create a report/filter or dashboard on the keyword "SME"
 
then you can create a report/filter or dashboard on the keyword "SME"
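Review bot: The updated reference under "Deployment considerations" says "lines 11-17", while the instruction earlier on the page calls the same items "Steps 11-17"; use "steps" in both places so readers do not go looking for line numbers. In the same paragraph the index is introduced as "SME" but the command uses "-index sme", so pick one spelling and use it in the command and in the report keyword. For the new step 17, please confirm that events from /var/log/yum/yum.log are parsed with the expected host and timestamp under "-sourcetype syslog" before keeping that sourcetype. The renumbered step 18 still reads "Restart to the SPLUNK server", which leaves open which machine "./splunk restart" is run on.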
Line 49: Line 51:  
==Cleaning Data Indexes==
 
==Cleaning Data Indexes==
 
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
 
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
''on your SPLUNK server'': '''splunk clean evendata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)
+
''on your SPLUNK server'': '''splunk clean eventdata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)
 +
(or command: splunk clean eventdata "indexname")
 
[[category:howto]]
 
[[category:howto]]
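Review bot: The added line "(or command: splunk clean eventdata "indexname")" introduces a second syntax without the -index flag and does not say when it applies or which Splunk versions accept it. Keep the one form that has been tested, or state which version each form belongs to, and format the placeholder as ''<indexname>'' in bold like the line above it. Because this command clears the data collected in the index, the section should also state its preconditions, for example whether Splunk has to be stopped first.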