Changes

From SME Server
1,238 bytes added, 11:08, 20 September 2014
m
Added forwarding to remote host from forums
Line 1: Line 1: −
==Forwarding Log Information from SME to a SYSLOG Collector (SPLUNK)==
+
==SME8.x==
 +
====Fowarding syslog stream tot a remote host====
 +
Create the following a custom template directory:
 +
mkdir -p /etc/e-smith/templates-custom/etc/syslog.conf
 +
and copy the existing template fragments to this new custom template directory:
 +
/etc/e-smith/templates/etc/syslog.conf/auth
 +
/etc/e-smith/templates/etc/syslog.conf/authpriv
 +
/etc/e-smith/templates/etc/syslog.conf/daemon
 +
/etc/e-smith/templates/etc/syslog.conf/kern
 +
/etc/e-smith/templates/etc/syslog.conf/syslog
 +
you may copy any available template fragment for which you would like to send the syslog messages to the remote host.
    +
then modify the the copied template fragment in the custom dirctory as follows:
 +
authpriv.*                                      @192.168.1.170
 +
where 192.168.1.170 is the IP address of the remote host. Obviously this is an example and you should use the IP address of your real syslog collecting server.
 +
 +
The new template needs to be expanded by:
 +
expand-template /etc/syslog.conf
 +
 +
 +
And restart syslog:
 +
service syslog condrestart
 +
From here on, all syslog messages will be send to the remote host over port 514
 +
 +
 +
 +
 +
====Forwarding syslog stream to a collector====
 +
Syslog information can also be send to a special agent on a remote host (e.g. Splunk, Logrythm)
 +
 +
=====Syslog forwarding for Splunk=====
 
If you would like to be able to collect and monitor your SME server using '''SYSLOG''', the following mini '''Howto''' shows how you can enable your SME to Forward Event Log information to an external '''SYSLOG''' Collector like SPLUNK.
 
If you would like to be able to collect and monitor your SME server using '''SYSLOG''', the following mini '''Howto''' shows how you can enable your SME to Forward Event Log information to an external '''SYSLOG''' Collector like SPLUNK.
 
Please note that this '''Howto''' assumes you have a running SPLUNK server (v6.xx) in your infrastructure with ports 514 and 9997 enabled. Visit http://www.splunk.com for more product information and installation documentation.  
 
Please note that this '''Howto''' assumes you have a running SPLUNK server (v6.xx) in your infrastructure with ports 514 and 9997 enabled. Visit http://www.splunk.com for more product information and installation documentation.  
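Review bot: the "modify the copied template fragment as follows" step (the `authpriv.*  @192.168.1.170` line) is ambiguous in a way that matters: a fragment in templates-custom replaces the fragment of the same name from /etc/e-smith/templates, so if the copied file is rewritten to contain only the `@host` line, the local destination that fragment used to write to /etc/syslog.conf is lost and those facilities are no longer logged on the box. Please state explicitly that the remote line is appended below the existing local line, and show the resulting fragment with both lines. Two further points on this hunk: the closing sentence "all syslog messages will be send to the remote host over port 514" overstates it, since only the facilities whose fragments were copied are forwarded, and `@host` in syslog.conf is plain UDP 514, unencrypted and unauthenticated, so the text should say so and recommend restricting this to a trusted management network. Finally, the new headings and body need a spelling pass: "Fowarding", "tot", "Create the following a custom", "the the", "dirctory", "send" for "sent".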
Line 44: Line 73:  
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
 
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
   −
==Deployment considerations==
+
=====Deployment considerations=====
 
If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-17 with:<br>  
 
If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-17 with:<br>  
 
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>  
 
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>  
 
then you can create a report/filter or dashboard on the keyword "SME"
 
then you can create a report/filter or dashboard on the keyword "SME"
   −
==Cleaning Data Indexes==
+
=====Cleaning Data Indexes=====
 
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
 
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
 
''on your SPLUNK server'': '''splunk clean eventdata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)  
 
''on your SPLUNK server'': '''splunk clean eventdata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)  
 
(or command: splunk clean eventdata ''<indexname>'')
 
(or command: splunk clean eventdata ''<indexname>'')
 
[[category:howto]]
 
[[category:howto]]
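Review bot: the sentence "replace the commands on lines 11-17 with:" refers to line numbers inside the page, and this very hunk shows why that is fragile: the content moved from Line 44 to Line 73 once the new section was inserted above it, so "lines 11-17" no longer points at the intended steps. Refer to the step by name (the `splunk add monitor` command in the Splunk forwarding section) instead of by line number. The heading demotion also skips a level: the page now goes from `==SME8.x==` to `====...====` and `=====...=====` with no `===` level, so "Deployment considerations" and "Cleaning Data Indexes" should probably be `===` or `====` to sit consistently under the Splunk subsection. Minor: "seperate" should be "separate", and "ie:" should be "e.g.".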
