rsyslog for websphere application server

splunker_123
Path Finder

Hi

We are collecting the logs to the Splunk indexer via rsyslog. We've got quite a number of Unix servers monitored in this fashion and it is all working well.
Now I want to include WebSphere application logs in rsyslog so that Splunk can pick them up from there. Do you have any recommended way of doing this, or can you let me know how to achieve this, please?
Cheers

1 Solution

jtrucks
Splunk Employee

One method is to install a Splunk Forwarder on the WAS machines and use the Splunk Forwarder Add-on for WebSphere Application Server app. This allows you to easily parse the logs for the right fields in Splunk.

If you need to continue using rsyslog only and not a Splunk Forwarder on the machine, you can enable SYSLOG output for most WebSphere products. Set these to send to localhost or directly to the Splunk Indexer.

With a little looking, I've found that some WebSphere products can send a subset of data via syslog natively, but most of the time they can only output to files in a directory on disk. In this case, use the Text File Input Module for rsyslog to configure the daemon to read your WebSphere log files and send them along.

--
Jesse Trucks
Minister of Magic
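
A sketch of the Text File Input Module (imfile) approach described in the answer above, added here as an example and not taken from the original post. The log path, tag, facility, and indexer host name are assumptions to replace with your own values.

```conf
# /etc/rsyslog.d/websphere.conf  (file name is an assumption)

# Load the Text File Input Module once per rsyslog instance.
module(load="imfile")

# Tail the WebSphere SystemOut.log. The path is an assumed install
# layout; point it at the profile and server you actually run.
input(type="imfile"
      File="/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1/SystemOut.log"
      Tag="was-systemout:"
      Severity="info"
      Facility="local6"
      # WebSphere entries start with "[timestamp]"; lines that do not
      # start with "[" (stack traces) are appended to the previous event.
      startmsg.regex="^[[]"
      # Bind this input to its own ruleset so only these events take
      # the forwarding path below.
      ruleset="was_forward")

ruleset(name="was_forward") {
    # Forward over TCP to the receiver (assumed host and port).
    # The disk-assisted queue buffers events while the receiver is
    # unreachable instead of dropping them.
    action(type="omfwd"
           target="splunk-indexer.example.com"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="was_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

The account rsyslog runs as needs read access to the WebSphere log directory, and the receiving side needs a matching TCP input on the chosen port.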

splunker_123
Path Finder

Hi. This worked for me, thanks for your help.

We've included the file name we want to monitor in the syslog conf, and via syslog we are sending to a shared drive where Splunk forwarders are installed, and from there it is indexed to the Splunk indexer. It is working, but the log is not getting indexed after logrotate is done at 4.00am; it loses track of the new log file getting generated. Is there a way to sort this out?

0 Karma

splunker_123
Path Finder

Thanks for your reply, I will try that and let you know :)

0 Karma