
How to modify the inputs for the EMC Isilon Add-on for Splunk Enterprise to properly parse all fields?

Makinde
New Member

I would like to use the EMC Isilon Add-on for Splunk Enterprise, but I don't want the add-on to query my device for any logs.

I am currently sending the Isilon logs to a folder on the Splunk forwarder through syslog. I created a local folder in the add-on folder and created an inputs.conf file with the following information:

[monitor://C:\logs\Isilon]
# the inputs.conf key is "disabled", not "disable"
disabled = false
sourcetype = EMC:Isilon:rest

I do receive logs, but the parsed fields are minimal. Basically it passes host, index, event type, sourcetype, line count, and the basics, probably about 10 fields altogether. I believe there are more fields to be parsed, but because of the changes I have made, I have bypassed the script, so I feel that's why more fields aren't being parsed.

Does anyone know the app properly and can tell me what to do to get the other fields parsed just as the app was intended?

Thanks,

1 Solution

pjvarjani
Path Finder

Hi,

You are right. Fields in your syslog event are not parsed because you bypassed the script. How to parse the syslog largely depends on the syslog type. I am assuming events are not coming in key=value pairs here; otherwise Splunk would have parsed them automatically.

If you want to parse the syslog manually, you need to extract the required fields in props.conf. There are some other features as well in props.conf which might come in handy for syslog parsing. Below is the link to a sample props.conf:

http://docs.splunk.com/Documentation/Splunk/6.1/Admin/propsconf

Thanks,
Pankaj

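The accepted answer's advice, as an added example (not code from this thread or from the EMC Isilon Add-on): before editing props.conf, dry-run the extraction regex against sample lines so the field names you expect actually come out. The script approximates the two search-time mechanisms the answer mentions, automatic key=value extraction (KV_MODE = auto) and a regex EXTRACT-<name> stanza, then renders the matching props.conf stanza. The sample events, the free-text message shape in AUDIT_BODY and the sourcetype name emc:isilon:syslog are all constructed for this example; the real Isilon syslog format has to be taken from the device's own output. Python is used because its re module accepts the same (?P<name>...) group syntax as Splunk's PCRE engine, so a pattern that passes here can be pasted into props.conf unchanged.

```python
"""Dry-run Splunk search-time field extraction against sample syslog lines.

Added example; not code from the thread or from the EMC Isilon Add-on.
It approximates two things Splunk does at search time:
  * automatic key=value extraction (KV_MODE = auto), which the accepted
    answer notes already covers events written as key=value pairs;
  * a regex EXTRACT-<name> stanza in props.conf, needed for free-text events.
The sample events, AUDIT_BODY and the sourcetype name are constructed.
"""
import re

# Syslog header: "<Mon> <day> <HH:MM:SS> <host> <process>[<pid>]: ".
# The host group is named syslog_host so it does not collide with Splunk's
# own host metadata field, which a file monitor sets to the forwarder.
SYSLOG_HEADER = (
    r"^(?P<syslog_time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<syslog_host>\S+)\s+"
    r"(?P<process>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
)

# Assumed free-text shape of a share-operation audit message:
# "<user> <created|deleted|renamed> <path> [to <new_path>] from <ip>".
# Replace with the shape of your own device's output.
AUDIT_BODY = (
    r"(?P<user>\S+)\s+(?P<action>created|deleted|renamed)\s+"
    r"(?P<path>\S+)(?:\s+to\s+(?P<new_path>\S+))?"
    r"\s+from\s+(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# EXTRACT-<name> regexes run against the whole _raw event, so the
# props.conf pattern is header + body in one expression.
EXTRACTIONS = {"isilon_audit": SYSLOG_HEADER + AUDIT_BODY}

HEADER_RE = re.compile(SYSLOG_HEADER)
AUDIT_RE = re.compile(EXTRACTIONS["isilon_audit"])
KV_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def kv_extract(event: str) -> dict:
    """Approximation of Splunk's automatic key=value extraction."""
    return {k: v.strip('"') for k, v in KV_PAIR_RE.findall(event)}


def parse_event(event: str) -> dict:
    """Fields Splunk would show for one event under the stanza rendered below."""
    h = HEADER_RE.match(event)
    if not h:
        return {}
    fields = {k: v for k, v in h.groupdict().items() if v is not None}
    fields.update(kv_extract(event))          # KV_MODE = auto
    m = AUDIT_RE.match(event)                 # EXTRACT-isilon_audit
    if m:
        fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def props_stanza(sourcetype: str, extractions: dict) -> str:
    """Render the props.conf stanza that applies these extractions at search time."""
    lines = [f"[{sourcetype}]", "KV_MODE = auto"]
    for name, pattern in extractions.items():
        lines.append(f"EXTRACT-{name} = {pattern}")
    return "\n".join(lines) + "\n"


# Constructed sample events, not real Isilon output.
SAMPLE_EVENTS = [
    "Jun 14 10:01:22 isilon01 audit_protocol[1234]: user=jsmith op=delete path=/ifs/data/finance/q1.xlsx result=ok",
    "Jun 14 10:02:05 isilon01 audit_protocol[1234]: jsmith renamed /ifs/data/old.txt to /ifs/data/new.txt from 10.0.0.5",
    "Jun 14 10:03:40 isilon01 audit_protocol[1234]: jsmith deleted /ifs/data/finance/q1.xlsx from 10.0.0.5",
    "Jun 14 10:04:00 isilon01 sshd[77]: Accepted publickey for root from 10.0.0.9 port 2222",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_event(ev))
    print(props_stanza("emc:isilon:syslog", EXTRACTIONS))
```

Running it prints a field map per event; the last line, which is neither key=value nor the audit shape, yields only the header fields, which is the "about 10 fields" situation in the question. EXTRACT stanzas are applied at search time, so the rendered stanza belongs in a local/props.conf on the search head, and the sourcetype in the forwarder's inputs.conf must match the stanza name. Giving the syslog data a sourcetype of your own, rather than reusing the add-on's REST sourcetype, keeps it clear of the add-on's extractions, which, as the answer notes, depend on the script's output.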


pjvarjani
Path Finder

Hi,

We have added a new dashboard for syslog and audit logs in the latest EMC Isilon app. The TA is also updated to receive Isilon syslogs on port 514.
You can download the latest Isilon app and add-on (version 2.0) from Splunkbase and test the syslog integration in your environment.

Thanks,
Pankaj

gorla
New Member

Hi Folks,

Good day!

We also have a similar scenario in our env. We have configured both audit_config and audit_protocol with the heavy forwarder IP in the Isilon /etc/mcp/override/syslog.config. We can see a few system logs, but not share operation logs (like delete file, rename file, etc.). Does anyone have any insights on the same? Thanks
