topic Re: Splunk Add-on for IBM WebSphere Application Server: How to configure the add-on to read from syslog server where rsyslog has forwarded the files? in All Apps and Add-ons

Splunk Add-on for IBM WebSphere Application Server: How to configure the add-on to read from syslog server where rsyslog has forwarded the files?

john_glasscock — Mon, 13 Feb 2017 19:22:13 GMT

The Websphere admin has rsyslog the files over to a syslog server. I am having issues configuring the Splunk Add-on for IBM WebSphere Application Server to pull the log files from the directory. Normally, I would just setup a monitor stanza, but this Add-on doesn't seem to like it. Any help would be appreciated.

Thanks

Re: Splunk Add-on for IBM WebSphere Application Server: How to configure the add-on to read from syslog server where rsyslog has forwarded the files?

goodsellt — Mon, 13 Feb 2017 21:14:54 GMT

Since the addon probably is expecting the native log file lines and you're probably getting a syslog header attached to your lines, you'll likely to do something like this:
- Create a dummy sourcetype like "ibm-websphere-syslog" and monitor your rsyslog files with that.
- In the dummy sourcetype, setup a props and transforms so that it seds out the syslog header, then transforms the line to the "proper" ibm websphere sourcetype from the addon.
- Verify that your data is being properly parsed as the real sourcetype and the fields expected from the addon are appearing.

You could also redo the props.conf and transforms.conf statements to account for your syslog header and throw them in the local dir of the addon.

Re: Splunk Add-on for IBM WebSphere Application Server: How to configure the add-on to read from syslog server where rsyslog has forwarded the files?

aaraneta_splunk — Mon, 20 Mar 2017 00:40:58 GMT

@john.glasscock - Did the answer provided by goodsellt help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!