topic Re: NAS logs integrating to Splunk in Monitoring Splunk

NAS logs integrating to Splunk

vid1 — Tue, 20 Aug 2024 14:19:49 GMT

we need a NAS logs integration to splunk but i dont know how to integrate .We have SC4s container. can anyone help on this

Re: NAS logs integrating to Splunk

gcusello — Tue, 20 Aug 2024 14:41:51 GMT

Hi @vid1 ,

what's your NAS technology? is there ad Add-On for it in apps.splunk.com?

if yes, install it on the Forwarder and on the Search Head.

Ciao.

Giuseppe

Re: NAS logs integrating to Splunk

vid1 — Tue, 20 Aug 2024 14:52:47 GMT

NAS (powerscale storage logs) we need syslog configuration in HF .how to config syslog in our hf

Re: NAS logs integrating to Splunk

gcusello — Tue, 20 Aug 2024 14:58:07 GMT

Hi @vid1 ,

check if the Dell PowerScale Add-On for Splunk (https://splunkbase.splunk.com/app/2689) is the correct one for you.

Otherwise you have to create your own custom add-on.

Ciao.

Giuseppe

Re: NAS logs integrating to Splunk

vid1 — Tue, 20 Aug 2024 15:00:21 GMT

that add on as not working .we can logs collect from syslog server but i don't know how to configure

Re: NAS logs integrating to Splunk

gcusello — Tue, 20 Aug 2024 15:14:21 GMT

Hi @vid1 ,

are you speaking of output configuration on NAS or syslog input Configuration on SC4S?

About NAS, I cannot help you, you should search in the NAS Management menu.

About SC4S, I don't like it, I prefer to configure rsyslog (or syslog-ng) for receiving and then inputs on UF.

Ciao.

Giuseppe

Re: NAS logs integrating to Splunk

vid1 — Tue, 20 Aug 2024 15:16:40 GMT

Yes, i need configuration rsyslog or syslog-ng on the Linux server

Re: NAS logs integrating to Splunk

gcusello — Tue, 20 Aug 2024 15:27:49 GMT

Hi @vid1 ,

you have to configure three items in /etc/rsyslog.conf:

in the MODULES section:

module(load="imudp") # needs to be done just once

module(load="imtcp") # needs to be done just once

depending on the protocol you're using.

then, in TEMPLATES section:

template(name="tmpl-paloalto" type="string" string="/var/log/remote/%fromhost%/paloalto/%HOSTNAME%/paloalto_%$YEAR%-%$MONTH%-%$DAY%_%$HOUR%.log")

this string must be modified based on the path and the name of the files that must be written.

At least the rule to implement:

ruleset(name="writeRemoteData" queue.type="fixedArray" queue.size="250000" queue.dequeueBatchSize="4096" queue.workerThreads="4" queue.workerThreadMinimumMessages="60000") { # network - paloalto if $HOSTNAME == "10.10.10.10" then { action(type="omfile" ioBufferSize="64k" flushOnTXEnd="off" asyncWriting="on" dynafile="tmpl-paloalto" DirCreateMode="0770" FileCreateMode="0660" template="fmt_default") stop }

this is the most important and difficoult part to implement, because you have to implement all your rules.

Ciao.

Giuseppe