I would like to use the EMC Isilon Add-on for Splunk Enterprise, but I don't want the add-on to query my device for any logs.
I am currently sending the Isilon logs to a folder on the Splunk forwarder through syslog. I created a local folder in the add-on folder and created an inputs.conf file with the following information:
[monitor://C:\logs\Isilon]
disabled = false
sourcetype = EMC:Isilon:rest
I do receive logs, but the parsed fields are minimal. Basically it passes host, index, event type, sourcetype, line count, and the basics, probably about 10 fields altogether. I believe there are more fields to be parsed, but because of the changes I have made I have bypassed the script, so I feel that's why more fields aren't being parsed.
Does anyone know the app properly and can tell me what to do to get the other fields parsed just as the app was intended?
Thanks,
Hi,
You are right. Fields in your syslog event are not parsed because you bypassed the script. How to parse the syslog largely depends on the syslog type. I am assuming events are not coming in key=value pairs here, otherwise Splunk would have parsed them automatically.
If you want to parse the syslog manually, you need to extract the required fields in props.conf. There are some other features as well in props.conf which might come in handy for syslog parsing. Below is the link for a sample props.conf:
http://docs.splunk.com/Documentation/Splunk/6.1/Admin/propsconf
Thanks,
Pankaj
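An added example of the manual props.conf extraction described above (not from this thread or the Isilon add-on itself), for the EMC:Isilon:rest sourcetype used in the question. The event layout in the comment is an assumption; real Isilon syslog lines will differ and the regex must be adjusted to match them:

```ini
# props.conf (search-time extraction for the sourcetype the question uses)
[EMC:Isilon:rest]
# Constructed sample event, not a real Isilon line (assumed layout for illustration):
#   Jan 10 12:00:00 isilon-node1 audit_protocol[1234]: alice rename /ifs/data/a.txt success
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# One named capture group per field; these field names are hypothetical.
EXTRACT-isilon_syslog = ^\w{3}\s+\d+\s+[\d:]+\s+(?<node>\S+)\s+(?<facility>\w+)\[(?<pid>\d+)\]:\s+(?<user>\S+)\s+(?<operation>\S+)\s+(?<path>\S+)\s+(?<status>\S+)$
# Only useful if some events do arrive as key=value pairs; harmless otherwise.
KV_MODE = auto
```

Verify with a search such as `sourcetype=EMC:Isilon:rest | table _time node user operation path status` after restarting the search head; a field that stays empty means the regex does not match that event shape.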
Hi,
We have added a new dashboard for syslog and audit logs in the latest EMC Isilon app. The TA is also updated to receive Isilon syslogs on port 514.
You can download the latest Isilon app and add-on (version 2.0) from Splunkbase and test the syslog integration in your environment.
Thanks,
Pankaj
Hi Folks,
Good day!
We also have a similar scenario in our env. We configured both audit_config and audit_protocol with the heavy forwarder IP in the Isilon /etc/mcp/override/syslog.config. We can see a few system logs, but not share operation logs (like delete file, rename file, etc.)... Anyone has any insights on the same? Thanks