I am not sure how to edit the syslog.conf file on my NetApp filer. I replaced adminhost with the IP address of the Splunk server, but when I do a search, nothing comes up. I tried to search filername and same; nothing. How do I know if the syslog is actually going to send data over? I rebooted to try to send some sort of trap. Nothing shows up.
Can the syslog forward the Netapp filer cifs logs to centralized syslog server?
We have an amazing brand new release of Splunk App for NetApp Data ONTAP. Download it here: http://apps.splunk.com/app/1293/
Key new capabilities include:
Do you know exactly what version of syslog it uses?
Generally speaking (massive generalisation there 😄 ) the following command at the top of the syslog.conf file (which I am assuming may work due to the name of the file) will forward all data out of the default port of 514 (assuming this is the default).
*.* @splunk.server.ip.address
Most syslog servers support adding the :PORT to the end, but hopefully it will just use port 514. Then on Splunk you need to configure it to listen on UDP port 514, a la:
http://docs.splunk.com/Documentation/Splunk/4.2.3/Data/Configureyourinputs
The syslog server will probably need a restart after a conf change; if that's no good then let us know what exact version it is and we can change things up slightly 🙂
So if you add the line I had in my answer it should forward it out correctly.
Make sure that after the blah.blah and the @IP you use a tab, as it appears it won't be happy without it, and if the text above isn't commented out then just delete it to be safe.
Also ensure that the port is open on the indexer side and nothing in between is going to potentially block the traffic 🙂
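As an added illustration (not code from the thread or from NetApp/Splunk), the script below does two things the answers above talk about: it evaluates a BSD-style syslog.conf selector such as `*.*` or `auth.info` against a message's facility and severity, and it shows the listener-side check for "is anything actually arriving" by binding a throwaway UDP socket on loopback, sending one syslog datagram to it and decoding the <PRI> header of what comes back. The sample datagram, hostname `filer01` and the unprivileged port are constructed for the example; on a real indexer the same check is a packet capture or a temporary UDP listener on port 514 while the filer logs.

```python
import re
import socket

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample datagram: facility auth (4), severity info (6) -> PRI 38.
SAMPLE = "<38>Oct 11 22:14:15 filer01 [filer01:cifs.auth.trace:info]: CIFS login"


def parse_pri(datagram: str):
    """Return (facility, severity, rest) for a BSD syslog line like SAMPLE."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("no <PRI> header in: " + datagram[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate one syslog.conf selector ('*.*', 'auth.info', 'kern,auth.err')
    the classic BSD way: level N matches N and everything more severe."""
    fac, lvl = selector.split(".", 1)
    if lvl not in SEVERITIES + ["*", "none"]:
        raise ValueError("unknown level in selector: " + selector)
    if fac != "*" and facility not in fac.split(","):
        return False
    if lvl == "none":
        return False
    return lvl == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(lvl)


def loopback_roundtrip(message: str):
    """Bind a UDP listener on 127.0.0.1 (port 0 = OS-chosen, so no root needed
    for 514), send one datagram to it as a filer would, parse what arrives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode(), listener.getsockname())
        data, _ = listener.recvfrom(2048)
    finally:
        sender.close()
        listener.close()
    return parse_pri(data.decode())
```

If nothing arrives at the listener within the timeout, the problem is upstream of Splunk (selector, missing tab, firewall, wrong destination), not the indexer's input configuration.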
This is the syslog conf file; I am using the IP so name resolution shouldn't be an issue. Port 514 is open on the storage device.
cmdsaudit.auditlog @10.11.85.237