
rsyslog for websphere application server

splunker_123
Path Finder

Hi

We are collecting the logs to the Splunk indexer via rsyslog. We've got quite a number of Unix servers monitored in this fashion and it is all working well.
Now I want to include WebSphere application logs in rsyslog so that Splunk can pick them up from there. Do you have any recommended way of doing this, or can you let me know how to achieve this please?
Cheers

1 Solution

jtrucks
Splunk Employee

One method is to install a Splunk Forwarder on the WAS machines and use the Splunk Forwarder Add-on for WebSphere Application Server app. This allows you to easily parse the logs for the right fields in Splunk.

If you need to continue using rsyslog only and not a Splunk Forwarder on the machine, you can enable SYSLOG output for most Websphere products. Set these to send to localhost or directly to the Splunk Indexer.

With a little looking, I've found that some WebSphere products can send a subset of data via syslog natively, but most of the time it can only output to files in a directory on disk. In this case, use the Text File Input Module for rsyslog to configure the daemon to read your WebSphere log files and send them along.

--
Jesse Trucks
Minister of Magic


splunker_123
Path Finder

Hi. This worked for me. Thanks for your help.

We've included the file name we want to monitor in the syslog conf, and via syslog we are sending to a shared drive where Splunk forwarders are installed, and from there it is indexed to the Splunk indexer. It is working, but the log is not getting indexed after logrotate runs at 4.00am: it loses track of the new log file getting generated. Is there a way to sort this out?

0 Karma
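An added example, not posted in this thread, of the Text File Input Module approach from the accepted answer: an rsyslog `imfile` input that tails a WebSphere `SystemOut.log` and forwards it to an indexer over TCP. The log path, tag, facility, target host, port and the rotation style are assumptions; the `reopenOnTruncate` setting covers the logrotate case raised in the follow-up when rotation uses copytruncate (with rename-style rotation, imfile follows the newly created file by itself).

```conf
# rsyslog >= 8 RainerScript. Added example, not from the original thread.
# Paths, tag, facility, target and port below are assumptions.

# imfile keeps per-file state (inode + offset) here, so it resumes correctly
# across rsyslog restarts instead of re-reading or skipping data.
global(workDirectory="/var/spool/rsyslog")

# inotify is used where available; PollingInterval is the fallback (seconds).
module(load="imfile" PollingInterval="10")

input(type="imfile"
      # assumed WebSphere profile/server path
      File="/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1/SystemOut.log"
      Tag="was-systemout:"
      Facility="local6"
      Severity="info"
      # WebSphere entries start with a bracketed timestamp such as
      # "[3/15/24 10:23:45:123 EDT] ..."; any other line (stack trace frames,
      # wrapped messages) is folded into the current entry as a continuation.
      startmsg.regex="^\\["
      # logrotate with copytruncate keeps the same inode and zeroes the file;
      # without this, imfile keeps its old offset and misses everything written
      # after the truncate until the file grows past that offset again.
      reopenOnTruncate="on"
      ruleset="was_to_splunk")

ruleset(name="was_to_splunk") {
    # TCP rather than UDP so entries are not silently dropped in transit; the
    # queue buffers entries while the indexer is unreachable and retries forever.
    action(type="omfwd"
           target="splunk-indexer.example.internal"   # assumed indexer host
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.size="10000"
           action.resumeRetryCount="-1")
}
```

Validate the file with `rsyslogd -N1` before restarting the daemon, and confirm the rotation style in the WebSphere host's logrotate configuration, since `reopenOnTruncate` is only needed for copytruncate.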

splunker_123
Path Finder

Thanks for your reply I will try that and let you know:)

0 Karma