We are collecting the logs to the Splunk indexer via rsyslog. We've got quite a number of Unix servers monitored in this fashion and it is all working well.
Now I want to include WebSphere application logs in rsyslog so that Splunk can pick them up from there. Do you have any recommended way of doing this, or can you let me know how to achieve this, please?
One method is to install a Splunk Forwarder on the WAS machines and use the Splunk Forwarder Add-on for WebSphere Application Server app. This allows you to easily parse the logs for the right fields in Splunk.
If you need to continue using rsyslog only and not a Splunk Forwarder on the machine, you can enable SYSLOG output for most WebSphere products. Set these to send to localhost or directly to the Splunk Indexer.
With a little looking, I've found that some WebSphere products can send a subset of data via syslog natively, but most of the time they can only output to files in a directory on disk. In this case, use the Text File Input Module for rsyslog to configure the daemon to read your WebSphere log files and send them along.
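An rsyslog configuration for the Text File Input Module (imfile) approach described in the answer above, added here as an illustration and not posted by anyone in this thread. The config file name, log path, tag, facility and forwarding target are assumptions or placeholders to replace with your own values.

```conf
# /etc/rsyslog.d/websphere.conf   (file name is an assumption)

# Load the Text File Input Module. On Linux it uses inotify by default,
# so a file recreated under the same name after rotation is picked up.
module(load="imfile")

# Path assumes a default profile (AppSrv01) and server (server1) name.
# startmsg.regex: SystemOut.log records begin with "[timestamp]"; lines
#   that do not start with "[" (stack traces) are joined to the record
#   before them, so one exception arrives as one event.
# readTimeout: emit a pending multi-line record after 5 s of silence
#   instead of waiting for the next record to start.
# reopenOnTruncate: re-read from offset 0 if rotation truncates the
#   file in place rather than renaming it.
# PersistStateInterval: save the read position every 100 lines so a
#   restart does not resend or skip large parts of the file.
input(type="imfile"
      File="/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/server1/SystemOut.log"
      Tag="websphere-systemout:"
      Severity="info"
      Facility="local6"
      startmsg.regex="^[[]"
      readTimeout="5"
      reopenOnTruncate="on"
      PersistStateInterval="100"
      ruleset="websphere_forward")

# Dedicated ruleset so these events follow only this forwarding rule.
# Target host and port are placeholders; reuse the destination your
# other Unix servers already send to.
ruleset(name="websphere_forward") {
    action(type="omfwd"
           target="splunk-indexer.example.com"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.size="10000"
           action.resumeRetryCount="-1")
}
```

The rsyslog user needs read access to the WebSphere log directory, and `rsyslogd -N1` validates the file before the daemon is restarted.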
Hi. This worked for me. Thanks for your help.
We've included the file name we want to monitor in the syslog conf, and via syslog we are sending to a shared drive where Splunk forwarders are installed, and from there it is indexed to the Splunk indexer. It is working, but the log is not getting indexed after logrotate is done at 4.00 am; it loses track of the new log file being generated. Is there a way to sort this out?