I am looking for advice / suggestions / guidance in relation to gathering logs from my Solaris instances running an EDRM s/w (Livelink).
I have the following setup:
- Splunk server (Windows 2003 R2)
- EDRM system (all Solaris 10 servers)
I am new to Splunk and cannot see how I go about capturing my logs. I have an add-on from our s/w supplier written to logs for specific log types from the application instances, but from the looks of it, the only way I can get the logs from my Solaris boxes to my Windows box where Splunk sits is by using a forwarder?
I would appreciate any advice or knowledge from anyone who has already done this. Worth noting I may have issues with installing the forwarder within our environments internally, hence, why I ask the question.
If you do not want to install a forwarder, no problem.
You may want to write a shell script to copy and replicate log files on your server (you may want to use a script using SFTP/FTP).
I wouldn't suggest receiving syslog using port 514, simply because when you take your indexer down for patching, you'll lose the data. Hope that makes sense (that again depends on how critical your data is).
Configure syslog on your servers to send whatever logs you need over syslog to the Splunk server. I'm sure this process is documented in the Solaris docs. You could, if necessary, probably set up one of those servers as a collector to funnel all this traffic through, although that's probably more work than it's worth.
This will also involve setting up a syslog server (I think Kiwi makes a free version for Windows that may work for you - they used to, anyway) on your Splunk server. Configure it to receive syslog on 514 and drop the incoming data into files based on hostname. Have Splunk read those directly off disk.
You might need to configure your application to log to local syslog. That's an application specific question you can probably research with the livelink folks?
Thanks for your reply. Unfortunately, even though your answer makes total sense, I am very restricted internally as to what I can install/do in our environment, but you have kind of answered my question. I think the only way forward for me, and the one I will probably get the ok for is to install the Splunk forwarder on the Solaris boxes and use that to forward the logs.
Thanks again for taking the time to reply.
I have installed Splunk UF v8.1.3 on a Solaris SPARC server v11.5. We are not getting any logs from those servers apart from _internal logs.
We did the below checks:
1. Connection fine - telnet connects.
2. splunkd log - connected to HF and refusing in a few seconds.
3. Directory path is fine in the inputs.conf file.
4. Nothing found in the HF audit log.
5. Checked firewall logs, showing server reset and client reset.
6. Debug log collected and shared with the support team; no root cause found.
Can you please help on this?
What could be the issue here, or am I missing something?
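An added example (not from anyone in this thread) for the symptom described in the post above: a small POSIX shell script that counts connects and failures in the forwarder's splunkd.log and prints a verdict, so that a receiver-side drop can be told apart from a network block. The TcpOutputProc message wording and the log excerpt are constructed assumptions; verify the exact text against your own splunkd.log.

```shell
#!/bin/sh
# Added example, not code from this thread: classify the symptom "connected
# to HF and refusing in a few seconds" from a forwarder's splunkd.log. Message
# wording is an ASSUMPTION modelled on TcpOutputProc lines; check your own log.

# Successful connections to the receiver recorded in log file $1.
count_connects() {
    grep -c 'TcpOutputProc - Connected to' "$1" || true
}

# Connection failures (refused, reset, or timed out) in log file $1.
count_failures() {
    grep -c -E 'TcpOutputProc.*(refused|reset by peer|timed out)' "$1" || true
}

# Prints a verdict word followed by the two counts:
#   churn      connects succeed but sessions drop: check the receiver (port
#              enabled, SSL settings matching) or an in-path device sending
#              resets; a firewall block would not let the connect succeed.
#   no-connect nothing ever connected: check the outputs.conf target and path.
#   stable     sessions hold, so look at inputs.conf and file permissions.
diagnose() {
    c=$(count_connects "$1")
    f=$(count_failures "$1")
    if [ "$c" -gt 0 ] && [ "$f" -gt 0 ]; then
        echo "churn $c $f"
    elif [ "$c" -eq 0 ]; then
        echo "no-connect $c $f"
    else
        echo "stable $c $f"
    fi
}

# Writes a CONSTRUCTED splunkd.log excerpt (not a real capture) to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
03-15-2021 10:02:11.123 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.
03-15-2021 10:02:14.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out
03-15-2021 10:02:30.001 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.
03-15-2021 10:02:33.210 +0000 ERROR TcpOutputProc - Connection to 10.0.0.5:9997 refused
03-15-2021 10:02:50.004 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.
03-15-2021 10:02:53.777 +0000 WARN  TcpOutputProc - Read failure on 10.0.0.5:9997: Connection reset by peer
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
diagnose "$sample"      # prints: churn 3 3
rm -f "$sample"
```

Run it against the real file with `diagnose /opt/splunkforwarder/var/log/splunk/splunkd.log` after adjusting the patterns to the message text your version emits.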
You will probably get better responses if you open a new question with your problem.
The question was probably asked fine, it's only that you need your own set of answers to this and that will happen by asking the question as a question instead of as a comment to this 6 year old thread.
So, copy all that out, and start up a new "Ask a Question" and I'll bet you'll get some great answers!