I am looking for advice / suggestions / guidance in relation to gathering logs from my Solaris instances running an EDRM s/w (Livelink).
I have the following setup:
- Splunk server (Windows 2003 R2)
- EDRM system (all Solaris 10 servers)
I am new to Splunk and cannot see how I go about capturing my logs. I have an add-on from our s/w supplier written to logs for specific log types from the application instances, but from the looks of it, the only way I can get the logs from my Solaris boxes to my Windows box where Splunk sits is by using a forwarder?
I would appreciate any advice or knowledge from anyone who has already done this. Worth noting I may have issues with installing the forwarder within our environments internally, hence why I ask the question.
Configure syslog on your servers to send whatever logs you need over syslog to the Splunk server. I'm sure this process is documented in the Solaris docs. You could, if necessary, probably set up one of those servers as a collector to funnel all this traffic through, although that's probably more work than it's worth.
This will also involve setting up a syslog server (I think Kiwi makes a free version for Windows that may work for you - they used to, anyway) on your Splunk server. Configure it to receive syslog on 514 and drop the incoming data into files based on hostname. Have Splunk read those directly off disk.
You might need to configure your application to log to local syslog. That's an application-specific question you can probably research with the Livelink folks?
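The three pieces this answer describes (a Solaris syslog.conf forwarding entry, a restart of syslogd, and a Splunk monitor stanza for the receiver's per-host drop directory), as an added example that is not from the thread or from Splunk's or Oracle's documentation. The host name splunk01.example.com, the drop directory C:\syslog and the local0 test facility are assumed placeholders. One caveat a practitioner wants here: Solaris syslogd requires a tab, not spaces, between the selector and the action, so the entry is generated with printf and checked for a tab before it is appended.

```sh
#!/bin/sh
# Added example, not from the original thread. Placeholder host and paths below.
SPLUNK_HOST="${SPLUNK_HOST:-splunk01.example.com}"   # assumed: the Windows box running Splunk

# Build one /etc/syslog.conf entry that forwards a selector to a remote host over UDP 514.
# $1 = selector such as "*.info;mail.none", $2 = remote host.
syslog_forward_line() {
    printf '%s\t@%s\n' "$1" "$2"
}

# Solaris syslogd silently ignores entries whose selector and action are separated by
# spaces, so verify a literal tab is present before writing the entry.
has_tab_separator() {
    case "$1" in
        *"$(printf '\t')"*) return 0 ;;
        *) return 1 ;;
    esac
}

# On the Solaris 10 box (as root): append the entry, restart syslogd, send a test message.
# $1 = selector. Not run by the checks below; it touches the live system.
apply_forwarding() {
    line=$(syslog_forward_line "$1" "$SPLUNK_HOST")
    has_tab_separator "$line" || { echo "refusing to write entry without tab" >&2; return 1; }
    printf '%s\n' "$line" >> /etc/syslog.conf
    svcadm restart svc:/system/system-log
    logger -p local0.info "syslog forwarding test from $(uname -n)"
}

# Splunk inputs.conf stanza for the directory where the Windows syslog receiver drops
# per-host files, e.g. C:\syslog\<hostname>\messages.log. host_segment counts
# path segments from the drive letter, so "C:" is 1, "syslog" is 2, the hostname is 3.
# $1 = the drop directory.
splunk_monitor_stanza() {
    cat <<EOF
[monitor://$1]
sourcetype = syslog
host_segment = 3
disabled = false
EOF
}

# Print what would be written, without touching the system:
#   sh this_script.sh show
if [ "${1:-}" = "show" ]; then
    syslog_forward_line '*.info;mail.none' "$SPLUNK_HOST"
    splunk_monitor_stanza 'C:\syslog'
fi
```

Run it with `show` to see the generated entry and stanza; `apply_forwarding '*.info;mail.none'` is the only function that modifies the Solaris host, and it refuses to write an entry that would be ignored by syslogd.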
Thanks for your reply. Unfortunately, even though your answer makes total sense, I am very restricted internally as to what I can install/do in our environment, but you have kind of answered my question. I think the only way forward for me, and the one I will probably get the ok for is to install the Splunk forwarder on the Solaris boxes and use that to forward the logs.
Thanks again for taking the time to reply.
If you do not want to install a forwarder, no problem.
You may want to write a shell script to copy and replicate log files on your server (you may want to use a script using SFTP/FTP).
I wouldn't suggest receiving syslog using port 514 simply because when you take your indexer down for patching, you'll lose the data. Hope that makes sense (that again depends on how critical your data is).
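The pull-style alternative this answer sketches, as an added example that is not from the thread: a script run from cron on the Solaris host that ships only the log files changed since the last successful SFTP transfer. It also illustrates the answer's point about losing data: because the stamp file is advanced only after sftp succeeds, an outage on the receiving side just leaves the files on local disk until the next run, nothing is dropped. The log directory, the SFTP account and host, and the remote directory layout are assumed placeholders; the remote per-host directory and key-based SFTP authentication are assumed to exist already.

```sh
#!/bin/sh
# Added example, not from the original thread. Placeholder paths and host below.
LOG_DIR="${LOG_DIR:-/opt/livelink/logs}"              # assumed: where the application writes logs
STATE_FILE="${STATE_FILE:-/var/tmp/logship.stamp}"    # mtime of the last successful transfer
REMOTE="${REMOTE:-splunk-drop@splunk01.example.com}"  # assumed: SFTP account on the Splunk box

# List *.log files modified after the last successful transfer (every file on the first run).
# Assumes log file names contain no whitespace.
changed_logs() {
    if [ -f "$STATE_FILE" ]; then
        find "$LOG_DIR" -type f -name '*.log' -newer "$STATE_FILE"
    else
        find "$LOG_DIR" -type f -name '*.log'
    fi
}

# Write an sftp batch file uploading each changed log into a per-host remote directory,
# and print how many files it contains. $1 = batch file path, $2 = remote directory.
# Keeping one directory per host lets the Splunk monitor derive the host from the path.
build_sftp_batch() {
    : > "$1"
    count=0
    for f in $(changed_logs); do
        printf 'put %s %s/%s\n' "$f" "$2" "$(basename "$f")" >> "$1"
        count=$((count + 1))
    done
    echo "$count"
}

# Transfer the changed logs; advance the stamp only after sftp reports success, so a
# failed run (receiver down for patching) is simply retried with the same files next time.
ship_logs() {
    batch=$(mktemp) || return 1
    n=$(build_sftp_batch "$batch" "/incoming/$(uname -n)")
    rc=0
    if [ "$n" -gt 0 ]; then
        # -b runs the batch non-interactively and fails on the first error.
        if sftp -b "$batch" "$REMOTE"; then
            touch "$STATE_FILE"
        else
            rc=1
        fi
    fi
    rm -f "$batch"
    return $rc
}

# Invoke from cron as: sh logship.sh --run
if [ "${1:-}" = "--run" ]; then
    ship_logs
fi
```

Whole files are re-sent when they grow, so the receiver should keep stable file names; Splunk's monitor input resumes an already-seen file from its last read position rather than re-indexing it. Rotated logs need unique names on the source for the same reason.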