can you please help me understand how to send system audit log to syslog server.
I am new to splunk and trying to understand how to basically access AS400 from splunk.,Can someone please help me on how we can send the system audit log to a syslog server .....
@garapathis,
This question is over 3 years old, and is unlikely to attract sufficient attention to answer any question you may have. I suggest submitting a new question.
If your IBM I system is at newer releases, V7.2 or V7.3 and fairly current on PTF's you can send the system audit log to a syslog server.
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Update...
and the QHST history log:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Update...
If your IBM i is at newer releases, V7.2 or V7.3 and fairly current on PTF's you can send the system audit log to a syslog server.
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Update...
and the QHST history log:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/IBM%20i%20Technology%20Update...
The best answer to this question I have seen is to use a third-party application that runs on the iSeries and converts the iSeries data to Syslog in key value pairs - Splunk then ingests this Syslog data. Since it is Key Value paired Splunk easily ingests the data and provides a near to real time integration.
Realistically, you are looking at anywhere between 5 to 30 seconds of log delay due to queuing from the iSeries systems. However, even with this delay you gain hours of speed over a direct database export every 8 hours or so - it also impacts your Splunk license a lot less.
Hi,
Can this help?
Thanks!!
Hi,
Thanks. I tried that but no i can't data in 😕