Hi @vid1 ,

check if the Dell PowerScale Add-On for Splunk (https://splunkbase.splunk.com/app/2689) is the correct one for you.

Otherwise you have to create your own custom add-on.

Ciao.

Giuseppe

that add on as not working .we can logs collect from syslog server  but i don't know how to configure 

Hi @vid1 ,

are you speaking of output configuration on NAS or syslog input Configuration on SC4S?

About NAS, I cannot help you, you should search in the NAS Management menu.

About SC4S, I don't like it, I prefer to configure rsyslog (or syslog-ng) for receiving and then inputs on UF.

Ciao.

Giuseppe

Yes, i need configuration rsyslog or syslog-ng on the Linux server

Hi @vid1 ,

you have to configure three items in /etc/rsyslog.conf:

in the MODULES section:

module(load="imudp") # needs to be done just once

or 

module(load="imtcp") # needs to be done just once

depending on the protocol you're using.

then, in TEMPLATES  section:

template(name="tmpl-paloalto" type="string" string="/var/log/remote/%fromhost%/paloalto/%HOSTNAME%/paloalto_%$YEAR%-%$MONTH%-%$DAY%_%$HOUR%.log")

this string must be modified based on the path and the name of the files that must be written.

At least the rule to implement:

ruleset(name="writeRemoteData" queue.type="fixedArray" queue.size="250000" queue.dequeueBatchSize="4096" queue.workerThreads="4" queue.workerThreadMinimumMessages="60000")
{
  # network - paloalto
  if $HOSTNAME == "10.10.10.10" then {
    action(type="omfile" ioBufferSize="64k" flushOnTXEnd="off" asyncWriting="on" dynafile="tmpl-paloalto" DirCreateMode="0770" FileCreateMode="0660" template="fmt_default") stop
  }

this is the most important and difficoult part to implement, because you have to implement all your rules.

Ciao.

Giuseppe