4
edits
Changes
From SME Server
Jump to navigationJump to searchno edit summary
Line 24:
Line 24:
+
10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: '''./splunk list forwarder'''
10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: '''./splunk list forwarder'''
−Next you will need to add which logs files will be forwarded and processed by SPLUNK. Run the following commands for SME logs (Steps 11-16).
+Next you will need to add which logs files will be forwarded and processed by SPLUNK. Run the following commands for SME logs (Steps 11-17).
11. '''./splunk add monitor /var/log/messages -index main -sourcetype syslog'''
11. '''./splunk add monitor /var/log/messages -index main -sourcetype syslog'''
Line 38:
Line 38:
16. '''./splunk add monitor /var/log/boot.log -index main -sourcetype syslog'''
16. '''./splunk add monitor /var/log/boot.log -index main -sourcetype syslog'''
−17. Restart to the SPLUNK server to commit all changes: '''./splunk restart'''
+17. '''./splunk add monitor /var/log/yum/yum.log -index main -sourcetype syslog'''
+18. Restart to the SPLUNK server to commit all changes: '''./splunk restart'''
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
==Deployment considerations==
==Deployment considerations==
−If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-16 with:<br>
+If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-17 with:<br>
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>
then you can create a report/filter or dashboard on the keyword "SME"
then you can create a report/filter or dashboard on the keyword "SME"
Line 49:
Line 51:
==Cleaning Data Indexes==
==Cleaning Data Indexes==
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
−''on your SPLUNK server'': '''splunk clean evendata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)
+''on your SPLUNK server'': '''splunk clean eventdata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)
+(or command: splunk clean eventdata "indexname")
[[category:howto]]
[[category:howto]]
