4
edits
Changes
From SME Server
Jump to navigationJump to searchno edit summary
10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: '''./splunk list forwarder'''
10. At this point you can test to make sure the connection between SME and SPLUNK is working by running the command: '''./splunk list forwarder'''
Next you will need to add which logs files will be forwarded and processed by SPLUNK. Run the following commands for SME logs (Steps 11-16).
Next you will need to add which logs files will be forwarded and processed by SPLUNK. Run the following commands for SME logs (Steps 11-17).
11. '''./splunk add monitor /var/log/messages -index main -sourcetype syslog'''
11. '''./splunk add monitor /var/log/messages -index main -sourcetype syslog'''
16. '''./splunk add monitor /var/log/boot.log -index main -sourcetype syslog'''
16. '''./splunk add monitor /var/log/boot.log -index main -sourcetype syslog'''
17. Restart to the SPLUNK server to commit all changes: '''./splunk restart'''
17. '''./splunk add monitor /var/log/yum/yum.log -index main -sourcetype syslog'''
18. Restart to the SPLUNK server to commit all changes: '''./splunk restart'''
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
Within a few moments if you should begin to see SYSLOG updates to your SPLUNK server from SME over port 9997.
==Deployment considerations==
==Deployment considerations==
If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-16 with:<br>
If you would like to seperate the data being collected from SME on your SPLUNK server, you can create a new index, ie: SME and replace the commands on lines 11-17 with:<br>
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>
'''./splunk add monitor /''<pathtologs>''/ -index sme -sourcetype syslog'''<br>
then you can create a report/filter or dashboard on the keyword "SME"
then you can create a report/filter or dashboard on the keyword "SME"
==Cleaning Data Indexes==
==Cleaning Data Indexes==
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
If you need to clear data that is being collected by SPLUNK from SME you can run the following command:<br>
''on your SPLUNK server'': '''splunk clean evendata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)
''on your SPLUNK server'': '''splunk clean eventdata -index ''<indexname>'''''<br>(where ''<indexname>'' is main, or sme, etc.)
(or command: splunk clean eventdata "indexname")
[[category:howto]]
[[category:howto]]
