Posted to users@cloudstack.apache.org by Mathias Mullins <ma...@citrix.com> on 2012/10/17 19:39:44 UTC
Splunk
We are trying to setup Splunk to do log parsing for a cluster of 4 management servers. Does someone have some experience on this or some script settings that have been effective with them?
Thanks,
Matt
RE: Splunk
Posted by Tamas Monos <ta...@veber.co.uk>.
Hi,
You could use syslog-ng on your management servers.
Set up a file source for syslog-ng (e.g.):
    source s_local { file("/var/log/managementserver.log" program_override("CS-Manager1: ")); };
Then set up a remote destination (e.g.):
    destination d_tls {
        tcp("splunk.myserver.com" port(516)
            tls( ca_dir("/opt/syslog-ng/etc/ca.d")
                 key_file("/opt/syslog-ng/etc/key.d/syslog.key")
                 cert_file("/opt/syslog-ng/etc/cert.d/syslog.crt"))
        );
    };
Then tell syslog-ng what to do (e.g.):
    log {
        source(s_local);
        destination(d_messages);
        destination(d_tls);
    };
On the Splunk box you should have another syslog-ng running if you want TLS, and redirect it into Splunk from there; otherwise just point it at your Splunk listener.
Hope this helps.
Regards
Tamas Monos DDI +44(0)2034687012
Chief Technical Office +44(0)2034687000
Veber: The Hosting Specialists Fax +44(0)871 522 7057
http://www.veber.co.uk
Follow us on Twitter: www.twitter.com/veberhost
Follow us on Facebook: www.facebook.com/veberhost
-----Original Message-----
From: Mathias Mullins [mailto:mathias.mullins@citrix.com]
Sent: 17 October 2012 18:40
To: cloudstack-users@incubator.apache.org
Subject: Splunk
We are trying to setup Splunk to do log parsing for a cluster of 4 management servers. Does someone have some experience on this or some script settings that have been effective with them?
Thanks,
Matt
Re: Splunk
Posted by Matty Courtney <ma...@citrix.com>.
Matt,
I'd begin by alerting on any of the following terms (taken from the
Troubleshooting section of the Install Guide) and then filtering the noise
from the relevant.
Terms: 'exception|unable|fail|invalid|leak|invalid|warn'
Regards,
Matty Courtney
CloudPlatform Implementation Engineer, Worldwide Cloud Services
T +61 409 312 329
matty.courtney@citrix.com
Powering mobile work styles and cloud services
On 18/10/12 9:03 PM, "Mathias Mullins" <ma...@citrix.com> wrote:
>Caleb,
>
>You're spot on. Trying to figure out the alerts and how to set them up.
>
>Thanks,
>Matt Mullins
>CloudPlatform Implementation Engineer
>Worldwide Cloud Services Citrix System, Inc.
>+1 (407) 920-1107 Office/Cell Phone
>matt.mullins@citrix.com
>
>
>
>
>On 10/18/12 11:30 AM, "Caleb Call" <ca...@me.com> wrote:
>
>>What exactly do you mean log parsing? We have our logs going in to
>>splunk, which wasn't any different than adding any other log in to
>>splunk. Do you mean setting up alerts around the logs?
>>
>>
>>On Oct 17, 2012, at 11:39 AM, Mathias Mullins
>><ma...@citrix.com> wrote:
>>
>>> We are trying to setup Splunk to do log parsing for a cluster of 4
>>>management servers. Does someone have some experience on this or some
>>>script settings that have been effective with them?
>>>
>>> Thanks,
>>> Matt
>>
>
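An added example, not part of any post in this thread: the term match suggested above, run over constructed sample lines with a noise filter and per-server counts. The CS-Manager tag follows the program_override value from the syslog-ng reply; the log line layout, the NOISE pattern and the function names are assumptions.

```python
import re
from collections import Counter

# Terms from the post above (the duplicate "invalid" is listed once).
TERMS = ["exception", "unable", "fail", "invalid", "leak", "warn"]
TERM_RE = re.compile("|".join(TERMS), re.IGNORECASE)
# Tag assumed to be set per server via program_override, e.g. "CS-Manager1: ".
TAG_RE = re.compile(r"\b(CS-Manager\d+): ")

# Hypothetical noise filter: patterns judged benign after reviewing the hits.
NOISE = [re.compile(r"failover check passed", re.IGNORECASE)]

# Constructed sample lines; the message layout is an assumption.
SAMPLE = [
    "Oct 18 11:30:01 mgmt1 CS-Manager1: WARN Unable to reach host 12",
    "Oct 18 11:30:02 mgmt1 CS-Manager1: INFO failover check passed",
    "Oct 18 11:30:03 mgmt2 CS-Manager2: ERROR java.lang.NullPointerException",
    "Oct 18 11:30:04 mgmt2 CS-Manager2: DEBUG Invalid session key, retry failed",
    "Oct 18 11:30:05 mgmt3 CS-Manager3: INFO VM 42 started",
]

def scan(lines, noise=NOISE):
    """Return (server, sorted matched terms, line) for each non-noise hit."""
    hits = []
    for line in lines:
        # Case-insensitive substring match, so "failover" also matches "fail".
        terms = sorted({m.group(0).lower() for m in TERM_RE.finditer(line)})
        if not terms or any(n.search(line) for n in noise):
            continue
        tag = TAG_RE.search(line)
        hits.append((tag.group(1) if tag else "unknown", terms, line))
    return hits

def counts_by_server(hits):
    """Count matched terms per server, for threshold-based alerting."""
    counter = Counter()
    for server, terms, _ in hits:
        for term in terms:
            counter[(server, term)] += 1
    return counter

if __name__ == "__main__":
    for (server, term), n in sorted(counts_by_server(scan(SAMPLE)).items()):
        print(f"{server} {term} {n}")
```

Because the terms match as substrings, a benign word such as "failover" triggers "fail"; the NOISE list is where such reviewed false positives are suppressed.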
Re: Splunk
Posted by Mathias Mullins <ma...@citrix.com>.
Caleb,
You're spot on. Trying to figure out the alerts and how to set them up.
Thanks,
Matt Mullins
CloudPlatform Implementation Engineer
Worldwide Cloud Services Citrix System, Inc.
+1 (407) 920-1107 Office/Cell Phone
matt.mullins@citrix.com
On 10/18/12 11:30 AM, "Caleb Call" <ca...@me.com> wrote:
>What exactly do you mean log parsing? We have our logs going in to
>splunk, which wasn't any different than adding any other log in to
>splunk. Do you mean setting up alerts around the logs?
>
>
>On Oct 17, 2012, at 11:39 AM, Mathias Mullins
><ma...@citrix.com> wrote:
>
>> We are trying to setup Splunk to do log parsing for a cluster of 4
>>management servers. Does someone have some experience on this or some
>>script settings that have been effective with them?
>>
>> Thanks,
>> Matt
>
Re: Splunk
Posted by Caleb Call <ca...@me.com>.
What exactly do you mean log parsing? We have our logs going in to splunk, which wasn't any different than adding any other log in to splunk. Do you mean setting up alerts around the logs?
On Oct 17, 2012, at 11:39 AM, Mathias Mullins <ma...@citrix.com> wrote:
> We are trying to setup Splunk to do log parsing for a cluster of 4 management servers. Does someone have some experience on this or some script settings that have been effective with them?
>
> Thanks,
> Matt