Posted to users@cloudstack.apache.org by Mathias Mullins <ma...@citrix.com> on 2012/10/17 19:39:44 UTC

Splunk

We are trying to set up Splunk to do log parsing for a cluster of 4 management servers. Does someone have some experience on this or some script settings that have been effective with them?

Thanks,
Matt

RE: Splunk

Posted by Tamas Monos <ta...@veber.co.uk>.
Hi,

You could use syslog-ng on your management servers.
Set up a file source for syslog-ng (e.g.):
# file() is a source driver, so it sits inside a source block;
# s_local is the source the log statement below reads from.
source s_local {
    file("/var/log/managementserver.log" program_override("CS-Manager1: "));
};

Then set up a remote destination (e.g.):
destination d_tls {
    tcp("splunk.myserver.com" port(516)
        tls( ca_dir("/opt/syslog-ng/etc/ca.d")
             key_file("/opt/syslog-ng/etc/key.d/syslog.key")
             cert_file("/opt/syslog-ng/etc/cert.d/syslog.crt"))
    );
};

Then tell syslog-ng what to do (e.g.):
log {
    source(s_local);
    destination(d_messages);
    destination(d_tls);
};

On the Splunk box you should have another syslog-ng running if you want TLS, and redirect it into Splunk from there; otherwise just point it at your Splunk listener.
Hope this helps.

Regards

Tamas Monos                                               DDI         +44(0)2034687012
Chief Technical                                             Office    +44(0)2034687000
Veber: The Hosting Specialists               Fax         +44(0)871 522 7057
http://www.veber.co.uk

Re: Splunk

Posted by Matty Courtney <ma...@citrix.com>.
Matt,

I'd begin by alerting on any of the following terms (taken from the
Troubleshooting section of the Install Guide) and then filtering the noise
from the relevant.

Terms: 'exception|unable|fail|invalid|leak|invalid|warn'

Regards,

Matty Courtney
CloudPlatform Implementation Engineer, Worldwide Cloud Services
T +61 409 312 329
matty.courtney@citrix.com



On 18/10/12 9:03 PM, "Mathias Mullins" <ma...@citrix.com> wrote:

>Caleb, 
>
>You're spot on. Trying to figure out the alerts and how to set them up.
>
>Thanks,
>Matt Mullins
>CloudPlatform Implementation Engineer
>Worldwide Cloud Services - Citrix System, Inc.
>+1 (407) 920-1107 - Office/Cell Phone
>matt.mullins@citrix.com
>
>
>
>
>On 10/18/12 11:30 AM, "Caleb Call" <ca...@me.com> wrote:
>
>>What exactly do you mean log parsing?  We have our logs going in to
>>splunk, which wasn't any different than adding any other log in to
>>splunk.  Do you mean setting up alerts around the logs?
>>
>>
>>On Oct 17, 2012, at 11:39 AM, Mathias Mullins
>><ma...@citrix.com> wrote:
>>
>>> We are trying to setup Splunk to do log parsing for a cluster of 4
>>>management servers. Does someone have some experience on this or some
>>>script settings that have been effective with them?
>>> 
>>> Thanks,
>>> Matt
>>
>
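
A sketch of the term-based alerting suggested in the reply above, combined with the per-server program_override tag from the syslog-ng reply. It is an added example, not code from any poster or from CloudStack. The CS-Manager2 to CS-Manager4 tags, the noise pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Alert terms from the reply above (the repeated 'invalid' is listed once).
TERMS = re.compile(r"exception|unable|fail|invalid|leak|warn", re.IGNORECASE)
# Tag written by program_override("CS-Manager1: "); CS-Manager2..4 are assumed
# names for the other three management servers.
TAG = re.compile(r"\b(CS-Manager\d+):")
# Hypothetical noise filter: lines that contain a term but need no alert.
NOISE = [re.compile(r"failover check passed", re.IGNORECASE)]

# Constructed sample lines, not taken from a real management server.
SAMPLE = """\
Oct 18 11:30:01 mgmt1 CS-Manager1: WARN  [storage] Unable to reach secondary storage
Oct 18 11:30:02 mgmt1 CS-Manager1: INFO  [agent] Host 5 connected
Oct 18 11:30:03 mgmt2 CS-Manager2: ERROR [api] java.lang.NullPointerException at Foo
Oct 18 11:30:04 mgmt2 CS-Manager2: DEBUG [ha] failover check passed
Oct 18 11:30:05 mgmt3 CS-Manager3: ERROR [db] Invalid credentials for user cloud
Oct 18 11:30:06 mgmt3 CS-Manager3: WARN  [db] Connection leak detected, failed to close
Oct 18 11:30:07 mgmt1 crond: backup job failed
"""

def triage(text):
    """Return (alerts, counts): alert tuples and a per-server/term Counter."""
    alerts, counts = [], Counter()
    for line in text.splitlines():
        tag = TAG.search(line)
        if not tag:                      # not from a tagged management server
            continue
        if any(n.search(line) for n in NOISE):
            continue                     # term present, but known to be benign
        terms = sorted({m.group(0).lower() for m in TERMS.finditer(line)})
        if terms:
            alerts.append((tag.group(1), terms, line))
            for t in terms:
                counts[(tag.group(1), t)] += 1
    return alerts, counts

if __name__ == "__main__":
    alerts, counts = triage(SAMPLE)
    for server, terms, line in alerts:
        print(server, ",".join(terms), "|", line)
    for (server, term), n in sorted(counts.items()):
        print(f"{server} {term}: {n}")
```

The noise list is where the "filtering the noise from the relevant" step happens: start with it empty, review what fires, and add patterns only for lines confirmed benign.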


Re: Splunk

Posted by Mathias Mullins <ma...@citrix.com>.
Caleb, 

You're spot on. Trying to figure out the alerts and how to set them up.

Thanks,
Matt Mullins
CloudPlatform Implementation Engineer
Worldwide Cloud Services - Citrix System, Inc.
+1 (407) 920-1107 - Office/Cell Phone
matt.mullins@citrix.com






Re: Splunk

Posted by Caleb Call <ca...@me.com>.
What exactly do you mean log parsing?  We have our logs going in to splunk, which wasn't any different than adding any other log in to splunk.  Do you mean setting up alerts around the logs?  

