Hi all,
For those of us who are interested, I haven’t been able to confirm, but IBM
support told me the syslog facility is ’USER’, for better/easier filtering.
> On 24 Aug 2017, at 17:35, Shawn Drew <shawndo AT GMAIL DOT COM> wrote:
>
> Right, when trying to figure this out I tried all the local facilities but
> couldn't find the TSM messages. I gave up on the facilities when I found the
> rsync syntax.
>
> On Aug 24, 2017, 3:48 AM -0400, Remco Post <r.post AT plcs DOT nl>, wrote:
>> Hi Shawn,
>>
>> great! thanks! This is really useful. I guess only IBM knows what syslog
>> facility is being used…
>>
>>
>>> On 24 Aug 2017, at 02:29, Shawn Drew <shawndo AT GMAIL DOT COM> wrote:
>>>
>>> I think this syntax is specific to rsyslog (which you probably have)
>>> When you put it in the conf, make sure it is above the line for the
>>> messages file
>>>
>>> if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN')
>>> and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
>>> & @splunkserver.intranet
>>> & ~
>>>
>>> That is 3 lines, in case it wraps.
>>> Line 1) I am filtering out messages that are created by a specific
>>> data-collector service account (connects every 5 minutes) and a specific
>>> informational message. Make sure to set up log rotation for this log.
>>> Line 2) Duplicate the log msg previously described and also send it to
>>> "splunkserver.intranet"
>>> Line 3) Any log already filtered, do not include in any further logging.
>>> This prevents TSM logs from also showing up in the messages file but
>>> needs to be before the messages line in the conf for this to work.
>>>
>>>
>>> This sends the message using the standard syslog protocol to
>>> "splunkserver.intranet". That server receives the message using its
>>> own standard rsyslog installation (needs to be configured to receive
>>> syslog). Then splunk will monitor the messages file and load it into the
>>> index. You can then use splunk filters if you want to move it to a
>>> separate index or whatever. I have all the TSM/DataDomain stuff going
>>> into an isolated index. I think splunk can be configured to receive
>>> syslog messages directly but we don't do it that way (I don't run the
>>> splunk server)
>>>
>>>
>>>
>>> On 8/23/2017 3:56 PM, Remco Post wrote:
>>>> Tell me more, please. I'm quite sure that there is Splunk in my future as
>>>> well, can you share your syslog config?
>>>>
>>
>> --
>>
>> Met vriendelijke groeten/Kind Regards,
>>
>> Remco Post
>> r.post AT plcs DOT nl
>> +31 6 248 21 622
--
Met vriendelijke groeten/Kind Regards,
Remco Post
r.post AT plcs DOT nl
+31 6 248 21 622
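The rsyslog rule Shawn posted above (match dsmserv, drop REPORTING_ADMIN and ANR8592I lines, write to /var/log/dsmserv.log, forward to splunkserver.intranet, then discard) and Remco's note that the facility is reportedly USER can both be checked offline before touching a production rsyslog.conf. The script below is an added example written for this thread, not code from the list or from IBM: it parses RFC 3164 style syslog lines, decodes the PRI header into facility/severity, and replays the posted filter and "& ~" stop semantics over a handful of constructed sample lines. The hostnames, PIDs and message texts are invented for the example; the destinations mirror the posted rule.

```python
import re
from collections import defaultdict

# Destinations from the posted rsyslog rule (hypothetical paths/hosts for the example).
DSMSERV_LOG = "/var/log/dsmserv.log"
SPLUNK_FORWARD = "@splunkserver.intranet"   # rsyslog '@host' means forward over UDP
MESSAGES_LOG = "/var/log/messages"          # the catch-all rule later in the conf

# Standard syslog facility and severity codes (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 style line: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample lines: PRI 14 = user.info, 13 = user.notice, 30 = daemon.info.
SAMPLE_LINES = [
    "<14>Aug 24 17:35:01 tsm01 dsmserv[1234]: ANR0406I Session 77 started for node NODE1 (Linux x86-64).",
    "<14>Aug 24 17:35:02 tsm01 dsmserv[1234]: ANR0406I Session 78 started for administrator REPORTING_ADMIN (Linux x86-64).",
    "<14>Aug 24 17:35:03 tsm01 dsmserv[1234]: ANR8592I Session 79 connection is using protocol TLSV12.",
    "<30>Aug 24 17:35:04 tsm01 sshd[999]: Accepted publickey for admin from 10.0.0.9 port 40000 ssh2",
    "<13>Aug 24 17:35:05 tsm01 dsmserv[1234]: ANR2017I Administrator ADMIN issued command: QUERY SESSION",
]


def parse_syslog(line):
    """Split one RFC 3164 line into the fields rsyslog exposes as properties."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    return {
        "facility": FACILITIES[pri >> 3],   # upper bits of PRI
        "severity": SEVERITIES[pri & 7],    # lower three bits of PRI
        "host": m.group("host"),
        "programname": m.group("prog"),     # rsyslog's $programname
        "msg": m.group("msg"),              # rsyslog's $msg
    }


def matches_dsmserv_rule(rec):
    """The predicate from the posted filter line, as rsyslog would evaluate it."""
    return (rec["programname"] == "dsmserv"
            and "REPORTING_ADMIN" not in rec["msg"]
            and "ANR8592I" not in rec["msg"])


def route(lines):
    """Return {destination: [msg, ...]} showing where each line ends up."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line)
        if matches_dsmserv_rule(rec):
            out[DSMSERV_LOG].append(rec["msg"])        # '... then /var/log/dsmserv.log'
            out[SPLUNK_FORWARD].append(rec["msg"])     # '& @splunkserver.intranet'
            continue                                   # '& ~' : stop, never reaches messages
        out[MESSAGES_LOG].append(rec["msg"])           # falls through to the catch-all rule
    return dict(out)


def facilities_seen(lines):
    """Facility names used by a program; useful to verify the 'USER' claim on real logs."""
    return sorted({parse_syslog(l)["facility"] for l in lines
                   if parse_syslog(l)["programname"] == "dsmserv"})


if __name__ == "__main__":
    for dest, msgs in route(SAMPLE_LINES).items():
        print(dest)
        for m in msgs:
            print("   ", m)
    print("dsmserv facilities:", facilities_seen(SAMPLE_LINES))
```

Running it shows the two surviving dsmserv lines reaching both the dedicated log and the forward target, while the REPORTING_ADMIN and ANR8592I lines are not dropped outright but fall through to the catch-all: the "& ~" only applies to lines the filter matched, so if those excluded messages should stay out of the messages file as well, they need their own discard rule. Pointing `facilities_seen` at a capture from a real dsmserv host is a quick way to confirm whether the facility really is user, as IBM support indicated, before relying on a facility-based selector.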