ADSM-L

Re: [ADSM-L] syslog

2017-09-19 16:47:18
Subject: Re: [ADSM-L] syslog
From: Remco Post <remco.post AT GMAIL DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 19 Sep 2017 22:46:08 +0200
Hi all,

for those of us who are interested, I haven’t been able to confirm, but IBM 
support told me the syslog facility is ’USER’, for better/easier filtering.

> On 24 Aug 2017, at 17:35, Shawn Drew <shawndo AT GMAIL DOT COM> wrote:
> 
> Right, when trying to figure this out I tried all the local facilities but 
> couldn't find the TSM messages. I gave up on the facilities when I found the 
> rsync syntax.
> 
> On Aug 24, 2017, 3:48 AM -0400, Remco Post <r.post AT plcs DOT nl>, wrote:
>> Hi Shawn,
>> 
>> great! thanks! This is really useful. I guess only IBM knows what syslog 
>> facility is being used…
>> 
>> 
>>> On 24 Aug 2017, at 02:29, Shawn Drew <shawndo AT GMAIL DOT COM> wrote:
>>> 
>>> I think this syntax is specific to rsyslog (which you probably have)
>>> When you put it in the conf, make sure it is above the line for the
>>> messages file
>>> 
>>> if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN')
>>> and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
>>> & @splunkserver.intranet
>>> & ~
>>> 
>>> That is 3 lines, in case it wraps.
>>> Line 1) I am filtering out messages that are created by a specific
>>> data-collector service account (connects every 5 minutes) and a specific
>>> informational message. Make sure and setup logrotation for this log
>>> Line 2) Duplicate the log msg previously described and also send it to
>>> "splunkserver.intranet"
>>> Line 3) Any log already filtered, do not include in any further logging.
>>> This prevents TSM logs from also showing up in the messages file but
>>> needs to be before the messages line in the conf for this to work.
>>> 
>>> 
>>> This sends the message using the standard syslog protocol to
>>> "splunkserver.intranet". That server receives the message using the its
>>> own standard rsyslog installation (needs to be configured to receive
>>> syslog) Then splunk will monitor the messages file and load it into the
>>> index. You can then use splunk filters if you want to move it to a
>>> separate index or whatever. I have all the TSM/DataDomain stuff going
>>> into an isolated index. I think splunk can be configured to receive
>>> syslog messages directly but we don't do it that way (I don't run the
>>> splunk server)
>>> 
>>> 
>>> 
>>> On 8/23/2017 3:56 PM, Remco Post wrote:
>>>> Tell me more, please. I'm quite sure that there is Splunk in my future as 
>>>> well, can you share your syslog config?
>>>> 
>> 
>> --
>> 
>> Met vriendelijke groeten/Kind Regards,
>> 
>> Remco Post
>> r.post AT plcs DOT nl
>> +31 6 248 21 622



--

Met vriendelijke groeten/Kind Regards,

Remco Post
r.post AT plcs DOT nl
+31 6 248 21 622

<Prev in Thread] Current Thread [Next in Thread>

ADSM.ORG Privacy and Data Security by KimLaw, PLLC