
Forums: SplunkGeneral: Centralizing syslog on Solaris


Hey guys,

Just read a pretty good article written by benr on Centralizing syslog on Solaris. Since it seems like a lot of you folks out there are running on Solaris, I thought it might be worth posting the link:
http://www.cuddletech.com/blog/pivot/entry.php?id=642

I still think that syslog-ng is the superior solution, but this at least gives you an alternative if you're in an environment where you can't change out your syslog software easily.

cheers,
Joe

Hi Joe,

I used this technique to centralize all Solaris logs on a Red Hat Linux central server where syslog-ng is running.
From this syslog-ng, I send the events to the very good Splunk:

    # named pipe that Splunk reads as an input
    destination splunk {
        pipe("/var/log/splunk.pipe"
             template("$FULLDATE $HOST $PRIORITY $MESSAGE\n"));
    };
and to a MySQL server with:

    # named pipe fed to the MySQL client; template-escape(yes)
    # backslash-escapes quotes in the macro values before they land in the INSERT
    destination d_mysql {
        pipe("/var/log/mysql.pipe"
             template("INSERT INTO logs_$YEAR$MONTH$DAY
    (host, facility, priority, level, tag, datetime, program, msg)
    VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC',
    '$PROGRAM', '$MSG' );\n")
             template-escape(yes));
    };
So, our solution is based on:

Nagios for monitoring;
php-syslog-ng based on MySQL to have an event GUI console;
Splunk for problem analysis and debugging;

Kind regards.
Pierre.
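The d_mysql destination in the post builds an SQL INSERT out of syslog-ng macros, so the $MSG value, which is whatever the logging host sent, ends up inside a quoted literal. The following Python is an added example, not code from the post or from syslog-ng: it models the macro substitution for the macros used above, shows what template-escape(yes) changes, checks the rendered statement with a small tokenizer that follows MySQL's backslash-escape rules, and then stores the same record with bound parameters instead. The sample record, the tokenizer and the helper names are constructed for this example, and SQLite stands in for MySQL.

```python
"""Added example (not part of the original post): what template-escape(yes)
does to the templated INSERT, and a parameterized alternative.
Macro names are the syslog-ng macros used in the post; the rendering code,
the sample record and the helpers are constructed for this example."""
import re
import sqlite3

MACRO_RE = re.compile(r"\$([A-Z]+)")

# The template from the post, joined onto one line.
INSERT_TEMPLATE = (
    "INSERT INTO logs_$YEAR$MONTH$DAY "
    "(host, facility, priority, level, tag, datetime, program, msg) "
    "VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', "
    "'$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );"
)

# Constructed sample record. The apostrophe in the user name is the point:
# $MSG is free text chosen by whatever wrote the original syslog line.
SAMPLE = {
    "HOST": "solaris01", "FACILITY": "auth", "PRIORITY": "notice",
    "LEVEL": "notice", "TAG": "25", "YEAR": "2008", "MONTH": "05",
    "DAY": "12", "HOUR": "10", "MIN": "42", "SEC": "07", "PROGRAM": "sshd",
    "MSG": "Failed login for user o'brien from 10.0.0.5",
}


def template_escape(value: str) -> str:
    """Model of template-escape(yes): prefix single quote, double quote
    and backslash with a backslash."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def render(template: str, fields: dict, escape: bool) -> str:
    """Substitute $MACRO names with field values, escaping each if asked."""
    def sub(m):
        value = fields.get(m.group(1), "")
        return template_escape(value) if escape else value
    return MACRO_RE.sub(sub, template)


def mysql_string_literals(sql: str):
    """Walk the single-quoted literals in SQL text with MySQL's backslash
    rules. Returns (literal values, whether every literal was closed).
    A value that escapes its quotes shows up as a truncated literal and an
    unclosed trailing one, i.e. the statement no longer means what the
    template intended."""
    literals, current, in_str, i = [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if not in_str:
            if c == "'":
                in_str, current = True, []
        elif c == "\\" and i + 1 < len(sql):
            current.append(sql[i + 1])   # \' \" \\ stand for the next char
            i += 1
        elif c == "'":
            literals.append("".join(current))
            in_str = False
        else:
            current.append(c)
        i += 1
    return literals, not in_str


TABLE_RE = re.compile(r"^logs_\d{8}$")


def store_parameterized(conn: sqlite3.Connection, fields: dict) -> str:
    """Same per-day table design, but every value is bound as a parameter so
    no escaping of $MSG is needed. The table name cannot be bound, so it is
    built only from the date macros and validated against a strict pattern.
    Returns the message as stored."""
    table = f"logs_{fields['YEAR']}{fields['MONTH']}{fields['DAY']}"
    if not TABLE_RE.match(table):
        raise ValueError(f"refusing unexpected table name {table!r}")
    conn.execute(f"CREATE TABLE IF NOT EXISTS {table} "
                 "(host TEXT, facility TEXT, priority TEXT, level TEXT, "
                 "tag TEXT, datetime TEXT, program TEXT, msg TEXT)")
    stamp = (f"{fields['YEAR']}-{fields['MONTH']}-{fields['DAY']} "
             f"{fields['HOUR']}:{fields['MIN']}:{fields['SEC']}")
    conn.execute(
        f"INSERT INTO {table} (host, facility, priority, level, tag, "
        "datetime, program, msg) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (fields["HOST"], fields["FACILITY"], fields["PRIORITY"],
         fields["LEVEL"], fields["TAG"], stamp, fields["PROGRAM"],
         fields["MSG"]),
    )
    return conn.execute(f"SELECT msg FROM {table}").fetchone()[0]


def demo_parameterized(fields: dict) -> str:
    """Run store_parameterized against a fresh in-memory database."""
    with sqlite3.connect(":memory:") as conn:
        return store_parameterized(conn, fields)


if __name__ == "__main__":
    raw = render(INSERT_TEMPLATE, SAMPLE, escape=False)
    safe = render(INSERT_TEMPLATE, SAMPLE, escape=True)
    print("without template-escape, literals closed:", mysql_string_literals(raw)[1])
    print("with template-escape, literals closed:   ", mysql_string_literals(safe)[1])
    print("parameterized insert stored:", demo_parameterized(SAMPLE))
```

Without template-escape(yes) the apostrophe in the user name closes the msg literal early and the statement is left with an unclosed quote; with it the literal survives intact. The parameterized version removes the dependence on escaping altogether, which matters if the MySQL server's SQL mode is ever changed to one where backslashes are not escape characters. Whichever shape is used, the mysql.pipe should stay writable only by syslog-ng, since anything written to it is executed as SQL by the consumer.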