
AIX 5.3 /var/adm/ras/errlog file monitoring




Hello -

I have installed the AIX 3.5.6 version of Splunk and the corresponding Splunk for Unix application on an AIX 5.3 machine; however, I am not sure what the best way is to monitor the /var/adm/ras/errlog file on the AIX machine. This is a binary file, so a simple tail-type operation will not work.

Basically, I want to track all messages added to this default log file.

Has anyone tackled this problem? Seems like it would be a common thing for all people monitoring AIX machines.

If I am just missing something obvious, I apologize. I am very new to the platform.

Thanks!

Splunk can't index binary data, but you can use the AIX errpt command to either send the error report to a text file (which Splunk can read with the "monitor" input), or to a named pipe (which Splunk can read with the "fifo" input). There's an option on errpt that lets it output text concurrently with messages being written to the binary file.

Thanks for the information. That is what I had feared. Looks like I'll have to dive into errpt further.

I understand the text file option. I have not tried a named pipe option before. Ideally, I would like to collect the data without taking up additional file storage space on the system by using a text file. Not sure if named pipes are the way to go with that or not.

Cheers!

Even if you write to a file, it doesn't have to use much space. You only need to have enough of the file on disk for Splunk to read it, plus a safety margin (probably only about 30 minutes' worth or the last 10 or so entries, whichever is larger), and then you can roll and delete the rest.

I wrote a Perl script that will output any errors in the error log from the past five minutes. I then wrote a custom scripted input to call that script every 5 minutes. If there's a new entry in the error log, it will index it. Seems to do the job. The beauty of it is that you can give it its own sourcetype ("errpt").
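The scripted-input approach above, written out as an added example in POSIX shell (this is not the poster's Perl script and not Splunk's or IBM's code). It differs from a fixed "last five minutes" window in one way: it persists the timestamp of its previous run in a state file and passes that to `errpt -s`, so a delayed or skipped run does not drop entries; the state-file path and the sample errpt line are assumptions constructed for the example.

```shell
#!/bin/sh
# Splunk scripted input that emits new AIX error-log entries as key=value text.
# Assumed state-file location; any path writable by the Splunk user will do.
STATE_FILE="${STATE_FILE:-/var/tmp/errpt_splunk.last}"

# errpt -s expects a start time in mmddhhmmyy form.
now_stamp() {
  date +%m%d%H%M%y
}

# Convert one errpt summary line into key=value fields that Splunk extracts
# automatically. Summary columns are:
#   IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION...
# Constructed sample input:
#   "0BA49C99   0312104523 T H hdisk0  PHYSICAL VOLUME DECLARED MISSING"
format_entry() {
  echo "$1" | awk '{
    printf "id=%s ts=%s type=%s class=%s resource=%s desc=\"", $1, $2, $3, $4, $5
    for (i = 6; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
    print "\""
  }'
}

# Emit every entry logged since the given mmddhhmmyy stamp, minus the header.
# errpt -s is inclusive to the minute, so an entry logged in the boundary
# minute can be emitted twice; dedupe on id+ts in Splunk if that matters.
collect() {
  errpt -s "$1" | sed '1d' | while read -r line; do
    format_entry "$line"
  done
}

main() {
  stamp=$(now_stamp)
  if [ -r "$STATE_FILE" ]; then
    since=$(cat "$STATE_FILE")
  else
    since=$stamp            # first run: establish a baseline, emit nothing old
  fi
  collect "$since"
  echo "$stamp" > "$STATE_FILE"
}

# Only run for real where errpt exists (i.e. on the AIX host).
if command -v errpt >/dev/null 2>&1; then
  main
fi
```

In inputs.conf the script is wired up with a `[script://...]` stanza carrying `interval = 300` and `sourcetype = errpt`, which gives the entries their own sourcetype as the post describes.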