Enhancing your logging capabilities with Splunk

Now let's point our setup at “/var/log/” so that Splunk indexes everything the syslog server writes there.
Select “Continuously index data from a file or directory this Splunk instance can access”.
Under “Full path to your data”, enter /var/log/ (without the quotes).

One thing to check before clicking through: Splunk can only index what the user it runs as can read. On RHEL, files such as /var/log/messages and /var/log/secure are typically readable by root only, so if Splunk runs as an unprivileged user (the recommended setup), grant that user read access to those files, for example through a group or an ACL. Otherwise the input will report success but the most important files will never show up in a search.

See screen shot


If everything went smoothly, you will now see a “Success” window stating that your data is being indexed by Splunk.

See screen shot


Congratulations, your Splunk setup is now complete. Provided you already have clients pointing at your syslog server, you can start searching their logs.


Searching for Data

In this setup, I have the client “rhel-client.example.com” pointing to my syslog server.

Let's say, for example, I wanted to see the last thing that was installed on my client. I can search for the hostname together with the term yum. This returns the most recent yum events from that specific host, showing which packages were installed.

See screen shot


In the above example, you can see that Apache (httpd) and its dependencies have been installed on the host “rhel-client.example.com”. This is obviously a very simple search, but playing with it gives a feel for how the pieces fit together. If I had a farm of 50 servers and wanted to see what was installed across all of them over the past 24 hours, the same search would do it: drop the hostname from the criteria and restrict the time range instead.
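The two searches described above (one host, and all hosts over the last 24 hours) are easy to prototype offline before relying on them. The following Python script is an added example, not code from the original post: it parses constructed syslog lines of the kind a central syslog server writes into /var/log/messages, keeps only yum “Installed:” events, and groups them by host within a time window. The hostnames other than rhel-client.example.com, the PIDs, timestamps and package versions are made up for this example. The Splunk searches quoted in the comments are the assumed equivalents and rely on the default syslog sourcetype, where Splunk extracts the host field from the syslog header.

```python
"""Offline check of the search logic: which packages did yum install, per host,
within a time window. Added example, not code from the original post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on lines a central syslog server writes to
# /var/log/messages. Hosts other than rhel-client.example.com, PIDs, timestamps
# and package versions are made up for this example.
SAMPLE_LOG = """\
Mar 10 09:14:02 rhel-client.example.com yum[2311]: Installed: apr-1.3.9-5.el6.x86_64
Mar 10 09:14:03 rhel-client.example.com yum[2311]: Installed: apr-util-1.3.9-3.el6.x86_64
Mar 10 09:14:05 rhel-client.example.com yum[2311]: Installed: httpd-tools-2.2.15-29.el6.x86_64
Mar 10 09:14:07 rhel-client.example.com yum[2311]: Installed: httpd-2.2.15-29.el6.x86_64
Mar 10 09:20:11 rhel-client.example.com sshd[2402]: Accepted publickey for admin from 10.0.0.5 port 51122 ssh2
Mar 09 22:01:40 web02.example.com yum[1187]: Installed: nc-1.84-22.el6.x86_64
Mar 10 10:02:33 web02.example.com yum[1301]: Erased: nc-1.84-22.el6.x86_64
Mar 08 11:00:00 web03.example.com yum[877]: Installed: telnet-0.17-47.el6.x86_64
"""

# Fixed "now" so the example is reproducible; a real run would use datetime.now().
EXAMPLE_NOW = datetime(2013, 3, 10, 12, 0, 0)

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message" (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
INSTALLED_RE = re.compile(r"^Installed: (?P<package>\S+)$")


def parse_syslog_line(line, now):
    """Return dict(ts, host, prog, msg), or None if the line is not syslog-shaped.

    The header carries no year, so the year is taken from `now`. A timestamp
    that would land in the future (a December line read on 1 January) is
    moved back one year, which is the usual rollover edge case.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    raw_ts = " ".join(m.group("ts").split())          # collapse "Mar  8" to "Mar 8"
    ts = datetime.strptime(f"{now.year} {raw_ts}", "%Y %b %d %H:%M:%S")
    if ts > now:
        ts = ts.replace(year=now.year - 1)
    return {"ts": ts, "host": m.group("host"), "prog": m.group("prog"), "msg": m.group("msg")}


def yum_installs(log_text, now=EXAMPLE_NOW, hosts=None, since_hours=24):
    """Packages that yum reported as Installed, grouped by host.

    Mirrors the two Splunk searches from the post (assumed SPL equivalents):
      host="rhel-client.example.com" yum                     -> hosts=["rhel-client.example.com"]
      earliest=-24h yum "Installed:"
        | rex "Installed: (?<package>\\S+)"
        | stats values(package) by host                      -> hosts=None, since_hours=24
    """
    cutoff = now - timedelta(hours=since_hours)
    result = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_syslog_line(line, now)
        if ev is None or ev["prog"] != "yum" or ev["ts"] < cutoff:
            continue
        if hosts is not None and ev["host"] not in hosts:
            continue
        pkg = INSTALLED_RE.match(ev["msg"])                 # "Erased:" lines are ignored
        if pkg:
            result[ev["host"]].append(pkg.group("package"))
    return dict(result)


if __name__ == "__main__":
    # Equivalent of the "50 servers, last 24 hours" search over the sample.
    for host, pkgs in sorted(yum_installs(SAMPLE_LOG).items()):
        print(host, pkgs)
```

Running the script lists rhel-client.example.com with httpd and its three dependencies, and web02.example.com with the single package it installed inside the window; web03.example.com drops out because its install is older than 24 hours, and the “Erased:” event is ignored. To use it against real data, feed it the contents of the syslog server's /var/log/messages and pass datetime.now() as `now`. The value of doing this offline is that the regular expression you end up with is exactly what goes into the `rex` command in Splunk.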

Because Splunk now indexes every file under /var/log/, the only remaining work is to configure syslog so that the data you want actually arrives there. That can be Linux logs from other servers, but also network and hardware devices from Cisco, HP, Dell and others: if a device can send logs via syslog, Splunk will pick them up. Two caveats worth keeping in mind. Classic syslog over UDP is neither authenticated nor encrypted, so anyone on the network path can read or spoof log lines; prefer TCP, and TLS where the client supports it. And the hostname Splunk shows comes from the syslog header, which the sending host fills in itself, so a compromised client can lie about who it is; the sender's IP address, which the syslog server can also record, is the more trustworthy attribution.
