Hi Shawn, great! thanks! This is really useful. I guess only IBM knows what syslog facility is being used…
> On 24 Aug 2017, at 02:29, Shawn Drew <shaw...@gmail.com> wrote:
>
> I think this syntax is specific to rsyslog (which you probably have).
> When you put it in the conf, make sure it is above the line for the
> messages file:
>
>     if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN') and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
>     & @splunkserver.intranet
>     & ~
>
> That is 3 lines, in case it wraps.
>
> Line 1) I am filtering out messages that are created by a specific
> data-collector service account (connects every 5 minutes) and a specific
> informational message. Make sure to set up log rotation for this log.
>
> Line 2) Duplicate the log msg previously described and also send it to
> "splunkserver.intranet".
>
> Line 3) Any log already filtered, do not include in any further logging.
> This prevents TSM logs from also showing up in the messages file but
> needs to be before the messages line in the conf for this to work.
>
> This sends the message using the standard syslog protocol to
> "splunkserver.intranet". That server receives the message using its
> own standard rsyslog installation (needs to be configured to receive
> syslog). Then splunk will monitor the messages file and load it into the
> index. You can then use splunk filters if you want to move it to a
> separate index or whatever. I have all the TSM/DataDomain stuff going
> into an isolated index. I think splunk can be configured to receive
> syslog messages directly but we don't do it that way (I don't run the
> splunk server).
>
> On 8/23/2017 3:56 PM, Remco Post wrote:
>> Tell me more, please. I'm quite sure that there is Splunk in my future as
>> well, can you share your syslog config?
>> --

--
Met vriendelijke groeten/Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
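The ordering caveat in Shawn's reply (the dsmserv rule must sit above the messages line, and the discard action is what keeps TSM lines out of /var/log/messages) is easy to get wrong. The following is an added illustration, not code from the thread or from rsyslog: a small Python model of how rsyslog walks its rules top to bottom, run over constructed sample messages, so both orderings can be compared. Paths, hostnames and message texts are taken from or constructed around the reply; the action names are this model's own.

```python
"""Constructed model of the three-line rsyslog rule from Shawn's reply.

Assumed to mirror how rsyslog evaluates a ruleset: every rule is checked in
file order, and a discard action ('& ~' in the legacy syntax, 'stop' in
rsyslog 7+) ends processing for that message so later rules never see it.
"""
from dataclasses import dataclass


@dataclass
class Msg:
    programname: str   # rsyslog's $programname property
    msg: str           # rsyslog's $msg property


def is_tsm_to_keep(m: Msg) -> bool:
    """The 'if' line: dsmserv messages, minus the collector account and ANR8592I."""
    return (m.programname == "dsmserv"
            and "REPORTING_ADMIN" not in m.msg
            and "ANR8592I" not in m.msg)


# A rule is (selector, actions). Action strings are this model's own naming:
# "file:<path>"  - write to a file
# "fwd:<target>" - forward via syslog ('@' = UDP, '@@' = TCP in rsyslog)
# "discard"      - '& ~' / stop
TSM_RULE = (is_tsm_to_keep, ["file:/var/log/dsmserv.log",
                             "fwd:@splunkserver.intranet",
                             "discard"])
MESSAGES_RULE = (lambda m: True, ["file:/var/log/messages"])  # stand-in for the messages line

RIGHT_ORDER = [TSM_RULE, MESSAGES_RULE]   # what the reply recommends
WRONG_ORDER = [MESSAGES_RULE, TSM_RULE]   # TSM rule placed below the messages line


def route(m: Msg, ruleset) -> list:
    """Return the actions applied to m, walking the ruleset top to bottom."""
    taken = []
    for selector, actions in ruleset:
        if not selector(m):
            continue
        for action in actions:
            if action == "discard":
                return taken          # no later rule sees this message
            taken.append(action)
    return taken


if __name__ == "__main__":
    # Constructed sample messages, not real TSM output.
    session = Msg("dsmserv", "Session 42 started for node BACKUP01")
    collector = Msg("dsmserv", "Administrator REPORTING_ADMIN issued command: QUERY STATUS")
    for order in (RIGHT_ORDER, WRONG_ORDER):
        print(route(session, order), route(collector, order))
```

With the recommended order a normal dsmserv line goes only to dsmserv.log and the Splunk forwarder; with the rule below the messages line it also lands in /var/log/messages, which is the duplication Line 3 is meant to prevent.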