Hi Remco,

I can confirm IBM's information. SYSLOG records are coming in via syslog facility 'user' and severity 'info'.

Best regards,
Rainer

From: "Remco Post" <remco.p...@gmail.com>
To: ADSM-L@VM.MARIST.EDU
Date: 19.09.2017 22:47
Subject: Re: [ADSM-L] syslog
Sent by: "ADSM: Dist Stor Manager" <ADSM-L@VM.MARIST.EDU>

Hi all,

for those of us who are interested, I haven't been able to confirm, but IBM support told me the syslog facility is 'USER', for better/easier filtering.

> On 24 Aug 2017, at 17:35, Shawn Drew <shaw...@gmail.com> wrote:
>
> Right, when trying to figure this out I tried all the local facilities but couldn't find the TSM messages. I gave up on the facilities when I found the rsync syntax.
>
> On Aug 24, 2017, 3:48 AM -0400, Remco Post <r.p...@plcs.nl>, wrote:
>> Hi Shawn,
>>
>> great! thanks! This is really useful. I guess only IBM knows what syslog facility is being used…
>>
>>
>>> On 24 Aug 2017, at 02:29, Shawn Drew <shaw...@gmail.com> wrote:
>>>
>>> I think this syntax is specific to rsyslog (which you probably have).
>>> When you put it in the conf, make sure it is above the line for the
>>> messages file.
>>>
>>> if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN') and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
>>> & @splunkserver.intranet
>>> & ~
>>>
>>> That is 3 lines, in case it wraps.
>>> Line 1) I am filtering out messages that are created by a specific data-collector service account (connects every 5 minutes) and a specific informational message. Make sure to set up log rotation for this log.
>>> Line 2) Duplicate the log msg previously described and also send it to "splunkserver.intranet".
>>> Line 3) Any log already filtered, do not include in any further logging. This prevents TSM logs from also showing up in the messages file, but it needs to be before the messages line in the conf for this to work.
>>>
>>>
>>> This sends the message using the standard syslog protocol to "splunkserver.intranet". That server receives the message using its own standard rsyslog installation (needs to be configured to receive syslog). Then splunk will monitor the messages file and load it into the index. You can then use splunk filters if you want to move it to a separate index or whatever. I have all the TSM/DataDomain stuff going into an isolated index. I think splunk can be configured to receive syslog messages directly, but we don't do it that way (I don't run the splunk server).
>>>
>>>
>>>
>>> On 8/23/2017 3:56 PM, Remco Post wrote:
>>>> Tell me more, please. I'm quite sure that there is Splunk in my future as well, can you share your syslog config?
>>>>
>>
>> --
>>
>> Met vriendelijke groeten/Kind Regards,
>>
>> Remco Post
>> r.p...@plcs.nl
>> +31 6 248 21 622

--
Met vriendelijke groeten/Kind Regards,
Remco Post
r.p...@plcs.nl
+31 6 248 21 622
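Added example (my own code, not from this thread, IBM or the rsyslog project): a small Python model of the three-line rsyslog rule Shawn posted, fed with constructed dsmserv lines sent as user.info, the facility and severity Rainer reports. parse() and facility_report() decode the PRI field so you can confirm what facility a server actually uses instead of trying local0..local7 one by one, and route() mirrors the rule; host names, message texts and the sshd line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in BSD syslog (RFC 3164) format, as an rsyslog listener
# would receive them. <14> = facility 1 (user) * 8 + severity 6 (info), the
# combination the thread reports for dsmserv. The message texts are made up.
SAMPLE_LINES = [
    "<14>Sep 19 22:47:01 tsmsrv1 dsmserv: ANR2017I Administrator REPORTING_ADMIN issued command: QUERY SESSION",
    "<14>Sep 19 22:47:02 tsmsrv1 dsmserv: ANR8592I Session 1234 is using protocol TLSv1.2",
    "<14>Sep 19 22:47:03 tsmsrv1 dsmserv: ANR0406I Session 1235 started for node NODE1",
    "<13>Sep 19 22:47:04 tsmsrv1 sshd: Accepted publickey for admin from 10.0.0.5",
]

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")

def parse(line):
    """Decode PRI into facility/severity and split out the program name ($programname)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES.get(pri >> 3, str(pri >> 3)), "severity": SEVERITIES[pri & 7],
            "host": m.group(3), "program": m.group(4), "msg": m.group(5)}

def facility_report(lines):
    """Which facility.severity each program actually uses: check this before writing
    selector-based rules such as 'user.info' instead of guessing local0..local7."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        seen[rec["program"]].add(f'{rec["facility"]}.{rec["severity"]}')
    return dict(seen)

def route(line):
    """Mirror of the three-line rsyslog rule from the thread. Returns the actions taken
    and whether the line continues to later rules (for example the messages file)."""
    rec = parse(line)
    if (rec and rec["program"] == "dsmserv"
            and "REPORTING_ADMIN" not in rec["msg"] and "ANR8592I" not in rec["msg"]):
        # Lines 1 and 2: local file plus forward to the Splunk host; line 3 ('& ~')
        # discards, so the message never reaches the messages rule further down.
        return {"actions": ["/var/log/dsmserv.log", "@splunkserver.intranet"], "continues": False}
    # Condition false: the whole chain (including the discard) is skipped, so the
    # excluded dsmserv lines and everything else fall through to the remaining rules.
    return {"actions": [], "continues": True}
```

One consequence worth checking in your own config: the excluded REPORTING_ADMIN and ANR8592I lines do not match the condition, so the `& ~` never applies to them and they still fall through to whatever rule writes the messages file.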