Splunk
From UGCS
(Difference between revisions)
(Splunk moved to Splunk purchase)
(→See Also)
(One intermediate revision by one user not shown)
Line 1:
| − | + | We use [http://www.splunk.com/ splunk] to manage all our logs. It runs on charon, and is fed [[Logging|logs]] from other machines via syslog-ng. Splunk can be access through a proxy on hermes (go to https://logs.ugcs.caltech.edu). Otherwise, we'd have no control over who had access to the logs since we don't have a version of splunk that does authorization. | |
| + | |||
| + | ==Searching== | ||
| + | You can search by entering a string to search for in the search bar. You can also set a time range- keep it conservative since searching more time takes longer. You can add the following fields to search for: | ||
| + | |||
| + | * host=<host> | ||
| + | * sourcetype=<sourcetype> (see below) | ||
| + | |||
| + | |||
| + | ==Source types== | ||
| + | These source types have been defined for UGCS. You can search for a given source type by adding "sourcetype=<type>" to your search query. | ||
| + | |||
| + | * apache- an alias for apache_access and apache_error | ||
| + | ** apache_error: Apache error logs (.../local1.log) | ||
| + | ** apache_access: Apache access logs (.../local2.log) | ||
| + | |||
| + | * auth- auth.log and authpriv.log | ||
| + | |||
| + | * postfix_syslog: anything postfix (mail.log) | ||
| + | |||
| + | |||
| + | ==See Also== | ||
| + | * [[Splunk_Saved_Searches]] | ||
| + | * [[Logging]] | ||
| + | * [[Alerts]] | ||
| + | |||
| + | [[Category:Sysadmin_Documentation]] | ||
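Review bot: the first paragraph says the hermes proxy is what controls who can see the logs because this Splunk build has no authorization, but the text does not say whether charon's Splunk port is reachable from anywhere other than the proxy; add a sentence stating that only the proxy can reach it (and how that is enforced), otherwise a reader cannot tell whether the authorization gap the paragraph describes is actually closed. Two smaller points in the same hunk: "Splunk can be access through a proxy" should read "can be accessed", and the source-type list mixes "apache-" / "auth-" with "apache_error:" / "postfix_syslog:"; use one separator throughout.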
Latest revision as of 09:20, 26 May 2009
We use splunk to manage all our logs. It runs on charon and is fed logs from other machines via syslog-ng. Splunk is accessed through a proxy on hermes (go to https://logs.ugcs.caltech.edu); the proxy is what controls who can see the logs, because the version of splunk we have does not do authorization itself.
Searching
You can search by entering a string in the search bar. You can also set a time range; keep it narrow, since searching a longer range takes longer. You can add the following fields to narrow the search:
- host=<host>
- sourcetype=<sourcetype> (see below)
Source types
These source types have been defined for UGCS. You can search for a given source type by adding "sourcetype=<type>" to your search query.
- apache: an alias for apache_access and apache_error
  - apache_error: Apache error logs (.../local1.log)
  - apache_access: Apache access logs (.../local2.log)
- auth: auth.log and authpriv.log
- postfix_syslog: anything postfix (mail.log)
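As an added example (not from the UGCS wiki), the search below combines the auth source type above with commands this page does not cover (rex, stats, where, sort) to list remote addresses that have failed to log in many times across our hosts. It assumes the standard sshd "Failed password ... from <ip>" and PAM "authentication failure ... rhost=<ip>" messages appear in auth.log, and the threshold of 20 failures is an arbitrary starting point:

```spl
sourcetype=auth ("Failed password" OR "authentication failure")
| rex "(?:from |rhost=)(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count AS failures, dc(host) AS hosts_hit, values(host) AS hosts BY src_ip
| where failures > 20
| sort - failures
```

Keep the time range narrow, as the page advises; once tuned, a search like this is a candidate for the Splunk_Saved_Searches and Alerts pages linked above.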