Splunk
From UGCS
Revision as of 19:40, 9 May 2009 by Jdhutchin@ugcs.caltech.edu (Talk | contribs)
We use Splunk to manage all our logs. It runs on charon and is fed logs from the other machines via syslog-ng. Splunk is accessed through a proxy on hermes (go to https://logs.ugcs.caltech.edu). The proxy is what restricts who can reach it: the version of Splunk we have does no authorization of its own, so without the proxy we would have no control over who could read the logs.
Searching
You can search by entering a string in the search bar. You can also set a time range; keep it conservative, since searching over more time takes longer. You can add the following fields to narrow the search:
- host=<host>
- sourcetype=<sourcetype> (see below)
Source types
These source types have been defined for UGCS. You can search for a given source type by adding "sourcetype=<type>" to your search query.
- apache: an alias for apache_access and apache_error
- apache_error: Apache error logs (.../local1.log)
- apache_access: Apache access logs (.../local2.log)
- auth: auth.log and authpriv.log
- postfix_syslog: anything postfix (mail.log)
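As an added example (not part of this wiki page, and not UGCS's or Splunk's code), the following Python models the searching and source-type behaviour described above: narrowing a search with host= and sourcetype=, expanding the apache alias to apache_access and apache_error, matching free text, and restricting the time range. The file-to-sourcetype mapping follows the list above and the hostnames charon and hermes come from this page; the log lines, timestamps and the `search`/`search_window` functions are constructed for illustration. The matching rules are a simplification of Splunk's (free-text terms are ANDed and matched case-insensitively as substrings; one value per field).

```python
"""Toy model of the Splunk searches described on the UGCS Splunk page.

Added example, not code from UGCS or Splunk.  It shows how host= and
sourcetype= filters, the 'apache' alias and a time window narrow a set
of syslog-ng-fed events.  All events below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Source types defined on the page; 'apache' is an alias for two of them.
SOURCETYPE_ALIASES = {"apache": {"apache_access", "apache_error"}}

# Log file written by syslog-ng -> sourcetype, as listed on the page.
FILE_TO_SOURCETYPE = {
    "local1.log": "apache_error",
    "local2.log": "apache_access",
    "auth.log": "auth",
    "authpriv.log": "auth",
    "mail.log": "postfix_syslog",
}


@dataclass
class LogEvent:
    time: datetime
    host: str
    source: str  # file name the event was read from
    raw: str     # the log line itself

    @property
    def sourcetype(self) -> str:
        return FILE_TO_SOURCETYPE.get(self.source, "unknown")


def parse_query(query: str):
    """Split a search string into field filters (host=, sourcetype=) and free-text terms."""
    filters, terms = {}, []
    for tok in query.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            filters[key] = value
        else:
            terms.append(tok.lower())
    return filters, terms


def search(events, query, earliest=None, latest=None):
    """Return events matching the query inside [earliest, latest] (simplified Splunk semantics)."""
    filters, terms = parse_query(query)
    # Expand an alias such as 'apache' into the concrete source types it stands for.
    wanted_types = None
    if "sourcetype" in filters:
        st = filters["sourcetype"]
        wanted_types = SOURCETYPE_ALIASES.get(st, {st})
    hits = []
    for ev in events:
        if earliest is not None and ev.time < earliest:
            continue
        if latest is not None and ev.time > latest:
            continue
        if "host" in filters and ev.host != filters["host"]:
            continue
        if wanted_types is not None and ev.sourcetype not in wanted_types:
            continue
        # Every free-text term must appear (case-insensitive substring match).
        if not all(term in ev.raw.lower() for term in terms):
            continue
        hits.append(ev)
    return hits


# Constructed sample data: a fixed "now" so results are reproducible.
NOW = datetime(2009, 5, 9, 19, 0)
SAMPLE_EVENTS = [
    LogEvent(NOW - timedelta(minutes=5), "hermes", "local2.log",
             '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512'),
    LogEvent(NOW - timedelta(minutes=4), "hermes", "local1.log",
             "[error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico"),
    LogEvent(NOW - timedelta(minutes=3), "charon", "auth.log",
             "sshd[1234]: Failed password for invalid user admin from 10.0.0.9 port 5022 ssh2"),
    LogEvent(NOW - timedelta(minutes=2), "charon", "authpriv.log",
             "sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/ls"),
    LogEvent(NOW - timedelta(minutes=90), "charon", "mail.log",
             "postfix/smtpd[77]: connect from unknown[10.0.0.7]"),
]


def search_window(events, query, minutes, now=NOW):
    """Search only the last `minutes` minutes, the 'conservative time range' the page recommends."""
    return search(events, query, earliest=now - timedelta(minutes=minutes), latest=now)


if __name__ == "__main__":
    for q in ("sourcetype=apache", "host=charon sourcetype=auth", "host=charon failed password"):
        print(f"{q!r}: {len(search(SAMPLE_EVENTS, q))} hit(s)")
    print("last 10 min, any query:", len(search_window(SAMPLE_EVENTS, "", 10)))
```

Run it to see how each filter narrows the constructed events: `sourcetype=apache` pulls in both Apache source types, `host=charon sourcetype=auth` covers auth.log and authpriv.log together, and the ten-minute window drops the older mail.log event.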