Topic
  • 6 replies
  • Latest Post - 2015-07-23T00:24:32Z by Ramsyee
Chris.Z
Chris.Z
54 Posts

Pinned topic DataPower and Splunk

2013-06-10T20:08:13Z |

Does anyone have SPLUNK monitoring their DataPower devices?  If so, how do you integrate it?  SYSLOG?  TCP/UDP port?  What is the best way to do this?  I would like to run some tests to see if it's worth our company buying a Splunk license.  I am also going to be looking into the WAMC monitoring tool.  But SPLUNK just looks like it has such a nice interface, and you know upper management always likes the pretty pictures for showing results.

  • dave_mo
    dave_mo
    18 Posts

    Re: DataPower and Splunk

    2013-06-10T20:58:53Z

    We don't "monitor" with Splunk, but we played with it for AAA logging and error logging for troubleshooting purposes.  I suppose the use cases could be expanded for monitoring, but that wasn't what we wanted to use Splunk for.  We drove what is logged via xsl:message and formatted the strings based on name/value pairs for whatever we wanted to capture, to make the searching/reporting based on those pairs super easy in Splunk.

    We tried direct syslog to Splunk via TCP and UDP, and both worked.  We also tried writing to a syslog file off the appliances (to a Linux server) and using the Splunk forwarder on the Linux server to send the entries from the syslog file to Splunk.  We liked the latter scenario a bit more, since the forwarder has the capability of buffering any entries that can't be written if Splunk is down, then, when the indexer comes back, sending the buffered entries and knowing where it left off to continue on.  Of course, if DP can't write to syslog because of network issues or if the syslog server is down, then it's a moot point.  We planned on accepting that risk though.  Our company is still in the Splunk procurement process, so we're holding off on solidifying our logging approach until the deal goes through.

    Hope this helps.

  • Chris.Z
    Chris.Z
    54 Posts

    Re: DataPower and Splunk

    2013-06-17T19:58:17Z

    We need to set up syslog before we can start testing this.  Does anyone have any suggestions for either setting up syslog or incorporating syslog and Splunk?  Maybe a "beware of this" or "make sure you do this" type thing?

    Thanks.

  • HermannSW
    HermannSW
    4733 Posts

    Re: DataPower and Splunk

    2013-06-18T06:56:22Z
    • Chris.Z
    • 2013-06-17T19:58:17Z

    With DataPower you can define log targets of different types.

    The "syslog*" target types are (from WebGUI online help):

    • syslog

      Forwards log entries using UDP to a remote syslog daemon. The local address, remote address, remote port, syslog facility can be set. The processing rate can be limited.

    • syslog-tcp

      Forwards log entries using TCP to a remote syslog daemon. The local address, remote address, remote port, syslog facility can be set. An SSL connection to the syslog host can be created. The processing rate can be limited.

    • syslog-ng (deprecated)

      Deprecated. Use syslog-tcp.


    This seems to be the related Splunk documentation:

    http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogTCP
    http://docs.splunk.com/Documentation/Splunk/latest/Data/SyslogUDP


    I have never used Splunk, so I cannot help with lessons learned.

    Hermann

  • otones
    otones
    1 Post

    Re: DataPower and Splunk

    2013-08-26T12:01:56Z

    Hi Chris,

    We don't use Splunk, but we are implementing AlienVault OSSIM to collect DataPower events, and I suggest you:

    First, use the latest DataPower version (6.x): as we know, in previous versions the logs reported by syslog (of any kind) or SNMP report different information for each event. For instance, using SNMP we get the DP domain name and message ID, but these fields are not sent by syslog.

    We understand that, apart from the protocol-specific information used to send the information, the rest of the log must contain the same information.

    IBM has told us that this is due to a design limitation, and it seems that for syslog-tcp at least the message ID is now included.

    We have not been able to test it because we have to upgrade the version first, but start using syslog-tcp on the latest version.

    Good luck,

    José
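    Three points in the replies above are worth seeing in working code: dave_mo's name/value pairs in the message text, the syslog facility and severity that travel in the <PRI> prefix of the syslog/syslog-tcp targets Hermann lists, and the domain and message-ID fields José says older firmware leaves out of syslog output. The parser below is an added example, not code from any poster, from IBM or from Splunk; it runs over constructed sample lines whose layout (RFC 3164 <PRI>, timestamp, host, then a bracketed [domain][msgid][category][level] header) is an assumption about DataPower's format, and the hostnames, message IDs and users in them are made up. It is the kind of field extraction you would otherwise configure as a Splunk sourcetype, written out so the edge cases (missing domain bracket, malformed PRI) are explicit.

```python
import re
from typing import Dict, List

# Constructed sample lines (not from an appliance). The second line omits the
# [domain] bracket, the older-firmware case described in the thread.
SAMPLES = [
    '<134>Jun 18 06:56:22 dp01 [default][0x80e00015][mpgw][info] '
    'mpgw(orders-gw): tid(1234)[10.0.0.12]: AAA result=allow user="alice" svc=orders rt_ms=42',
    '<131>Jun 18 06:57:01 dp01 [0x80e00073][mpgw][error] '
    'mpgw(orders-gw): tid(1235)[10.0.0.13]: AAA result=deny reason="bad signature" user="mallory"',
    '<134>Jun 18 06:58:10 dp01 [default][0x80e00015][mpgw][info] '
    'mpgw(orders-gw): tid(1236)[10.0.0.12]: AAA result=allow user="bob" svc=orders rt_ms=17',
]

# RFC 3164: PRI = facility * 8 + severity
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def facility_name(code: int) -> str:
    """Facility codes 0-23; local0-local7 are what a log target is usually set to."""
    names = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
             "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
    return names[code] if code < 16 else f"local{code - 16}"


PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
# Assumed DataPower header layout; the domain bracket is optional so lines
# from firmware that does not emit it still parse.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:\[(?P<domain>[^\]]+)\])?"
    r"\[(?P<msgid>0x[0-9a-fA-F]+)\]\[(?P<category>[^\]]+)\]\[(?P<level>[^\]]+)\] "
    r"(?P<body>.*)$", re.S)
# name=value or name="quoted value" pairs placed in the text by xsl:message
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, object]:
    """Split one syslog line into facility/severity, the DataPower header and the kv pairs."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no RFC 3164 <PRI> prefix")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    rec: Dict[str, object] = {
        "facility": facility_name(pri // 8),
        "severity": SEVERITIES[pri % 8],
        "domain": None, "msgid": None, "category": None, "level": None,
        "kv": {},
        "raw": line,
    }
    h = HEADER_RE.match(m.group("rest"))
    if not h:
        return rec  # not DataPower-shaped; still searchable by raw text
    rec.update({k: h.group(k) for k in ("ts", "host", "domain", "msgid", "category", "level", "body")})
    rec["kv"] = {k: v.strip('"') for k, v in KV_RE.findall(h.group("body"))}
    return rec


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [parse_line(line) for line in lines]


def count_by(records: List[Dict[str, object]], key: str) -> Dict[str, int]:
    """Tally one kv field across records, the shape of '... | stats count by result' in Splunk."""
    out: Dict[str, int] = {}
    for r in records:
        v = r["kv"].get(key)
        if v is not None:
            out[v] = out.get(v, 0) + 1
    return out


if __name__ == "__main__":
    recs = parse_lines(SAMPLES)
    for r in recs:
        print(r["severity"], r["domain"], r["msgid"], r["kv"])
    print(count_by(recs, "result"))
```

    The domain-less second sample is the reason the header regex treats the first bracket as optional: if it were required, every line from the older firmware would fall through to the raw-only record and the AAA fields would never be extracted.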

  • Mahesh198
    Mahesh198
    23 Posts

    Re: DataPower and Splunk

    2015-07-22T20:48:58Z
    • HermannSW
    • 2013-06-18T06:56:22Z

    Herman,

    Can we get DataPower device backups using syslog and save them on a remote server? We have syslog running on Linux. Currently, we are using NFS to get the backups every day and save the zip file in a remote location.

    Appreciate your help!

    Thanks,

    Mahesh

  • Ramsyee
    Ramsyee
    129 Posts

    Re: DataPower and Splunk

    2015-07-23T00:24:32Z

    Hi Chris.Z,

    I would definitely recommend going with Splunk. Currently all our devices, using syslog format, are connected to Splunk Enterprise for monitoring, and it sends alerts to the corresponding support teams, etc.

    Earlier we had Wily and other old monitoring tools, which were not as friendly as Splunk is. I would suggest downloading a trial version of Splunk, connecting it to DP and checking it out.

    thanks