Does anyone have Splunk monitoring their DataPower devices? If so, how do you integrate it? Syslog? TCP/UDP port? What is the best way to do this? I would like to run some tests to see if it's worth our company buying a Splunk license. I am also going to be looking into the WAMC monitoring tool. But Splunk just looks like it has such a nice interface, and you know upper management always likes the pretty pictures for showing results.
dave_mo (18 posts), 2013-06-10T20:58:53Z
Re: DataPower and Splunk
We don't "monitor" with Splunk, but we played with it for AAA logging and error logging for troubleshooting purposes. I suppose the use cases could be expanded to monitoring, but that wasn't what we wanted to use Splunk for. We drove what is logged via xsl:message and formatted the strings as name/value pairs for whatever we wanted to capture, to make searching/reporting on those pairs super easy in Splunk.
We tried direct syslog to Splunk via TCP and UDP, and both worked. We also tried writing to a syslog file off the appliances (to a Linux server) and using the Splunk forwarder on the Linux server to send the entries from the syslog file to Splunk. We liked the latter scenario a bit more, since the forwarder has the capability of buffering any entries that can't be written while Splunk is down, then, when the indexer comes back, sending the buffered entries and knowing where it left off to continue on. Of course, if DP can't write to syslog because of network issues, or if the syslog server is down, then it's a moot point. We planned on accepting that risk, though. Our company is still in the Splunk procurement process, so we're holding off on solidifying our logging approach until the deal goes through.
Hope this helps.
Chris.Z (54 posts), 2013-06-17T19:58:17Z
Re: DataPower and Splunk
We need to set up syslog before we can start testing this. Does anyone have any suggestions for either setting up syslog or integrating syslog and Splunk? Maybe a "beware of this" or "make sure you do this" type of thing?
HermannSW (4733 posts), 2013-06-18T06:56:22Z
Re: DataPower and Splunk
In reply to Chris.Z:
With DataPower you can define log targets of different types.
The "syslog*" target types are (from the WebGUI online help):
- Forwards log entries using UDP to a remote syslog daemon. The local address, remote address, remote port and syslog facility can be set. The processing rate can be limited.
- Forwards log entries using TCP to a remote syslog daemon. The local address, remote address, remote port and syslog facility can be set. An SSL connection to the syslog host can be created. The processing rate can be limited.
- Deprecated. Use syslog-tcp.
This seems to be the related Splunk documentation:
I have never used Splunk, so I cannot help with lessons learned.
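As an added example (not from this thread, IBM's help text, or Splunk's own documentation), here is the receiving side for each of the options discussed above as Splunk inputs.conf stanzas: a UDP input for the UDP syslog log target, a TCP input for the syslog-tcp target, a TLS-wrapped TCP input for a syslog-tcp target with its SSL option enabled, and the file monitor a universal forwarder on a Linux syslog host would use for the relay setup dave_mo preferred. Port numbers, the index and sourcetype names, the certificate path and the log file path are assumptions for illustration.

```ini
# Added example, not configuration from the thread or from IBM/Splunk.
# Ports, index/sourcetype names, certificate and log paths are assumptions.

# UDP "syslog" log target sent straight to the indexer. Simplest, but UDP
# drops entries silently under load or network trouble and nothing tells you.
[udp://1514]
sourcetype = datapower:syslog
index = datapower
connection_host = ip

# TCP "syslog-tcp" log target sent straight to the indexer. Delivery is
# reliable while the indexer is up; the appliance does not buffer if it is not.
[tcp://1514]
sourcetype = datapower:syslog
index = datapower
connection_host = ip

# Same, for a syslog-tcp target with its SSL option enabled. The [SSL]
# stanza below names the server certificate Splunk presents to the appliance.
[tcp-ssl://6514]
sourcetype = datapower:syslog
index = datapower
connection_host = ip

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/splunk-syslog.pem
requireClientCert = false

# Relay setup: appliances log to a Linux syslog server and a universal
# forwarder there tails the file. The forwarder buffers and resumes when
# the indexer comes back, which is the property dave_mo valued above.
[monitor:///var/log/datapower/datapower.log]
sourcetype = datapower:syslog
index = datapower
```

Two practical points: binding a port below 1024 (the usual syslog port 514) needs Splunk to run as root, so sites either pick a high port as above or let rsyslog own 514 and forward; and the `[SSL]` stanza is shared by every `tcp-ssl` input in the file, so the certificate's subject name has to match whatever the syslog-tcp target is told to validate.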
otones (1 post), 2013-08-26T12:01:56Z
Re: DataPower and Splunk
We don't use Splunk, but we are implementing AlienVault OSSIM to collect DataPower events, and I suggest:
First, use the latest DataPower version (6.x). As we know, in previous versions the logs reported by syslog (of any kind) and by SNMP report different information for each event. For instance, using SNMP we get the DP domain name and message ID, but these fields are not sent by syslog.
We understand that, apart from the protocol-specific information used to send it, the rest of the log should contain the same information.
IBM has told us that this is due to a design limitation, and it seems that for syslog-tcp at least the message ID is now included.
We have not been able to test this because we have to upgrade the version, but start using syslog-tcp in the latest version.
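The two concerns raised so far, dave_mo's name=value pairs emitted via xsl:message so Splunk can search on them and otones's point that syslog output may lack identifiers such as the domain, come together in the parsing stage. As an added example (not code from the thread or from IBM/Splunk), the script below takes constructed DataPower-style syslog lines, decodes the syslog PRI into facility and severity, pulls out the text-format header and the name=value pairs, and flags records that are missing a field a search or alert would key on. The line layout is an assumption: RFC 3164 framing around a "[msgid][category][priority]" header followed by the pairs; the field names domain, svc and client are hypothetical.

```python
import re

# Added example, not code from the thread or from IBM/Splunk. Parses
# DataPower-style syslog lines into fields and flags records that lack the
# identifiers a Splunk search would key on. The line layout is an assumption:
# RFC 3164 syslog framing around a text-format header "[msgid][category][prio]"
# followed by the name=value pairs a stylesheet would emit via xsl:message.

# RFC 3164 PRI = facility * 8 + severity.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
DP_HEADER_RE = re.compile(r"^\[0x([0-9a-fA-F]{8})\]\[(\w+)\]\[(\w+)\] (.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Hypothetical field names every record must carry before it is useful;
# a record without them silently drops out of any search keyed on them.
REQUIRED = ("domain", "svc", "client")

# Constructed sample input, not real appliance output.
SAMPLE_LINES = [
    '<134>Jun 10 20:58:53 dp01 [0x80000001][aaa][info] xmlfirewall(orders): '
    'tid(123): domain=orders svc=orders-fw client=10.1.2.3 user=alice aaa=ok latency_ms=42',
    '<131>Jun 10 20:58:54 dp01 [0x80000002][aaa][error] xmlfirewall(orders): '
    'tid(124): domain=orders svc=orders-fw client=10.1.2.9 user="bob smith" aaa=fail reason="bad password"',
    '<134>Jun 10 20:58:55 dp01 [0x80000003][xmlfirewall][info] xmlfirewall(orders): '
    'tid(125): svc=orders-fw client=10.1.2.4',
    'garbage line that is not syslog at all',
]


def decode_pri(pri):
    """Split an RFC 3164 PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_kv(text):
    """Extract name=value pairs; values are bare tokens or double-quoted."""
    return {name: quoted or bare for name, quoted, bare in KV_RE.findall(text)}


def parse_line(line):
    """Return a record dict for one syslog line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, stamp, host, body = m.groups()
    facility, severity = decode_pri(int(pri))
    rec = {"host": host, "timestamp": stamp, "facility": facility,
           "severity": severity, "msgid": None, "category": None}
    h = DP_HEADER_RE.match(body)
    if h:
        msgid, category, _level, body = h.groups()
        rec["msgid"] = "0x" + msgid.lower()
        rec["category"] = category
    rec["fields"] = parse_kv(body)
    rec["missing"] = [k for k in REQUIRED if k not in rec["fields"]]
    return rec


def parse_lines(lines):
    """Parse every line, dropping those that are not syslog at all."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def incomplete(records):
    """Records lacking a required field, so they can be surfaced rather than
    vanish from searches that key on that field."""
    return [r for r in records if r["missing"]]


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for r in parsed:
        print(r["severity"], r["msgid"], r["fields"])
    for r in incomplete(parsed):
        print("missing", r["missing"], "in", r["fields"])
```

Run against the constructed lines, the third record is reported as missing `domain`, which is exactly the situation otones describes; in practice you would either fix the log target or stylesheet so the field is always emitted, or have the collector fill it from the receiving socket (per-domain targets on distinct ports) before indexing.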
Mahesh198 (23 posts), 2015-07-22T20:48:58Z
Re: DataPower and Splunk
In reply to HermannSW:
Can we get DataPower device backups using syslog and save them on a remote server? We have syslog running on Linux. Currently, we are using NFS to get the backups every day and save the zip file in a remote location.
Appreciate your help!
Ramsyee (129 posts), 2015-07-23T00:24:32Z
Re: DataPower and Splunk
I would definitely recommend going with Splunk. Currently all our devices use syslog format, connected to Splunk Enterprise for monitoring and sending alerts to the corresponding support teams, etc.
Earlier we had Wily and other old monitoring tools, which were not as friendly as Splunk is. I would suggest downloading a trial version of Splunk, connecting it to DP and checking it out.