> On 20 Sep 2017, at 09:23, Rainer Holzinger <[email protected]> wrote:
>
> Hi Remco,
>
> I can confirm IBM's information.
> SYSLOG records are coming in via syslog facility 'user' and severity
> 'info'.

Hi Rainer,

I'm now guessing all are of sev. info, not reflecting the severity within TSM… well, I guess there must always be something left to improve upon ;-)

Thanks.

>
> Best regards,
> Rainer
>
>
>
> From: "Remco Post" <[email protected]>
> To: [email protected]
> Date: 19.09.2017 22:47
> Subject: Re: [ADSM-L] syslog
> Sent by: "ADSM: Dist Stor Manager" <[email protected]>
>
>
>
> Hi all,
>
> for those of us who are interested, I haven't been able to confirm, but
> IBM support told me the syslog facility is 'USER', for better/easier
> filtering.
>
>> On 24 Aug 2017, at 17:35, Shawn Drew <[email protected]> wrote:
>>
>> Right, when trying to figure this out I tried all the local facilities
>> but couldn't find the TSM messages. I gave up on the facilities when I
>> found the rsync syntax.
>>
>> On Aug 24, 2017, 3:48 AM -0400, Remco Post <[email protected]>, wrote:
>>> Hi Shawn,
>>>
>>> great! thanks! This is really useful. I guess only IBM knows what
>>> syslog facility is being used…
>>>
>>>
>>>> On 24 Aug 2017, at 02:29, Shawn Drew <[email protected]> wrote:
>>>>
>>>> I think this syntax is specific to rsyslog (which you probably have).
>>>> When you put it in the conf, make sure it is above the line for the
>>>> messages file.
>>>>
>>>> if $programname == 'dsmserv' and not ($msg contains 'REPORTING_ADMIN') and not ($msg contains 'ANR8592I') then /var/log/dsmserv.log
>>>> & @splunkserver.intranet
>>>> & ~
>>>>
>>>> That is 3 lines, in case it wraps.
>>>> Line 1) I am filtering out messages that are created by a specific
>>>> data-collector service account (connects every 5 minutes) and a
>>>> specific informational message. Make sure and set up log rotation
>>>> for this log.
>>>> Line 2) Duplicate the log msg previously described and also send it
>>>> to "splunkserver.intranet".
>>>> Line 3) Any log already filtered, do not include in any further
>>>> logging. This prevents TSM logs from also showing up in the messages
>>>> file but needs to be before the messages line in the conf for this
>>>> to work.
>>>>
>>>>
>>>> This sends the message using the standard syslog protocol to
>>>> "splunkserver.intranet". That server receives the message using its
>>>> own standard rsyslog installation (needs to be configured to receive
>>>> syslog). Then splunk will monitor the messages file and load it into
>>>> the index. You can then use splunk filters if you want to move it to
>>>> a separate index or whatever. I have all the TSM/DataDomain stuff
>>>> going into an isolated index. I think splunk can be configured to
>>>> receive syslog messages directly but we don't do it that way (I
>>>> don't run the splunk server).
>>>>
>>>>
>>>>
>>>> On 8/23/2017 3:56 PM, Remco Post wrote:
>>>>> Tell me more, please. I'm quite sure that there is Splunk in my
>>>>> future as well, can you share your syslog config?
>>>>>
>>>
>>> --
>>>
>>> Met vriendelijke groeten/Kind Regards,
>>>
>>> Remco Post
>>> [email protected]
>>> +31 6 248 21 622
>
>
>
> --
>
> Met vriendelijke groeten/Kind Regards,
>
> Remco Post
> [email protected]
> +31 6 248 21 622
>
>
>
>

--

Met vriendelijke groeten/Kind Regards,

Remco Post
[email protected]
+31 6 248 21 622
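An added example, not part of the original thread or of any IBM or rsyslog code: a small Python model of the three-line rule quoted above, run over constructed syslog lines, showing how the PRI value decodes to the 'user'/'info' pair reported in the thread and which records the rule claims. The RFC 3164 framing, the sample lines, the `ANR0000I` message id and the function names `parse` and `route` are assumptions made for illustration.

```python
import re

# Facility and severity names in syslog numbering order (PRI = facility * 8 + severity).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>Mmm dd hh:mm:ss host tag: msg
LINE = re.compile(r"<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^:\s]+):? ?(.*)")

SAMPLES = [  # constructed lines, not captured from a real server
    "<14>Sep 20 09:23:01 tsmhost dsmserv[4242]: ANR0000I constructed message",
    "<14>Sep 20 09:23:02 tsmhost dsmserv[4242]: ANR0000I session for REPORTING_ADMIN (constructed)",
    "<14>Sep 20 09:23:03 tsmhost dsmserv[4242]: ANR8592I constructed message",
    "<13>Sep 20 09:23:04 tsmhost backupscript: constructed line from another program",
]

def parse(raw):
    """Split an RFC 3164 line into the fields the rsyslog rule inspects."""
    m = LINE.fullmatch(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 3164 line: %r" % raw)
    pri, host, tag, msg = m.groups()
    facility, severity = divmod(int(pri), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "host": host, "msg": msg,
            # programname is the tag up to the first '[' or '/' (BSD syslogd rule)
            "programname": re.split(r"[\[/]", tag)[0]}

def route(rec):
    """Destinations the rule assigns; an empty list means the rule did not
    match, so the record is not discarded and continues to later rules."""
    if (rec["programname"] == "dsmserv"
            and "REPORTING_ADMIN" not in rec["msg"]
            and "ANR8592I" not in rec["msg"]):
        return ["/var/log/dsmserv.log", "@splunkserver.intranet"]
    return []

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse(line)
        print(rec["facility"], rec["severity"], rec["programname"], route(rec))
```

In this model the two excluded dsmserv records return an empty list: the discard on the third line applies only to records the `if` matched, so excluded records still reach whatever rules come later in the configuration.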
