From: Tamas Monos
To: cloudstack-users@incubator.apache.org
Subject: RE: Splunk
Date: Thu, 18 Oct 2012 12:59:13 +0000

Hi,

You could use syslog-ng on your management servers.
Set up a file source for syslog-ng (e.g.):

    # goes inside a source { } block, such as the s_local source used below
    file("/var/log/managementserver.log" program_override("CS-Manager1: "));

Then set up a remote destination (e.g.):

    # TLS-wrapped TCP destination pointing at the Splunk host
    destination d_tls {
        tcp("splunk.myserver.com" port(516)
            tls(
                ca_dir("/opt/syslog-ng/etc/ca.d")
                key_file("/opt/syslog-ng/etc/key.d/syslog.key")
                cert_file("/opt/syslog-ng/etc/cert.d/syslog.crt")
            )
        );
    };

Then tell syslog-ng what to do (e.g.):

    # send the local source to both the local file and the TLS destination
    log { source(s_local); destination(d_messages); destination(d_tls); };

On the Splunk box you should have another syslog-ng running if you want TLS, and redirect it into Splunk from there; otherwise just point it at your Splunk listener.

Hope this helps.

Regards

Tamas Monos                     DDI +44(0)2034687012
Chief Technical Office              +44(0)2034687000
Veber: The Hosting Specialists  Fax +44(0)871 522 7057
http://www.veber.co.uk

Follow us on Twitter: www.twitter.com/veberhost
Follow us on Facebook: www.facebook.com/veberhost

-----Original Message-----
From: Mathias Mullins [mailto:mathias.mullins@citrix.com]
Sent: 17 October 2012 18:40
To: cloudstack-users@incubator.apache.org
Subject: Splunk

We are trying to set up Splunk to do log parsing for a cluster of 4 management servers. Does someone have some experience on this or some script settings that have been effective with them?

Thanks,
Matt
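
The receiving side described in the reply above (a second syslog-ng on the Splunk box that terminates TLS and hands the stream to Splunk), as an added example that is not part of the original mail. The names s_tls and d_splunk, the Splunk TCP input on 127.0.0.1:5514, and the reuse of the sender's certificate paths are assumptions; port 516 matches the sender's d_tls destination.

```conf
# syslog-ng on the Splunk host: accept TLS from the management servers
source s_tls {
    tcp(ip(0.0.0.0) port(516)
        tls(
            # server key and certificate for this host (assumed paths)
            key_file("/opt/syslog-ng/etc/key.d/syslog.key")
            cert_file("/opt/syslog-ng/etc/cert.d/syslog.crt")
            # CA certificates that signed the senders' client certificates;
            # syslog-ng looks them up by subject hash (<hash>.0 file names)
            ca_dir("/opt/syslog-ng/etc/ca.d")
            # reject senders that present no certificate or an untrusted one
            peer_verify(required-trusted)
        )
    );
};

# Hand the decrypted stream to a plain TCP input in Splunk, bound to
# loopback so the clear-text listener is not reachable from the network
# (assumed address and port)
destination d_splunk {
    tcp("127.0.0.1" port(5514));
};

log { source(s_tls); destination(d_splunk); };
```

With peer_verify(required-trusted), each management server must present the key_file/cert_file pair from its d_tls destination, so a host without a certificate issued by the trusted CA cannot inject log lines.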