I have a prospect that uses Splunk for RCA - apparently it has the ability to search a lot of data (logs, databases, etc.) very quickly. Their preferred method of integration is via Syslog events. So, two questions:
1. Has anyone integrated Nimsoft alarms into Splunk before?
2. Is anyone aware of a method to generate a Syslog format event from a Nimsoft alarm?
Well, I've worked out a way to get alarms into syslog. I deployed a copy of nas to a Linux server and set up an auto-operator profile that invokes a Lua script that calls the logger command. I could have done it directly from the AO profile command option but I wanted to have a bit more control over the syslog level constants.
Still interested to know if anyone has done integration with Splunk.
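As an added example (not the poster's Lua script and not part of the thread), here is the same auto-operator-to-logger idea written as a POSIX shell script. It assumes, which the thread does not state, that the NAS auto-operator profile invokes it as `nim_alarm_to_syslog.sh <level> <hostname> <probe> <message>` and that `<level>` is on Nimsoft's 0 (clear) to 5 (critical) scale; the level-to-severity mapping is this example's own choice. It also flattens CR/LF and double quotes in the alarm text so that one alarm cannot turn into several syslog records or break the `msg="..."` field on the Splunk side.

```shell
#!/bin/sh
# Added example, not the poster's Lua script: "auto-operator -> logger" as POSIX sh.
# Assumptions (not from the thread): the NAS auto-operator profile runs this as
#   nim_alarm_to_syslog.sh <level> <hostname> <probe> <message>
# and <level> uses Nimsoft's 0 (clear) .. 5 (critical) scale.

# Map a Nimsoft alarm level to a syslog severity keyword accepted by logger -p.
# The mapping itself is this example's choice; adjust it to local conventions.
nim_level_to_severity() {
    case "$1" in
        0|1) echo "info" ;;      # clear / informational
        2)   echo "warning" ;;   # warning
        3)   echo "err" ;;       # minor
        4)   echo "crit" ;;      # major
        5)   echo "alert" ;;     # critical
        *)   echo "notice"; return 1 ;;   # unknown level: still log it, flag via exit status
    esac
}

# Build one single-line key=value record for easy field extraction in Splunk.
# Syslog transports and Splunk's line breaking treat CR/LF as record boundaries,
# so newlines in the alarm text are flattened to spaces and double quotes are
# replaced, keeping one alarm from becoming several records or breaking msg="...".
format_alarm() {
    level=$1; host=$2; probe=$3
    text=$(printf '%s' "$4" | tr '\n\r"' "  '")
    sev=$(nim_level_to_severity "$level") || true
    printf 'nim_level=%s nim_severity=%s host=%s probe=%s msg="%s"\n' \
        "$level" "$sev" "$host" "$probe" "$text"
}

# Hand the formatted record to the local syslog daemon (facility local0 assumed).
send_alarm_to_syslog() {
    sev=$(nim_level_to_severity "$1") || true
    logger -t nimsoft -p "local0.$sev" "$(format_alarm "$@")"
}

# When invoked by the auto-operator with arguments, send; with none, do nothing.
if [ "$#" -ge 4 ]; then
    send_alarm_to_syslog "$1" "$2" "$3" "$4"
fi
```

On a Linux host the record arrives in syslog as something like `nimsoft: nim_level=4 nim_severity=crit host=web01 probe=cdm msg="..."`, which Splunk can index as key=value fields without further parsing.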
I have not done integration with Splunk before, but I was curious if you considered using the sysloggtw probe to send the alarms into Splunk? That might not meet your needs in this particular case, but it might be a simpler out-of-the-box solution if it would do what you need.
Unfortunately sysloggtw can only receive syslog events, generate a Nimsoft alarm (or queue message) and then forward those syslog events on to another syslog receiver - it can't send a syslog event from a Nimsoft alarm.
Actually it can generate syslog messages too. From the release note:
The sysloggtw is also capable of receiving Nimsoft alarm messages from e.g. the NAS auto-operator that will be converted to a syslog message and passed onto remote syslog daemons.
I've seen that and it's also mentioned in the help file, but I can't find any way of actually configuring it to subscribe to alarm messages or how to code a rule in the NAS AO to send alarms to it.
Has anyone done this configuration and can give me the secret?
I believe that sysloggtw will look for and attach to an attach queue called "SYSLOG-OUT", so you can publish to an arbitrary subject like 'myalarms' and create an attach queue named "SYSLOG-OUT" which subscribes to 'myalarms'.
(All from memory which may be rusty.)
Okay, you cannot quote me on this, but I think the sysloggtw probe will attach to a queue named SYSLOG-OUT on the hub if it exists. If it does not exist, I think the probe subscribes to messages with a subject of SYSLOG-OUT. Check the subscribers on the hub and see if you can see the sysloggtw probe subscribing. I am not sure if you have to enable something to make that happen or not.
Paul is quicker on the trigger...
In fact I can't give the prize to either of you.
The queue has to be called sysloggtw and according to case 19662 (https://na4.salesforce.com/50060000004qsBo?srPos=11&srKp=500) the message subject has to be SYSLOG-OUT. So you were both close but no cigar :-)
Thanks anyway for leading me in the right direction.
I was wondering if anyone ever found a solution to this, or happened to make the sysloggtw work and send alarms into Splunk? I am now considering the value of this and whether I can make this work.
To add a different perspective to this thread: are you aware of CA UIM Log Analytics?
CA UIM Log Analytics - YouTube
This new feature is made of some probes that can collect data from logs and forward alarms/events to other solutions:
log_monitoring_service (Log Monitoring Service - Pre-Release - CA Unified Infrastructure Management Probes - CA Technolo…
It is a great feature and it can add a bunch of value for log analysis and integration with CA Agile Ops tools and 3rd-party solutions.