
How to send server LOGS to SPLUNK

patr2217 edited this page Apr 5, 2024 · 4 revisions

MMI SPLUNK LOGS

How to send server LOGS to SPLUNK.

  1. Find out where the LOGS you want to send to SPLUNK are located on the server.
  2. Install the SPLUNK forwarder agent (https://one.rackspace.com/pages/viewpage.action?pageId=196183520#SplunkPCIPlaybook-Step1:InstalltheSplunkForwarder)
  3. Contact the SPLUNK TEAM to set up the account. (Point of contact: Alan Rothwell from the Security Analysis Automation Center)
  4. Use the SPLUNK dashboard to check the metrics.

Check List:

  • Verify that /opt/splunkforwarder/etc/system/local/inputs.conf has the correct host for the instance you want to log.
  • Verify that /opt/splunkforwarder/etc/system/local/server.conf has serverName equal to the hostname, e.g. serverName = sage-prod-as0b7ed895.ord.rackspace.com
  • Start splunk with: sudo -iu splunk /opt/splunkforwarder/bin/splunk start --accept-license --no-prompt
  • Enable it at boot with: sudo /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
  • When adding new logs to SPLUNK we need to create a Jira ticket for the "Security Analysis Automation Center" (example: https://rackspace.atlassian.net/browse/SAAC-8157).
  • You can create the ticket here: https://rax.io/saacjira

Ticket fields:

  • Summary: "Add Logs to SPLUNK Forwarder"
  • Requester Group: TBD
  • Priority: Normal
  • Description: describe which logs, format and path will be added.
  • Work Type: Standard
  • Company Priority: None

  • When creating the ticket, let them know the ENCORE accounts and whether or not the instance is in PCI compliance; in normal conditions the logs are just for analytics and metrics.
  • For the retention time, 90-day retention should be fine.
  • For the index name, choose something like "rax_its_mmi_PROJECT", where PROJECT should be Blueflood, Intelligence, Ele.
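The forwarder checklist above comes down to a few facts that can be verified mechanically before the first start: inputs.conf names the right host and the log paths found in step 1, and server.conf's serverName equals the hostname. The script below is an added example, not part of this page or of Splunk's own tooling; it parses the forwarder's INI-style .conf files with awk/sed and runs those checks. The sample config it writes (including the /var/log/mmi/app.log path and the rax_its_mmi_Intelligence index) is constructed for the demo; the hostname is the page's own example.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for the Splunk
# Universal Forwarder checklist. It reads the forwarder's own .conf files
# (INI-style stanzas) and compares them with the hostname of the instance.
# The config written by write_sample_conf is constructed for this demo.

# conf_get FILE STANZA KEY -> prints the value of KEY inside [STANZA], or nothing.
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
                      in_stanza = (line == stanza); next }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# Checklist: server.conf [general] serverName must equal the instance hostname.
check_servername() {
    name=$(conf_get "$1" general serverName)
    [ -n "$name" ] && [ "$name" = "$2" ]
}

# Checklist: inputs.conf [default] host must name the instance being logged.
check_host() {
    h=$(conf_get "$1" default host)
    [ -n "$h" ] && [ "$h" = "$2" ]
}

# Print the path of every [monitor://...] stanza, i.e. the logs that will be sent.
list_monitors() {
    sed -n 's|^[[:space:]]*\[monitor://\(.*\)\]|\1|p' "$1"
}

# Print monitored paths that do not exist on this host (nothing would be sent).
missing_monitor_paths() {
    list_monitors "$1" | while IFS= read -r p; do
        [ -e "$p" ] || echo "$p"
    done
}

# Run every check against a config dir; DIR defaults to the forwarder's
# system/local directory named on the page. Returns 0 only if all checks pass.
check_forwarder() {
    dir="${1:-/opt/splunkforwarder/etc/system/local}"; host="$2"; rc=0
    if check_servername "$dir/server.conf" "$host"; then echo "OK   serverName matches $host"
    else echo "FAIL serverName in $dir/server.conf is not $host"; rc=1; fi
    if check_host "$dir/inputs.conf" "$host"; then echo "OK   inputs.conf host matches $host"
    else echo "FAIL inputs.conf [default] host is not $host"; rc=1; fi
    for p in $(missing_monitor_paths "$dir/inputs.conf"); do
        echo "WARN monitored path does not exist: $p"
    done
    return "$rc"
}

# Constructed sample config (hostname taken from the page's own example).
write_sample_conf() {
    cat > "$1/server.conf" <<'EOF'
[general]
serverName = sage-prod-as0b7ed895.ord.rackspace.com
EOF
    cat > "$1/inputs.conf" <<'EOF'
[default]
host = sage-prod-as0b7ed895.ord.rackspace.com

# constructed log path; index follows the page's rax_its_mmi_PROJECT convention
[monitor:///var/log/mmi/app.log]
index = rax_its_mmi_Intelligence
sourcetype = mmi:app
disabled = 0
EOF
}

# Demo run against the constructed config. On a real forwarder run
# check_forwarder "" "$(hostname -f)" instead, before the splunk start step.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir"
check_forwarder "$demo_dir" sage-prod-as0b7ed895.ord.rackspace.com
rm -rf "$demo_dir"
```

The WARN for a missing monitor path is deliberately not a failure: the path may be created later by the application, but it is the usual reason an index stays empty after the forwarder is running, so it is worth seeing before opening the ticket.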

How to check server LOGS in SPLUNK.

To access the SPLUNK dashboards, request membership in the LDAP group "lnx-cloud-mmi-engineers" through "SailPoint IdentityIQ" by searching for lnx-cloud-mmi-engineers.

SPLUNK dashboard at https://sage.rackspace.com:8000/en-US/app/mmi/search

You can use the following searches, one per index:

  • index=rax_it_mmi_sage (INTELLIGENCE)
  • index=rax_metrics_bluefloodstaging (BLUEFLOOD STAGING)
  • index=rax_metrics_bluefloodprod (BLUEFLOOD PRODUCTION)