Version: 2.201911.x.x LTS

Log files

Each Nevis instance, such as nevisProxy or nevisAuth, creates individual log files which are stored on the local file system. The Nevis product or component rotates these files itself, limiting the number and size of the files.

You can forward this log data in real time to a syslog server by configuring the log facilities of each Nevis product or component accordingly. This can either be done by adapting the Nevis product or component's configuration file manually or by using nevisAdmin to generate suitable configuration files.

Alternatively, the Splunk universal forwarder or Filebeat may be used to forward log data to a centralized log server.

Syslog

nevisAppliance includes the rsyslog service.

  • Configuration: /etc/rsyslog.conf
  • Start/stop: systemctl start|stop rsyslog.service
  • Enable: Always enabled

See the chapter Configure the Nevis product and components for how to configure a nevisAppliance to be used as a central logging server.

Splunk Universal Forwarder

You can use the Splunk Universal Forwarder to forward your log data to the Splunk server for indexing and consolidation.

Caution: The default Splunk Universal Forwarder configuration starts a management service that listens on all network interfaces (that is, 0.0.0.0). See the official Splunk documentation for information on how to configure the default management service.

To enable the Splunk Universal Forwarder, you can create the necessary configuration files and start the process as shown in the following example.

Ensure you always call the /opt/splunkforwarder/bin/splunk command line tool as the user splunk (not root) to maintain proper file permissions.

  1. Copy the default splunkd.xml to enable the forwarder. If this file is not present, the Splunk Forwarder is not started at reboot.

     cp /opt/splunkforwarder/etc/myinstall/splunkd.xml.cfg-default \
        /opt/splunkforwarder/etc/myinstall/splunkd.xml

  2. Create a user-seed.conf file with the initial user at the path /opt/splunkforwarder/etc/system/local/user-seed.conf, with the following contents (adjust the username and password accordingly):

     [user_info]
     USERNAME = admin
     PASSWORD = change-me

  3. Splunk might ask for the 'CA file' to be specified. The original file that comes with the product can be used here:

     cp /opt/splunkforwarder/etc/auth/ca.pem.default /opt/splunkforwarder/etc/auth/ca.pem

  4. Start the Splunk Forwarder manually on the nevisAppliance to complete the setup:

     /opt/splunkforwarder/bin/splunk start

  5. Use the /opt/splunkforwarder/bin/splunk command line tool to configure the Splunk Forwarder. For example, use splunk add forward-server <hostname> to specify your log host. See Configure the universal forwarder.

     # Forward to a Splunk server
     /opt/splunkforwarder/bin/splunk add forward-server splunk.intra.example.net:9997

     # Add a log file to monitor
     /opt/splunkforwarder/bin/splunk add monitor /var/opt/nevisagent/default/logs/nevisagent.log

Provide the previously configured [user_info] as the username and password, when asked.

  • Configuration: Via the command line interface
  • Start/stop: /etc/init.d/splunk stop|start
  • Enable: Create the file /opt/splunkforwarder/etc/myinstall/splunkd.xml
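The five steps above, collected into one idempotent script as an added example (this is not code from the Nevis documentation or from Splunk). It refuses to run as any user other than splunk, copies the two default files only when they are missing so a re-run never clobbers a customised one, and writes user-seed.conf with owner-only permissions, taking the password from the environment rather than the command line. SPLUNK_HOME, SPLUNK_HOST, MONITOR_FILE, SPLUNK_ADMIN_USER and SPLUNK_ADMIN_PASSWORD are assumed variable names; their defaults are the values used on this page.

```sh
#!/bin/sh
# Added example, not part of the Nevis documentation or the Splunk product.
# Assumptions (override via the environment): SPLUNK_HOME, SPLUNK_HOST (log host:port),
# MONITOR_FILE, SPLUNK_ADMIN_USER and SPLUNK_ADMIN_PASSWORD. The password is read from
# the environment so it never shows up in a command line or in the shell history.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
SPLUNK_HOST="${SPLUNK_HOST:-splunk.intra.example.net:9997}"
MONITOR_FILE="${MONITOR_FILE:-/var/opt/nevisagent/default/logs/nevisagent.log}"
SPLUNK_ADMIN_USER="${SPLUNK_ADMIN_USER:-admin}"

# The splunk CLI must run as user splunk (not root) so the files it creates stay
# readable by the daemon. Fail early instead of repairing ownership afterwards.
require_splunk_user() {
  [ "$(id -un)" = "splunk" ] || { echo "run as user splunk, not $(id -un)" >&2; return 1; }
}

# Step 1: a present splunkd.xml is what makes the forwarder start at reboot.
# Copy the default only when the file is missing.
enable_forwarder() {
  target="$SPLUNK_HOME/etc/myinstall/splunkd.xml"
  if [ ! -f "$target" ]; then
    cp "$target.cfg-default" "$target"
  fi
}

# Step 2: write user-seed.conf with mode 0600; it holds the initial admin password.
write_user_seed() {
  seed="$SPLUNK_HOME/etc/system/local/user-seed.conf"
  mkdir -p "$(dirname "$seed")"
  ( umask 077
    printf '[user_info]\nUSERNAME = %s\nPASSWORD = %s\n' \
      "$SPLUNK_ADMIN_USER" "$SPLUNK_ADMIN_PASSWORD" > "$seed" )
}

# Step 3: the product's default CA file answers the 'CA file' prompt; copy only if missing.
install_default_ca() {
  ca="$SPLUNK_HOME/etc/auth/ca.pem"
  if [ ! -f "$ca" ]; then
    cp "$ca.default" "$ca"
  fi
}

# Steps 4 and 5: start the forwarder, then register the log host and the file to monitor.
start_and_configure() {
  "$SPLUNK_HOME/bin/splunk" start
  "$SPLUNK_HOME/bin/splunk" add forward-server "$SPLUNK_HOST"
  "$SPLUNK_HOME/bin/splunk" add monitor "$MONITOR_FILE"
}

main() {
  require_splunk_user
  enable_forwarder
  write_user_seed
  install_default_ca
  start_and_configure
}

# Only act when explicitly asked, so the file can also be sourced to reuse the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `SPLUNK_ADMIN_PASSWORD='...' sh setup-forwarder.sh run` from the splunk account; with `set -u` an unset password aborts the script before anything is written.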

Control and configure Splunk forwarder

Allow access to OS logs (/var/log/*) for Splunk

By default, access to log files created by the OS is restricted to the root user. To give the Splunk daemon (running as user splunk) read access to files underneath the /var/log/ directory, modify the file /etc/logrotate.d/syslog by adding setfacl calls to it:

/etc/logrotate.d/syslog

/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    create 0640 root root
    postrotate
        /usr/bin/setfacl -m u:splunk:r /var/log/cron 2>/dev/null 1>/dev/null
        /usr/bin/setfacl -m u:splunk:r /var/log/maillog 2>/dev/null 1>/dev/null
        /usr/bin/setfacl -m u:splunk:r /var/log/messages 2>/dev/null 1>/dev/null
        /usr/bin/setfacl -m u:splunk:r /var/log/secure 2>/dev/null 1>/dev/null
        /usr/bin/setfacl -m u:splunk:r /var/log/spooler 2>/dev/null 1>/dev/null
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
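Two points a practitioner will want to cover with the stanza above: the postrotate hook only grants the ACL when a file is next rotated, so the forwarder has no access until then, and the redirects hide any setfacl failure (for instance on a file system mounted without ACL support). The following script is an added example, not part of the Nevis documentation: it grants read access to the splunk user right away, takes the file list from the same logrotate stanza so the two cannot drift apart, and checks each ACL with getfacl instead of discarding the result. LOGROTATE_CONF and ACL_USER are assumed variable names.

```sh
#!/bin/sh
# Added example, not part of the Nevis documentation. Assumes the logrotate stanza layout
# shown above (paths before the opening brace). LOGROTATE_CONF and ACL_USER are assumptions.
set -eu

LOGROTATE_CONF="${LOGROTATE_CONF:-/etc/logrotate.d/syslog}"
ACL_USER="${ACL_USER:-splunk}"

# Print the absolute paths listed before the opening '{' of the stanza, one per line.
# Accepts both one path per line (as above) and several paths on one line.
stanza_paths() {
  awk '/^[[:space:]]*#/ { next }
       index($0, "{") > 0 { exit }
       { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' "$1"
}

# Grant read access to one file; fail if the ACL is not visible afterwards.
grant_read() {
  setfacl -m "u:$ACL_USER:r" "$1"
  getfacl -p "$1" 2>/dev/null | grep -q "^user:$ACL_USER:r"
}

# Return 0 only if every listed file that exists now carries the ACL. Missing files are
# skipped, which matches the stanza's "missingok".
grant_all() {
  rc=0
  for f in $(stanza_paths "$LOGROTATE_CONF"); do
    [ -e "$f" ] || continue
    if grant_read "$f"; then
      echo "ok   $f"
    else
      echo "FAIL $f" >&2
      rc=1
    fi
  done
  return $rc
}

if [ "${1:-}" = "run" ]; then grant_all; fi
```

Run it once as root after editing the stanza (`sh grant-log-acl.sh run`); a non-zero exit means at least one file still lacks the ACL, which the silent postrotate hook would never report.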