Splunk and Isilon


David Maislin

Jan 17, 2014, 12:17:31 PM
to isilon-u...@googlegroups.com
Hi,

I work for Splunk and am just digging into the Isilon for the first time, thinking that I might just update the customer written Splunk for EMC Isilon app:  http://apps.splunk.com/app/817/.

I installed the downloadable VM of an isilon, set it up, set up a share under the ifs, mounted it, and all is working well.  I then wanted to look at more than just the default performance monitoring statistics that the app seems to be written for where he runs a cron to:  /usr/bin/isi statistics system --nodes --running=300 -i 300 -r 288 --timestamp > /var/log/isi-statistics.log

I see that this version of Isilon uses CEE which is great as a couple years ago I wrote an EMC app for Symmetrix that uses the CEPA api to get the user auditing behavior. I have a few quick questions.

1. I turned on event forwarding where it expects a CEE Server URI, but instead I just pointed it at Splunk to see what magic happens.  I get this for example, but no user audit data.

PUT /vee HTTP/1.1
Host: 192.168.0.108:9998
Accept-Encoding: identity
Content-Length: 115
Content-Type: text/xml

<CheckFileRequest><Args action="9" sourceID="2" sourceIP="192.168.165.101" name="RABFAE0ATwA="/></CheckFileRequest>

2. I see there are a tremendous amount of logs, 51 in total that sit within /var/log on the box. Am I able to share that directory as an SMB share when it sits outside of the /ifs directory? For now I just copied the logs into a /ifs/logs directory, and pulled all of them into Splunk to see what cool things this Isilon logs. Anyone know heads or tails of what these logs mean and if there is useful data?

3. My goal is statistics and user auditing. I would love it if I didn't have to setup a CEE Server just to look at user/file audit behavior.

Thanks,

David Maislin
Splunk Sales Engineer
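As an added example (not code from the thread, Splunk or EMC), a small Python parser for the forwarded CheckFileRequest captured above: it splits the raw HTTP request, checks the declared Content-Length against the body, decodes the name attribute (assumed here to be base64 over UTF-16LE text, based on the sample value) and emits a key=value line for ingestion. The RAW_REQUEST string is the captured message re-assembled with CRLF line endings, and the output field names are my own choice.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the CheckFileRequest from the post, re-assembled as one
# raw HTTP request (headers, blank line, XML body).
RAW_REQUEST = (
    "PUT /vee HTTP/1.1\r\n"
    "Host: 192.168.0.108:9998\r\n"
    "Accept-Encoding: identity\r\n"
    "Content-Length: 115\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<CheckFileRequest><Args action="9" sourceID="2" '
    'sourceIP="192.168.165.101" name="RABFAE0ATwA="/></CheckFileRequest>'
)


def split_http(raw):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_name(b64):
    """Assumption: the name attribute is base64 over UTF-16LE (RABFAE0ATwA= -> DEMO)."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def parse_check_file_request(raw):
    """Parse one forwarded request into a flat dict; reject truncated or foreign bodies."""
    _request_line, headers, body = split_http(raw)
    declared = int(headers.get("content-length", "0"))
    if declared != len(body.encode("utf-8")):
        raise ValueError("Content-Length %d does not match body" % declared)
    root = ET.fromstring(body)  # expat does not fetch external entities here
    if root.tag != "CheckFileRequest" or root.find("Args") is None:
        raise ValueError("not a CheckFileRequest")
    args = root.find("Args")
    return {
        "event": root.tag,
        "action": int(args.get("action")),   # numeric code kept as-is
        "source_id": args.get("sourceID"),
        "source_ip": args.get("sourceIP"),
        "name": decode_name(args.get("name")),
    }


def to_kv_line(event):
    """Render as key="value" pairs, the form Splunk's default field extraction picks up."""
    return " ".join('%s="%s"' % (k, v) for k, v in event.items())
```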




Keith Nargi

Jan 17, 2014, 12:32:45 PM
to isilon-u...@googlegroups.com
David
I didn't see a question there but I'm guessing you want to know if you can gather the logs without VEE. The answer there is right now no. CEE/VEE was used because Isilon isn't going to be doing the visualization and correlation of the events that are gathered by the log service.
Each node in the cluster has a queue service that will package up the logs and keep them locally in a log file, which it appears you have found. The log files will be fed to the VEE queue consumer that will push an XML file to VEE for 3rd party products to consume them.

If you want to see the log items directly on the node you can do so by using the isi_audit_viewer command, but if you want to use Splunk for correlation and statistics I don't think you have a way to gather the logs in an automated fashion.

Hope this helps. 

Keith

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.



--
Keith 

Mark May

Jan 27, 2014, 12:36:16 AM
to isilon-u...@googlegroups.com
You cannot export /var/log as an NFS/SMB export. All exports need to be in /ifs. What you can do is get tricky with symbolic linking. I actually link /var/log/audit/smb.log to /ifs/audit/<node name>/audit/smb.log. That lets me export all the logs to my central location.

You can also set up syslog for most of the logs you'll be interested in.
