Hi,
I work for Splunk and am just digging into the Isilon for the first time, thinking that I might just update the customer-written Splunk for EMC Isilon app:
http://apps.splunk.com/app/817/.
I installed the downloadable VM of an Isilon, set it up, set up a share under /ifs, mounted it, and all is working well. I then wanted to look at more than just the default performance monitoring statistics that the app seems to be written for, where he runs a cron to: /usr/bin/isi statistics system --nodes --running=300 -i 300 -r 288 --timestamp > /var/log/isi-statistics.log
I see that this version of Isilon uses CEE, which is great, as a couple of years ago I wrote an EMC app for Symmetrix that uses the CEPA API to get the user auditing behavior. I have a few quick questions.
1. I turned on event forwarding where it expects a CEE Server URI, but instead I just pointed it at Splunk to see what magic happens. I get this for example, but no user audit data.
PUT /vee HTTP/1.1
Host: 192.168.0.108:9998
Accept-Encoding: identity
Content-Length: 115
Content-Type: text/xml
<CheckFileRequest><Args action="9" sourceID="2" sourceIP="192.168.165.101" name="RABFAE0ATwA="/></CheckFileRequest>
2. I see there is a tremendous number of logs, 51 in total, that sit within /var/log on the box. Am I able to share that directory as an SMB share when it sits outside of the /ifs directory? For now I just copied the logs into an /ifs/logs directory and pulled all of them into Splunk to see what cool things this Isilon logs. Anyone know heads or tails of what these logs mean and whether there is useful data?
3. My goal is statistics and user auditing. I would love it if I didn't have to set up a CEE Server just to look at user/file audit behavior.
Thanks,
David Maislin
Splunk Sales Engineer
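As an added example (not part of the post above, and not code from the Splunk app or from EMC), here is a small parser for the CheckFileRequest body shown in question 1 that turns it into a key=value line Splunk can index. It assumes the base64 "name" attribute carries a UTF-16LE string, which is what the observed value decodes to; the action code mapping is not known from the post, so the number is passed through unchanged.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the CheckFileRequest body seen in the forwarded PUT above.
SAMPLE_BODY = (
    '<CheckFileRequest><Args action="9" sourceID="2" '
    'sourceIP="192.168.165.101" name="RABFAE0ATwA="/></CheckFileRequest>'
)

# Bodies larger than this are rejected before XML parsing (Content-Length was 115).
MAX_BODY_BYTES = 64 * 1024


def decode_name(encoded: str) -> str:
    """Decode the base64 'name' attribute.

    Assumption (not stated on the page): the value is base64 over UTF-16LE.
    The observed "RABFAE0ATwA=" decodes cleanly to "DEMO" under that reading.
    """
    raw = base64.b64decode(encoded, validate=True)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_check_file_request(body: str) -> dict:
    """Parse one CheckFileRequest body into a flat dict of audit fields.

    Rejects oversized bodies and any root element other than the one the
    forwarder is expected to send, so unexpected input fails loudly.
    """
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("request body exceeds size limit")
    root = ET.fromstring(body)
    if root.tag != "CheckFileRequest":
        raise ValueError(f"unexpected root element: {root.tag}")
    args = root.find("Args")
    if args is None:
        raise ValueError("CheckFileRequest without Args element")
    return {
        "action": int(args.attrib["action"]),
        "source_id": int(args.attrib["sourceID"]),
        "source_ip": args.attrib["sourceIP"],
        "name": decode_name(args.attrib["name"]),
    }


def to_splunk_kv(event: dict) -> str:
    """Render the parsed event as one key=value line, quoting awkward values."""
    parts = []
    for key, value in event.items():
        text = str(value)
        if " " in text or "=" in text or '"' in text:
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append(f"{key}={text}")
    return " ".join(parts)
```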