HPE Community
HPE SimpliVity
1819814 Members
4189 Online
109607 Solutions
New Discussion юеВ

OVC Log to Splunk Server?

 
SOLVED
Go to solution
DavS
Advisor

тАО02-12-2020 07:24 AM

тАО02-12-2020 07:24 AM

OVC Log to Splunk Server?

Can OVC logs be forwarded to a Splunk server?

Dave
0 Kudos
Reply
10 REPLIES 10
scott_svt
Frequent Advisor

тАО02-12-2020 08:33 AM - edited тАО02-12-2020 08:35 AM

тАО02-12-2020 08:33 AM - edited тАО02-12-2020 08:35 AM

Re: OVC Log to Splunk Server?

Hi DavS,

There is no formal doc right now, but sure you can.

I'll stay away from the straight Linux side of things with rsyslog, as I assume you are already familiar with that (I can find some links if you need them). A standard set of logs collection examples are below, but is there some specific part of system operation you want to gather?

vi /etc/rsyslog.d/svt.conf
$ModLoad imfile

# Additional log files to feed to Splunk

# /var/svtfs/0/log/svtfs.log
$InputFileName /var/svtfs/0/log/svtfs.log
$InputFileTag svtfs
$InputFileStateFile svtfs
$InputRunFileMonitor

# /var/svtfs/0/log/hyperproxyserver.log
$InputFileName /var/svtfs/0/log/hyperproxyserver.log
$InputFileTag hyperproxy
$InputFileStateFile hyperproxy
$InputRunFileMonitor

# /var/svtfs/0/log/eventmgr.log
$InputFileName /var/svtfs/0/log/eventmgr.log
$InputFileTag event-manager
$InputFileStateFile event-manager
$InputRunFileMonitor
service rsyslog restart

Thanks,

Scott


Accept or Kudo
0 Kudos
Reply
DavS
Advisor

тАО02-12-2020 11:41 AM

тАО02-12-2020 11:41 AM

Re: OVC Log to Splunk Server?

Scott,

Here are some for our requirements...

Audit Event

Frequency

Authentication Events:
(1) Logons (Successful/Failure)
(2) Logoffs (Success)

Continuous

   

User and Group Management events:

(1) User add, delete, modify, suspend, lock (Success/Failure)

(2) Group/Role add, delete, modify (Success/Failure)

Continuous

 

Use of Privileged/Special Rights events:

(1) Security or audit policy changes (Success/Failure) (2) Configuration changes (Success/Failure)

 

Continuous

Admin or root-level access (Success/Failure)

Continuous

Privilege/Role escalation (Success/Failure)

Continuous

Audit and log data accesses (Success/Failure)

Continuous

System reboot, restart and shutdown (Success/Failure)

Continuous

 

Thank you.

Dave
0 Kudos
Reply
DavS
Advisor

тАО02-12-2020 11:44 AM

тАО02-12-2020 11:44 AM

Solution

Re: OVC Log to Splunk Server?

Some of this should be in the "standard" /var/log log files...

Dave
0 Kudos
Reply
scott_svt
Frequent Advisor

тАО02-13-2020 01:39 AM

тАО02-13-2020 01:39 AM

Re: OVC Log to Splunk Server?

Hi DavS,

OK perfect. It sounds like in this case it is beyond SimpliVity specific system operation (the info I provided) and it has moved towards general Linux auditing. In this case you are free to gather any and all logs dirct from the Linux side of things, and all the usual logging that you collect from other Linux boxes. At this level it is in every way a standard linux distro.

Going in to this in great detail may be outside of a forum chat and may be better placed in Support ticket. If you have any issues with your 'standard' compliance requirements, i'd suggest opening a case so that we address specific issues.

Thanks,

Scott


Accept or Kudo
0 Kudos
Reply
DavS
Advisor

тАО02-13-2020 05:37 AM

тАО02-13-2020 05:37 AM

Re: OVC Log to Splunk Server?

Scott,

Thanks for the information. I should have asked the question a different way. I should have asked if the Ubuntu implementaion in the OVC support standard auditing and credition scans.

Your response, "At this level it is in every way a standard linux distro", answered the question.

Dave

Dave
0 Kudos
Reply
scott_svt
Frequent Advisor

тАО02-13-2020 08:36 AM

тАО02-13-2020 08:36 AM

Re: OVC Log to Splunk Server?

Not a bother Dave!


Accept or Kudo
0 Kudos
Reply
DavS
Advisor

тАО07-13-2021 11:36 AM - edited тАО07-14-2021 04:56 AM

тАО07-13-2021 11:36 AM - edited тАО07-14-2021 04:56 AM

Re: OVC Log to Splunk Server?

If logging to a syslog server is configured for an OVC, is the configuration persistent after a reboot?

Certain configurations are reset after reboot. For example Splunk can be installed, configured and works well, however, the Splunk agent is removed from the OVC configuration after reboot.

Second question, is there are way to script custom configurations that are persistent after a reboot?

Logging to Splunk is the preferred solution! Is it possible to have the Splunk agent installed and remain persistent over reboots?

Dave
0 Kudos
Reply
BSDUKJ
Occasional Visitor

тАО05-23-2022 02:17 AM

тАО05-23-2022 02:17 AM

Re: OVC Log to Splunk Server?

Did you ever get a reply to this?

I'm looking to do the same thing, not quite splunk but shipping to a syslog server

0 Kudos
Reply
Sunitha_Mod
Moderator

тАО05-24-2022 01:50 AM

тАО05-24-2022 01:50 AM

Re: OVC Log to Splunk Server?

Hello @BSDUKJ , 

Thank you for posting! Since you have posted in an old topic and there is no response yet, I would recommend you to create a new topic using the create "New Discussion" button.



Thanks,
Sunitha G
I'm an HPE employee.
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
BSDUKJ
Occasional Visitor

тАО05-26-2022 01:30 AM

тАО05-26-2022 01:30 AM

Re: OVC Log to Splunk Server?

I know it's closed but thought I'd add value and extra information  as I created a call myself and HPE have said getting any logs out of OVC are not supported and are out of scope which would set them apart as an exception to any onther vendor.

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.