
Code42 Environment Logs As Data Sources For Splunk Enterprise

Applies to:
  • CrashPlan PROe
This tutorial explains how to send log files in the Code42 environment to a Splunk Enterprise server. Logs from both endpoint devices and enterprise servers can be forwarded. This provides another rich source of data to use with Splunk Enterprise.

Considerations

  • The Splunk Universal Forwarder is a lightweight application that sends data from an enterprise server, CrashPlan app, or other device in your Code42 environment to your Splunk Enterprise server for consumption. You are thus able to gather, index, and analyze data from most devices in your Code42 environment using Splunk Enterprise.
  • You can also use the Linux/Unix syslog utility to forward logs to Splunk Enterprise.

Configure Splunk enterprise to monitor forwarded data

Splunk Enterprise must be configured to receive data from the Universal Forwarder on a specific TCP port (9997 is the conventional choice). Any host that can reach this port can send events to it, so restrict access to it at the network level to the hosts that run your forwarders.

  1. From Splunk Home, click Settings.
  2. Choose Forwarding and receiving.
  3. Under Receive data, click Add new next to Configure receiving.
  4. Enter the port number to listen on. In this example, we add port 9997.
  5. Click Save.
    You have added a port that receives incoming data from your Universal Forwarder.

Install and configure universal forwarder

The Universal Forwarder can be installed on an enterprise server or endpoint device.

  • The example in this tutorial uses a Linux, Unix or Mac OSX environment.
  • For additional details about configuring Splunk, see Splunk's detailed instructions.

Before you begin

The command line example below requires the command line utility wget.

Step 1: Download universal forwarder

Option A: Download from the command line

Run the following commands from the command line to download and expand the Universal Forwarder:

mkdir splunk
cd splunk
# Let wget verify the server certificate; do not pass --no-check-certificate,
# which would accept a forged certificate and allow a tampered installer through.
wget -O splunkforwarder_64.tgz 'https://www.splunk.com/page/download_track?file=[replace with latest]'
# Before unpacking, compare the archive's checksum with the value published on the Splunk download page.
tar xvf splunkforwarder_64.tgz

Option B: Download using a web browser

  1. Visit the Splunk download page.
  2. Select Universal Forwarder.
  3. Expand the downloaded archive by double-clicking the archive or using your favorite archive utility.


Step 2: Start Splunk forwarder

  1. Open a command line terminal and navigate to the Splunk Forwarder bin directory.
  2. Run the following command to start the forwarder:
    ./splunk start
  3. Read through the license agreement and enter "y" if you agree (this is necessary only the first time you run the forwarder).

Step 3: Tell forwarder about your Splunk enterprise server

From the Splunk Forwarder "bin" directory, enter the following command. In the example below, replace "Your_splunk_server" with the FQDN or IP address of your Splunk Enterprise Server:

./splunk add forward-server [Your_splunk_server]:9997 -auth admin:password
Added forwarding to: 172.16.195.137:9997.
Change the default password
The Splunk Forwarder's administrator username and password are set to "admin" and "password" by default, and the same credentials protect the forwarder's local management interface. Change the administrator password to a strong, unique value before the forwarder goes into service. On shared hosts, avoid passing the password on the command line with -auth, because command-line arguments are visible to other local users in the process list; omit -auth and let the CLI prompt instead.

Step 4: Add one or more log files to the forwarder

Now that your Splunk Forwarder is running and configured to know about your Splunk Enterprise server, you can tell it to monitor as many files as you would like.

  1. Open a command line terminal and navigate to the Splunk Forwarder bin directory.
  2. Determine which log file or directory to monitor. See Code42 Log Locations for a list of log directories.
  3. Run the following command to monitor a file or directory:
    ./splunk add monitor <path_to_log_file_or_directory>
    

The log file or files you have told the Splunk Forwarder to send to your Splunk Enterprise server are now being monitored, and you can search and visualize the data using the techniques described in our Analyzing Data With Splunk And The Code42 API article.
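The following is an added example, not Code42's or Splunk's code, that scripts Steps 2 to 4 above so they can be repeated on every host the same way. It builds the exact splunk CLI commands the tutorial types by hand, adds the checks a practitioner wants (it rejects the [Your_splunk_server] placeholder if it was left in, refuses to keep the default admin password, and changes that password before anything else uses it), and supports a dry run that renders the commands with secrets masked. The log directories come from the Code42 log locations section of this page; the sourcetype names, the index name and the SPLUNK_HOME path are assumptions chosen for the example.

```python
"""Script the Universal Forwarder setup from Steps 2 to 4 (added example, not Code42's or Splunk's code)."""
import re
import subprocess
from typing import List, Union

# Log directories from the "Code42 log locations" section of this page, keyed by
# platform (servers installed as root; CrashPlan app at its default location).
# The sourcetype names are assumptions made for this example.
CODE42_LOG_SOURCES = {
    "linux": [
        ("/var/log/proserver", "code42:server"),
        ("/var/opt/proserver/client-logs", "code42:client"),
        ("/usr/local/crashplan/log", "code42:app"),
    ],
    "macos": [
        ("/Library/Logs/PROServer", "code42:server"),
        ("/Library/Logs/PROServer/client-logs", "code42:client"),
        ("/Library/Logs/CrashPlan", "code42:app"),
    ],
    "solaris": [
        ("/var/log/proserver", "code42:server"),
        ("/var/opt/proserver/client-logs", "code42:client"),
        ("/opt/sfw/crashplan/log", "code42:app"),
    ],
}

# Hostname or dotted IPv4 address: labels of letters, digits and inner hyphens.
# Brackets, spaces and underscores (as in the tutorial's placeholder) fail.
_HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                      r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def forward_target(server: str, port: int) -> str:
    """Return 'host:port' for 'splunk add forward-server', or raise ValueError."""
    if not _HOST_RE.match(server):
        raise ValueError(f"not a hostname or IPv4 address: {server!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return f"{server}:{port}"


def is_valid_target(server: str, port: int) -> bool:
    try:
        forward_target(server, port)
        return True
    except ValueError:
        return False


def plan_forwarder_setup(splunk_home: str, server: str, port: int, platform: str,
                         index: str, old_password: str, new_password: str) -> List[List[str]]:
    """Return the argv lists for Steps 2 to 4 plus the admin password change."""
    splunk = f"{splunk_home}/bin/splunk"
    target = forward_target(server, port)
    if new_password == old_password or len(new_password) < 12:
        raise ValueError("new admin password must differ from the default and be at least 12 characters")
    # NOTE: -auth on the command line is visible to other local users in the
    # process list. On a shared host omit -auth so the CLI prompts instead.
    auth = f"admin:{new_password}"
    plan = [
        # Step 2: first start; --accept-license answers the license prompt non-interactively.
        [splunk, "start", "--accept-license"],
        # Change the default password before anything else uses it.
        [splunk, "edit", "user", "admin", "-password", new_password, "-auth", f"admin:{old_password}"],
        # Step 3: point the forwarder at the Splunk Enterprise receiving port.
        [splunk, "add", "forward-server", target, "-auth", auth],
    ]
    # Step 4: one monitor per Code42 log directory, tagged with a sourcetype and index.
    for path, sourcetype in CODE42_LOG_SOURCES[platform]:
        plan.append([splunk, "add", "monitor", path, "-sourcetype", sourcetype, "-index", index, "-auth", auth])
    return plan


def render(argv: List[str]) -> str:
    """Render one command for a log or dry run with password material masked."""
    out = []
    for i, arg in enumerate(argv):
        if i and argv[i - 1] == "-password":
            out.append("****")
        elif i and argv[i - 1] == "-auth":
            out.append(arg.split(":", 1)[0] + ":****")
        else:
            out.append(arg)
    return " ".join(out)


def run_plan(plan: List[List[str]], dry_run: bool = True) -> List[Union[str, int]]:
    """Dry run: return the masked command lines. Otherwise run each command in order,
    returning its exit code and stopping at the first failure."""
    results: List[Union[str, int]] = []
    for argv in plan:
        if dry_run:
            results.append(render(argv))
        else:
            results.append(subprocess.run(argv, check=True).returncode)
    return results


if __name__ == "__main__":
    # Dry run with the tutorial's example server; SPLUNK_HOME=/opt/splunkforwarder is an assumption.
    for line in run_plan(plan_forwarder_setup("/opt/splunkforwarder", "172.16.195.137", 9997, "linux",
                                              "code42", "password", "replace-with-a-long-random-value")):
        print(line)
```

Run it once with the dry run to review the command lines, then call run_plan(plan, dry_run=False) on the forwarder host. The monitors are added with -sourcetype and -index so the Code42 server, client and app logs stay distinguishable in searches instead of all landing in the default index with an auto-detected sourcetype.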

Using Linux/Unix syslog to forward enterprise server data to Splunk

If your operating system supports syslog or an equivalent, you can use syslog to forward enterprise server logs to your Splunk Enterprise server without installing the Universal Forwarder. Note that syslog over UDP is unauthenticated, unencrypted and offers no delivery guarantee: anyone on the network path can read or spoof events, and messages are silently dropped under load. Use this method only across a trusted network segment; across anything else, prefer the Universal Forwarder.

Before you begin

  • You must have syslog, rsyslog, or a functionality equivalent application installed on your server to complete these steps.
  • If you are a Managed Private Cloud customer, you must work with Code42 Professional Services to implement this solution.

Step 1: Add a UDP data source for syslog

  1. From Splunk Home, click Add Data.
  2. Select From a UDP port.
  3. Enter 514 as the UDP port. Binding a port below 1024 requires splunkd to run with root privileges; if Splunk runs as an unprivileged user, either grant it the privilege to bind low ports or run a syslog daemon on the enterprise server that listens on 514 and relays to a higher port on the Splunk server.
  4. Select syslog as the source type.
  5. Click Save.

Step 2: Configure your Enterprise Server

You need to tell your enterprise server to send its root logger output to syslog over UDP. The example below points it directly at the Splunk Enterprise server's UDP input; you can instead point it at a local syslog daemon such as rsyslog, which then relays to Splunk Enterprise.

  1. Sign in to your enterprise server and open a terminal or command line interface.
  2. In the conf directory under the main application directory, make a backup copy of the conf_base.groovy file so that you can roll back to the original configuration if needed. Default application directories:
    • Linux: /opt/proserver (applies to enterprise servers installed as root on Ubuntu)
    • Windows: C:\Program Files\CrashPlan PROe Server
    • OS X: /Applications/PROServer.app/
    • Solaris: /opt/proserver
  3. Using a plain text editor, open conf_base.groovy.
  4. Edit the log section so that 'root' is listed in the syslogroots attribute (this attaches the syslog appender to the root logger), and change the host attribute to the hostname or IP address of your Splunk Enterprise server (or of the syslog daemon that relays to it). The closing brace of the log block must be kept:
log {
    path('${config.backups}/logs')
    rollingroots(['root', 'history', 'remote', 'peer'])
    dailyroots(['rest'])
    syslogroots(['root'])
    root {
        level('INFO')
        logger('root')
        filepath('${core.log.path}/com_backup42_app.log')
        layout('com.code42.logging.Layout42')
        appendtocurrent(false)
        sizelimit(20971520L)
        numVersions(2)
        console(true)
        syslog {
            host("YourSplunkServer.example.com")
            facility("LOCAL0")
        }
    }
}
  5. Save your changes and quit the editor.
  6. Restart your enterprise server.
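Before restarting the enterprise server it is worth confirming that the UDP input from Step 1 receives correctly framed messages and that facility LOCAL0 from the conf_base.groovy example decodes as expected. The following is an added example, not Code42's or Splunk's code: it frames a message the way a BSD-syslog (RFC 3164) sender does, sends it over UDP, and parses what arrives into the PRI, host, tag and message fields that Splunk's syslog sourcetype keys on. The message text and hostname are constructed samples; the page does not show the real Layout42 line format, and the Splunk server address in the usage comment is an assumption.

```python
"""Frame, send and parse RFC 3164 syslog over UDP (added example, not Code42's or Splunk's code)."""
import re
import socket
from datetime import datetime
from typing import Dict, Optional, Tuple

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: str, severity: str) -> int:
    """LOCAL0 (16) at INFO (6) gives PRI 134, which is what the groovy config above will emit for INFO lines."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> Tuple[str, str]:
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def build_rfc3164(facility: str, severity: str, hostname: str, tag: str,
                  message: str, when: Optional[datetime] = None) -> bytes:
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, with the day space padded as RFC 3164 requires."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {message}"
    return line.encode("utf-8")


_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$", re.S)


def parse_rfc3164(datagram: bytes) -> Dict[str, str]:
    """Split a datagram into the fields Splunk's syslog sourcetype extracts; reject malformed input."""
    m = _SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % datagram[:64])
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "message": m.group("msg")}


def is_rfc3164(datagram: bytes) -> bool:
    try:
        parse_rfc3164(datagram)
        return True
    except ValueError:
        return False


def sample_datagram() -> bytes:
    """Constructed Code42-style message at a fixed time so the output is reproducible (not a real Layout42 line)."""
    return build_rfc3164("local0", "info", "proserver01", "proserver",
                         "com.backup42.app CPServer started (constructed sample)",
                         when=datetime(2016, 7, 14, 10, 22, 5))


def send_udp(datagram: bytes, host: str, port: int = 514) -> None:
    """Send one datagram to a Splunk UDP input. UDP gives no acknowledgement, so confirm arrival in Data Summary."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes) -> Dict[str, str]:
    """Stand in for the Splunk UDP input with a throwaway listener on 127.0.0.1 and parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        send_udp(datagram, "127.0.0.1", listener.getsockname()[1])
        received, _ = listener.recvfrom(65535)
    return parse_rfc3164(received)


if __name__ == "__main__":
    print(loopback_roundtrip(sample_datagram()))
    # To probe a real Splunk UDP input instead (server name is an assumption):
    # send_udp(sample_datagram(), "YourSplunkServer.example.com", 514)
```

If the loopback round trip works but nothing reaches Splunk, the problem is on the network path (a firewall, or splunkd unable to bind port 514) rather than in the message format. Because nothing in this exchange authenticates the sender, a parsed host field of "proserver01" only means that the datagram claimed to come from that host.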

Step 3: Verify logging data is being collected

  1. From Splunk Home, click Search.
  2. Click Data Summary.
    You should see a new entry for the host that is sending logging data to your Splunk Enterprise server through syslog:
  3. Click on the host name or address to view a summary of data and fields that are now indexed and searchable:

You have added your enterprise server's main server logs as a data source to Splunk Enterprise.

Code42 log locations

Enterprise server

Server Logs

  • Linux: /var/log/proserver
    Applies to enterprise servers installed as root on Ubuntu
  • Windows: C:\Program Files\CrashPlan PROe Server\logs
  • OS X: /Library/Logs/PROServer
  • Solaris: /var/log/proserver

Requested CrashPlan app Logs

  • Linux: /var/opt/proserver/client-logs
    Applies to enterprise servers installed as root on Ubuntu
  • Windows: C:\Program Files\CrashPlan PROe Server\client-logs
  • OS X: /Library/Logs/PROServer/client-logs
  • Solaris: /var/opt/proserver/client-logs

CrashPlan app

Service Logs

  • Windows Vista, 7, 8, 10, Server 2008, and Server 2012: C:\ProgramData\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • Windows XP: C:\Documents and Settings\All Users\Application Data\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • OS X: /Library/Logs/CrashPlan
    If you installed per user, see the file and folder hierarchy.
  • Linux: /usr/local/crashplan/log
  • Solaris: /opt/sfw/crashplan/log

UI Log Files

  • Windows Vista, 7, 8, 10, Server 2008, and Server 2012: C:\ProgramData\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • Windows XP: C:\Documents and Settings\All Users\Application Data\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • OS X: ~/Library/Logs/CrashPlan
    To view this hidden folder, open the Finder, press Command-Shift-G, and paste the path.
  • Linux: /usr/local/crashplan/log
  • Solaris: /opt/sfw/crashplan/log

What's next?

The next article in this series provides script recipes to retrieve useful information about your Code42 environment with Splunk.
