
Code42 environment logs as data sources for Splunk Enterprise

Applies to:
  • CrashPlan PROe

Overview

This tutorial explains how to send log files from enterprise servers or devices to a Splunk Enterprise server.

For additional details about configuring Splunk, see Splunk's documentation.

Before you begin

  1. Install and configure Splunk Enterprise for use with your Code42 environment.
  2. Configure Splunk Enterprise to receive data from your forwarder.

Step 1: Send logs to Splunk Enterprise

We recommend using one of two options to send logs to Splunk Enterprise:

Tool: Splunk Universal Forwarder
  • Recommended for: enterprise servers and devices
  • Not recommended for: managed appliances

Tool: syslog
  • Recommended for: enterprise servers, including managed appliances
  • Not recommended for: devices

Option 1: Send logs via the Splunk Universal Forwarder

The Splunk Universal Forwarder sends data from an enterprise server or a device in your Code42 environment to your Splunk Enterprise server.

For each enterprise server and device, set up the Splunk Universal Forwarder. The installation process follows this general outline:

  1. Download and install the Splunk Universal Forwarder on the enterprise server or device that contains the logs you wish to forward.
  2. Configure the Splunk Universal Forwarder to target your Splunk Enterprise server.
  3. Configure the Splunk Universal Forwarder to monitor log files on your enterprise server or device.
    See Code42 Log Locations below for a list of log directories.
  4. Start the Splunk Universal Forwarder.

Splunk supports many installation options and procedures, so we recommend that you thoroughly review Splunk's installation instructions.
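
As an added example (not taken from Code42's or Splunk's documentation), steps 2 and 3 of the outline above could look like this on a Linux enterprise server. The receiving port 9997, the group name code42_indexers, the index code42 and the sourcetype code42:server are assumptions; the host name, log directory and log file names are the ones used on this page.

```ini
# File: $SPLUNK_HOME/etc/system/local/outputs.conf
# Step 2: target the Splunk Enterprise server
[tcpout]
defaultGroup = code42_indexers

[tcpout:code42_indexers]
# host:port of the receiving Splunk Enterprise server (9997 is an assumed receiving port)
server = splunk-server.example.com:9997
# wait for indexer acknowledgement so events are re-sent if the connection drops
useACK = true

# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# Step 3: monitor the enterprise server log directory
[monitor:///var/log/proserver]
# forward only the three logs named on this page, plus rolled copies whose names start the same way
whitelist = /(com_backup42_app|history|rest)\.log
# assumed index name; it must already exist on the Splunk Enterprise server
index = code42
# assumed sourcetype label
sourcetype = code42:server
disabled = false
```

Restart the forwarder after editing these files so the new stanzas are read.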

Option 2: Send logs via syslog

In version 4.3 and later of the Code42 platform, you can use syslog to forward data from an enterprise server to Splunk Enterprise. For earlier versions, see Using syslog in versions 4.1 and 4.2 of the Code42 platform, below.

Managed Private Cloud customers
Contact your Code42 PRO Services representative to implement this solution on your managed appliances.

Step 1: Add a UDP data source for syslog

Configure Splunk Enterprise to accept data from a UDP source.
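
An added example (not from the original page) of a UDP input stanza in inputs.conf on the Splunk Enterprise server. Syslog over UDP carries no authentication or encryption, so the stanza limits which senders are accepted; port 514, the index code42 and the enterprise server address 10.0.0.5 are assumptions.

```ini
# File: $SPLUNK_HOME/etc/system/local/inputs.conf on the Splunk Enterprise server
[udp://514]
# record the sender's IP address as the host field instead of a reverse-DNS name
connection_host = ip
sourcetype = syslog
# assumed index name; it must already exist
index = code42
# accept datagrams only from the enterprise server (constructed address);
# datagrams from any other sender are not accepted
acceptFrom = 10.0.0.5
```

List every enterprise server that sends syslog in acceptFrom, and keep the traffic on a trusted network segment because the log contents cross the wire in cleartext.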

Step 2: Configure your Enterprise server

Configure your enterprise server to send log data to Splunk Enterprise via syslog:

Alternative commands
The example commands shown here apply to all your enterprise servers. For more information on configuring system properties, including alternative parameters that target individual enterprise servers, refer to Administration console Command-Line Interface.
  1. Sign in to your administration console.
  2. Double-click the Code42 logo to open the administration console command-line interface.
  3. Enter the following commands, adapted to your syslog configuration, to configure syslog communication:
    prop.set c42.log.syslog.v1.host localhost save all
    prop.set c42.log.syslog.v1.facility LOCAL0 save all
    
  4. Enter the following commands to enable syslog for each log.
    Replace true with false to disable syslog for each log.
    • com_backup42_app.log
      prop.set c42.log.syslog.v1.root.enabled true save all
      
    • history.log
      prop.set c42.log.syslog.v1.history.enabled true save all
      
    • rest.log
      prop.set c42.log.syslog.v1.rest.enabled true save all 
  5. Restart all enterprise servers in your Code42 environment.
    1. Navigate to Destinations > Servers in the administration console.
    2. For each enterprise server:
      1. Select the enterprise server to view its details.
      2. Click Action menu > Restart Server to immediately restart the enterprise server.

Step 2: Verify that log data is being collected

In your Splunk Search dashboard, view your Data Summary to verify that data from your Code42 environment is transmitting to Splunk Enterprise.

Splunk Forwarder syslog data

Next steps

Once Splunk Enterprise is monitoring log files from your Code42 environment, you can search and visualize the data using the techniques described in Analyzing Data With Splunk And The Code42 API.

Code42 log locations

Enterprise server

Server Logs

  • Linux: /var/log/proserver
    Applies to enterprise servers installed as root on Ubuntu
  • Windows: C:\Program Files\CrashPlan PROe Server\logs
  • OS X: /Library/Logs/PROServer

Requested CrashPlan app Logs

  • Linux: /var/opt/proserver/client-logs
    Applies to enterprise servers installed as root on Ubuntu
  • Windows: C:\Program Files\CrashPlan PROe Server\client-logs
  • OS X: /Library/Logs/PROServer/client-logs

CrashPlan app

Service Logs

  • Windows Vista, 7, 8, 10, Server 2008, and Server 2012: C:\ProgramData\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • Windows XP: C:\Documents and Settings\All Users\Application Data\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • OS X: /Library/Logs/CrashPlan
    If you installed per user, see the file and folder hierarchy.
  • Linux: /usr/local/crashplan/log
  • Solaris: /opt/sfw/crashplan/log

UI Log Files

  • Windows Vista, 7, 8, 10, Server 2008, and Server 2012: C:\ProgramData\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • Windows XP: C:\Documents and Settings\All Users\Application Data\CrashPlan\log
    To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
  • OS X: ~/Library/Logs/CrashPlan
    To view this hidden folder, open the Finder, press Command-Shift-G, and paste the path.
  • Linux: /usr/local/crashplan/log
  • Solaris: /opt/sfw/crashplan/log

SharePlan App

Using syslog in versions 4.1 and 4.2 of the Code42 platform

In versions 4.1 and 4.2 of the Code42 platform, you must edit configuration files on the file system of your enterprise servers to configure syslog to forward log data to Splunk Enterprise. These changes are not retained when upgrading your Code42 environment, so we recommend upgrading to version 4.3 or later of the Code42 platform before implementing log monitoring.

  1. On each enterprise server in your environment, edit the configuration files:
    1. In the conf directory of the enterprise server installation, make a backup copy of conf_base.groovy.
      This backup copy can be used to revert to the default configuration.
      • Linux: /var/opt/proserver/conf
        Applies to enterprise servers installed as root on Ubuntu
      • Windows: C:\ProgramData\PROServer\conf
      • OS X: /Library/Application Support/CrashPlan/PROServer/conf
    2. Edit the log section of conf_base.groovy:
      • Set the value syslogroots to 'root'.
      • Within the value root, add the value syslog.
      • Within the value syslog, add entries for host and facility appropriate to your Splunk configuration.
      log {
          path('${config.backups}/logs')
          rollingroots(['root', 'history', 'remote', 'peer'])
          dailyroots(['rest'])
          syslogroots(['root'])
          root {
              level('INFO')
              logger('root')
              filepath('${core.log.path}/com_backup42_app.log')
              layout('com.code42.logging.Layout42')
              appendtocurrent(false)
              sizelimit(20971520L)
              numVersions(2)
              console(true)
              syslog {
                  host("splunk-server.example.com")
                  facility("LOCAL0")
              }
          }
      }
      
  2. Restart all enterprise servers in your Code42 environment to apply the changes.
    1. Navigate to Destinations > Servers in the administration console.
    2. For each enterprise server:
      1. Select the enterprise server to view its details.
      2. Click Action menu > Restart Server to immediately restart the enterprise server.