Code42 environment logs as data sources for Splunk Enterprise

Last updated
Save as PDF

Who is this article for?

CrashPlan Cloud

CrashPlan for Small Business

CrashPlan On-Premises

Find your product plan in the Code42 console on the Account menu.
Not a CrashPlan On-Premises customer? Search or browse Incydr and Instructor, CrashPlan Cloud, or CrashPlan for Small Business.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, yes.

CrashPlan for Small Business, no.

Overview

This tutorial explains how to send log files from Code42 servers or devices to a Splunk Enterprise server.

For additional details about configuring Splunk, see Splunk's documentation.

Before you begin

Install and configure Splunk Enterprise for use with your Code42 environment.
In your Splunk Enterprise configuration, configure Splunk Enterprise to receive data from your forwarder.

Step 1: Send logs to Splunk Enterprise

We recommend using one of two options to send logs to Splunk Enterprise:

Tool	Recommended For	Not Recommended For
Splunk Universal Forwarder	Code42 servers Devices	Managed appliances
syslog	Code42 servers, including managed appliances	Devices

Option 1: Send logs via the Splunk universal forwarder

The Splunk Universal Forwarder sends data from a Code42 server or a device in your Code42 environment to your Splunk Enterprise server.

For each Code42 server and device, set up the Splunk Universal Forwarder. The installation process follows this general outline:

Download and install the Splunk Universal Forwarder on the Code42 server or device that contains the logs you wish to forward.
Configure the Splunk Universal Forwarder to target your Splunk Enterprise server.
Configure the Splunk Universal Forwarder to monitor log files on your Code42 server or device.
See Code42 Log Locations below for a list of log directories.
Start the Splunk Universal Forwarder.

Splunk supports many installation options and procedures, so we recommend that you thoroughly review Splunk's installation instructions.

Option 2: Send logs via syslog

You can use syslog to forward data from a Code42 server to Splunk Enterprise.

Managed Private Cloud customers
Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team to implement this solution on your managed appliances.

Step 1: Add a UDP data source for syslog

Configure Splunk Enterprise to accept data from a UDP source.

Step 2: Configure your Code42 server

Configure your Code42 server to send log data to Splunk Enterprise via syslog:

Alternative commands
The example commands shown here apply to all your Code42 servers. For more information on configuring system properties, including alternative parameters that target individual Code42 servers, refer to Code42 console command-line interface.

Sign in to your Code42 console.
Double-click the Code42 logo to open the Code42 console command-line interface.

Enter the following commands, adapted to your syslog configuration, to configure syslog communication:

prop.set c42.log.syslog.v1.host localhost save all
prop.set c42.log.syslog.v1.facility LOCAL0 save all

Enter the following commands to enable syslog for each log.
Replace true with false to disable syslog for each log.

com_backup42_app.log

prop.set c42.log.syslog.v1.root.enabled true save all

history.log

prop.set c42.log.syslog.v1.history.enabled true save all

request.log

prop.set c42.log.syslog.v1.request.enabled true save all

stats.log

prop.set c42.log.syslog.v1.stats.enabled true save all

support_event.log (Version 7.0 and later)

prop.set c42.log.syslog.v1.stats.supportevent true save all

Restart all Code42 servers in your Code42 environment.
1. Navigate to Storage > Servers in the Code42 console.
2. For each Code42 server:
  1. Select the Code42 server to view its details.
  2. Click action menu > Restart Server to immediately restart the Code42 server.

Step 2: Verify that log data is collected

In your Splunk Search dashboard, view your Data Summary to verify that data from your Code42 environment transmits to Splunk Enterprise.

Splunk Forwarder syslog data

Next steps

Once Splunk Enterprise is monitoring log files from your Code42 environment, you can search and visualize the data using the techniques described in Analyzing Data With Splunk And The Code42 API.

Code42 log locations

Code42 server

Server Logs

Linux: /var/log/proserver
Applies to Code42 servers installed as root on Ubuntu
Windows: C:\Program Files\CrashPlan PROe Server\logs

Requested Code42 app Logs

Linux: /var/opt/proserver/client-logs
Applies to Code42 servers installed as root on Ubuntu
Windows: C:\Program Files\CrashPlan PROe Server\client-logs

Code42 app

Service Logs

Windows: C:\ProgramData\CrashPlan\log
To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
Mac: /Library/Logs/CrashPlan
If you installed per user, see the file and folder hierarchy.
Linux: /usr/local/crashplan/log

UI Log Files

Windows:
- Version 6.5 and earlier: C:\ProgramData\CrashPlan\log
- Version 6.5.1 and later: C:\Users\<username>\AppData\Local\CrashPlan\log
To view these hidden folders, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy.
Mac: ~/Library/Logs/CrashPlan
To view this hidden folder, open the Finder, press Command-Shift-G, and paste the path.
Linux:
- Version 6.8.1 and earlier: /usr/local/crashplan/log
- Version 6.8.2 and later: ~/.code42/log

External resources

Splunk Enterprise documentation