JSON logging, to Splunk

Patrick Proniewski patrick.proniewski at univ-lyon2.fr
Mon Oct 6 14:36:59 CEST 2014


On 6 oct. 2014, at 14:01, Mark Martinec <Mark.Martinec+amavis at ijs.si> wrote:

>> After some testing, it appears the script won't quit. That's a problem
>> for Splunk as it waits for a clean return from the script to process
>> data.
>> How should I edit the script to make sure it quits cleanly after
>> pulling redis records?
> 
> No, it doesn't quit, it produces a *continuous* stream of JSON records
> on stdout, one per line. As these records are steadily being produced
> by amavisd child processes, why would a pulling program want to terminate?
> 
> Admittedly I don't know much about Splunk. Perhaps somebody else
> can fill in the misunderstanding gap.



Well well well. After reading more documentation about Splunk's scripted input, I've found out that Splunk can accommodate a continuously running script:

> If you want the script to run continuously, write the script to never exit and set it on a short interval. This helps to ensure that if there is a problem the script gets restarted. Splunk Enterprise keeps track of scripts it has spawned and will shut them down upon exit.
> 
> <http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Setupcustominputs>


Hence my problem is elsewhere. 

I did let the script run for half an hour, and I should have seen a handful of amavis events in Splunk, but I've seen none. Running the script from the command line successfully retrieved events from the redis DB, so on the script's side it's all OK.

I'm going to try again and put truss in the mix to spy on the script.

thanks,

Patrick PRONIEWSKI
-- 
Head of Operations unit - DSI - Université Lumière Lyon 2
Information Systems Security Officer
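As an added illustration of the pattern the quoted Splunk documentation describes (this is not code from the thread, from amavisd, or from Splunk): a scripted input that never exits on its own, writes exactly one JSON record per line, flushes after every line, and exits cleanly on SIGTERM or on a closed pipe so that Splunk can respawn it on the configured interval. One difference between running such a script at a terminal and under splunkd that is worth knowing: at a tty stdout is line-buffered, but on a pipe it is block-buffered, so a long-running script that never flushes can produce nothing visible to the reader of the pipe for a long time even though it prints fine on the command line. The Redis list is replaced here by a constructed in-memory deque with made-up records; the inputs.conf path, sourcetype, field names and values are assumptions, not amavisd's actual record format.

```python
"""Continuously running Splunk scripted input emitting one JSON record per line.

Assumed inputs.conf stanza (hypothetical app name, path and sourcetype):

    [script://$SPLUNK_HOME/etc/apps/amavis/bin/amavis_json_tail.py]
    interval = 60
    sourcetype = amavis:json
    disabled = 0

Because an interval is set, Splunk re-spawns the script after it exits, so on
SIGTERM or a broken pipe the right behaviour is a prompt, clean exit.
"""
import io
import json
import signal
import sys
import time
from collections import deque

# Constructed stand-in for the Redis list that amavisd pushes records onto.
# In production this would be a redis client doing LPOP/BLPOP on the
# configured list; no real Redis connection is made in this example.
FAKE_REDIS_LIST = deque([
    '{"type":"amavis","action":"PASS","content_type":"Clean","recipient":["user@example.com"]}',
    '{"type":"amavis","action":"BLOCK","content_type":"Spam","recipient":["user@example.com"]}',
    'not json at all',
])

_stop = False


def _request_stop(signum, frame):
    """Signal handler: ask the main loop to finish after the current record."""
    global _stop
    _stop = True


def pop_record(source):
    """Pop the oldest record, or None when the list is empty (an LPOP miss)."""
    try:
        return source.popleft()
    except IndexError:
        return None


def normalise(raw):
    """Return a compact single-line JSON object, or None if raw is not one.

    Splunk's line breaker expects one event per line, so any embedded
    newlines in the producer's output are removed by re-serialising.
    """
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    return json.dumps(obj, separators=(",", ":"))


def emit(line, out=sys.stdout):
    """Write one record and flush: stdout is a block-buffered pipe under splunkd."""
    out.write(line + "\n")
    out.flush()


def run(source, out=sys.stdout, idle_sleep=0.5, max_idle_polls=None):
    """Main loop. Returns the number of records emitted.

    Runs until a signal sets _stop, the output pipe closes, or (only so the
    loop can be exercised offline) max_idle_polls consecutive empty polls.
    """
    emitted = 0
    idle = 0
    while not _stop:
        raw = pop_record(source)
        if raw is None:
            idle += 1
            if max_idle_polls is not None and idle >= max_idle_polls:
                break
            time.sleep(idle_sleep)
            continue
        idle = 0
        line = normalise(raw)
        if line is None:
            # stderr is not ingested as events; use it for diagnostics only.
            sys.stderr.write("skipping non-JSON record: %r\n" % (raw,))
            continue
        try:
            emit(line, out)
        except BrokenPipeError:
            break  # splunkd closed the pipe: exit so it can respawn us
        emitted += 1
    return emitted


def drain(records):
    """Offline helper: run the loop over a list until empty; return (count, lines)."""
    out = io.StringIO()
    count = run(deque(records), out=out, idle_sleep=0, max_idle_polls=1)
    return count, out.getvalue().splitlines()


if __name__ == "__main__":
    signal.signal(signal.SIGTERM, _request_stop)
    signal.signal(signal.SIGINT, _request_stop)
    run(FAKE_REDIS_LIST)  # never returns until signalled or the pipe closes
    sys.exit(0)
```

Run from a terminal it prints the two valid records and then idles until Ctrl-C or SIGTERM; invalid records are reported on stderr and skipped rather than being passed through as malformed events.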



More information about the amavis-users mailing list