Does anybody use Splunk with the K1/K2?
Looking through the K1 logs a bit, and wondering if anybody uses Splunk to manage the Kace logs. If not Splunk specifically, how do you manage the Kace logs?
Answers (2)
I haven't used Splunk before, but I would tend to say that the logs are not accessible by default to that software. The reason behind this is that there is no API to get the logs. You would manually have to log in and navigate to them.
There is a patch that KACE support can give you for the k1000 that opens up a logs share that might work for this purpose. Ask for the triage patch if this might work.
Depending on what you are looking for, you might also be able to use munin for that. Go to http://yourk1000name/munin to see what I am talking about.
I've been using Splunk to manage the data kept in the KAgent.log file on each client at %ProgramData%\Dell\KACE\user\KAgent.log (Windows) and /var/dell/kace/user/KAgent.log (Linux). I was able to build a dashboard that displays endpoint license utilization, patches detected on each client, patches deployed to each client, inventory times, number of files replicated to replication shares, etc.
Comments:
- We are trying to set this up now. How did you pull the patch information? - craig_andersen 7 years ago
- My guess would be to set up the Splunk Universal Forwarder on each system, and then configure a Monitor input stanza for the KAgent.log.
You'll want to sample the log initially to make sure that Splunk can natively parse out the timestamp, and linebreak the events as needed.
If you have any other Splunk-specific questions, answers.splunk.com is a great resource :D - muebel 7 years ago
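
The forwarder setup suggested in the last comment, sketched as Splunk configuration. This is an added example, not part of the thread and not KACE or Splunk project code. The sourcetype and index names are hypothetical, the Windows path assumes %ProgramData% resolves to C:\ProgramData, and the timestamp layout is an assumption to replace after sampling a real KAgent.log.

```ini
# ---- inputs.conf on each Universal Forwarder ----
# Use the stanza that matches the client OS. Paths are the KAgent.log
# locations given in the answer above.

# Windows clients (assumes %ProgramData% = C:\ProgramData)
[monitor://C:\ProgramData\Dell\KACE\user\KAgent.log]
# hypothetical sourcetype name
sourcetype = kace:kagent
# hypothetical index name; the index must already exist on the indexers
index = kace
disabled = 0

# Linux clients
[monitor:///var/dell/kace/user/KAgent.log]
sourcetype = kace:kagent
index = kace
disabled = 0

# ---- props.conf on the indexers (or a heavy forwarder) ----
# A Universal Forwarder does not parse unstructured events, so line
# breaking and timestamp settings belong on the parsing tier, not on
# the clients.
[kace:kagent]
# Break on explicit boundaries instead of merging lines heuristically.
SHOULD_LINEMERGE = false
# ASSUMPTION: every event starts with "YYYY-MM-DD HH:MM:SS". Lines that
# do not start with that pattern stay attached to the previous event.
# Replace the pattern with what a sampled KAgent.log actually shows.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})
# Timestamp is expected at the very start of the event.
TIME_PREFIX = ^
# ASSUMPTION: same layout as in LINE_BREAKER; adjust after sampling.
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# Only read the 19 characters of the assumed timestamp, so dates that
# appear later in the message text are not mistaken for the event time.
MAX_TIMESTAMP_LOOKAHEAD = 19
# Cap event size so one runaway multi-line entry cannot grow unbounded.
TRUNCATE = 10000
```

After restarting the forwarder, search the hypothetical index for the sourcetype and compare `_time` and event boundaries against the raw file before building dashboards on it.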