Using ubuntu cloud-init to setup logging to splunk

Question

I intend to start up ~100 EC2 spot instances using Canonical's Ubuntu images. I am using multipart cloud-init user-data to setup packages, scripts, etc.

I would like to know how I can tell rsyslog to log to a splunk server (actually a splunk storm server) via the cloud-init configuration. Preferably, this would be done very early in the boot/config process so as to capture as much of the boot process logs themselves as possible.

score 2 · Accepted Answer · edited Aug 25 '11 at 06:09

2

Looks like there's a config provider for exactly this case; to throw a TCP syslog stream at splunk.example.com:

rsyslog:
 - '$RepeatedMsgReduction off'
 - filename: 30-splunk.conf
   content: '*.*   @@splunk.example.com'

edited Aug 25 '11 at 06:09

vsekhar

147
5

answered Aug 24 '11 at 21:14

Shane Madden

114,520
13
181
251

Right on the spot! – lynxman Aug 24 '11 at 21:34
1

I was getting errors because of the wildcard in the multi-line content. Edited with quoting (and filename convention) – vsekhar Aug 24 '11 at 21:54

Using ubuntu cloud-init to setup logging to splunk

1 Answers1