1. modify the squid config so cache_access_log writes to syslog (rsyslog) instead of the local file
# vim /etc/squid3/squid.conf
#cache_access_log /var/log/squid3/access.log
cache_access_log syslog:local5.info squid
2. modify the rsyslog configuration to forward the squid log to splunk
# vim /etc/rsyslog.d/50-default.conf
add this line to the file (a single @ forwards over UDP; splunk.xxx.xxx.xxx is the Splunk server's address)
local5.* @splunk.xxx.xxx.xxx:514
3. restart squid and rsyslog
# /etc/init.d/squid3 restart
# /etc/init.d/rsyslog restart
4. confirm squid server status
# /etc/init.d/squid3 status
5. confirm the log data in splunk server
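For step 5, it helps to know exactly what arrives at the Splunk side: an RFC 3164 syslog header (PRI 174 = local5.info, tag "squid") followed by squid's native access-log record. The parser below is an added example, not code from this post; the sample lines, host name, IPs and URLs are constructed, and the field layout is squid's native access log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what rsyslog forwards to port 514 for "local5.*" after
# squid logs via syslog:local5.info with tag "squid". Host, IPs and URLs are made up.
SAMPLE_LINES = [
    "<174>Jan 12 10:15:01 proxy01 squid: 1326363301.123    245 10.0.0.5 "
    "TCP_MISS/200 2345 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html",
    "<174>Jan 12 10:15:02 proxy01 squid: 1326363302.456     12 10.0.0.7 "
    "TCP_DENIED/403 3671 CONNECT blocked.example:443 - HIER_NONE/- text/html",
    "<174>Jan 12 10:15:03 proxy01 sshd: Accepted publickey for admin from 10.0.0.9",
]

# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}  # local0..local7 = 16..23
SQUID_FIELDS = ("time", "elapsed", "client", "result", "bytes", "method",
                "url", "ident", "hierarchy", "type")  # squid native log format


def parse_forwarded_line(line: str) -> Optional[Dict[str, str]]:
    """Split the syslog header from the squid native access-log record it carries."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != "squid":   # tag set by the squid.conf directive
        return None
    facility, severity = divmod(int(m.group("pri")), 8)  # PRI = facility*8 + severity
    fields = m.group("msg").split()           # squid pads elapsed/bytes with spaces
    if len(fields) != len(SQUID_FIELDS):
        return None
    rec = dict(zip(SQUID_FIELDS, fields))
    rec["action"], rec["status"] = rec.pop("result").split("/", 1)
    rec["facility"] = FACILITY_NAMES.get(facility, str(facility))
    rec["severity"] = str(severity)
    return rec


def denied_requests(lines: List[str]) -> List[tuple]:
    """What a Splunk search on action=TCP_DENIED surfaces: (client, method, url)."""
    hits = []
    for line in lines:
        rec = parse_forwarded_line(line)
        if rec and rec["action"] == "TCP_DENIED":
            hits.append((rec["client"], rec["method"], rec["url"]))
    return hits
```

If a line parses with facility other than local5 or with a different tag, the squid.conf directive or the rsyslog selector is not what this post expects.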