IBM Verify


Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  sending event logs via "remote syslog forwarding" vs "server-log-cfg"

    Posted Mon August 17, 2020 10:20 AM
    Hello Again !
    All my logs are being sent to a remote syslog server (Splunk) via the "server-log-cfg" entry of the WebSEAL conf file. I am on ISAM 9.0.5.
    A few weeks ago I enabled the "remote syslog forwarding" menu option from the LMI to send just the event logs to my Splunk server while the server-log-cfg config is still in place. Just when I enabled it, I saw logs dated the previous month being sent to Splunk and I assumed it would be sending all logs that were lying on the appliance. But even today it is still sending logs dated the previous month to Splunk. Just checking if this is normal, whether any of you have experienced this, and whether it is advised that I clean up the appliance once I enable the remote syslog fwd option, just to avoid any confusion. It is causing unnecessary panic for me, as there may be critical events in the past that are being sent now and my Splunk throws high alerts to me off hours and makes me log in for a health check only to find out that it is a one-month-old event.

    Thank you!
    -Raj

    ------------------------------
    Rajkumar
    ------------------------------


  • 2.  RE: sending event logs via "remote syslog forwarding" vs "server-log-cfg"

    Posted Tue August 18, 2020 12:26 AM
    Raj,

    The way that the remote syslog forwarder works is to 'scrape' the specified log files and send any newly encountered messages to the remote syslog server.  So, the first time that you activate the capability it will forward all existing log messages to the remote syslog server.  At this point it will 'remember' which messages have already been sent and then send only new messages to the server.  

    If you don't want the server to 'catch-up' and you want it to not send old messages your only real option is to first clear out the log files.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------
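The catch-up behaviour Scott describes (scrape the files, forward everything not yet seen, then remember where you stopped) and the off-hours alert problem Raj raises can both be seen in a small model. The code below is an added example for this thread, not IBM's ISAM / Verify Access implementation: the checkpoint file, the log line format, the two-appliance scenario and the 24-hour staleness threshold are all assumptions. It shows why enabling forwarding over a month of history replays that history once, why clearing the log first avoids it, and how the receiving side can tag replayed events by their own timestamp so alert rules do not page on them.

```python
"""Illustrative model of a 'scraping' syslog forwarder (byte-offset checkpoint
per file) plus a consumer-side staleness check.  Added example for this
thread; it is not IBM's ISAM / Verify Access code, and the file layout, line
format and 24-hour threshold are assumptions."""
from __future__ import annotations

import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


class ScrapingForwarder:
    """Reads each log file from its last checkpointed byte offset and emits
    every complete line not sent before.  On the very first run the offset is
    0, so the whole file (months-old entries included) is forwarded."""

    def __init__(self, state_path: Path) -> None:
        self.state_path = state_path
        self.offsets: dict[str, int] = (
            json.loads(state_path.read_text()) if state_path.exists() else {}
        )

    def forward(self, files: list[Path]) -> list[str]:
        sent: list[str] = []
        for f in files:
            key = str(f)
            start = self.offsets.get(key, 0)
            data = f.read_bytes()
            if len(data) < start:      # file truncated or rotated: rescan from 0
                start = 0
            end = start
            for line in data[start:].splitlines(keepends=True):
                if not line.endswith(b"\n"):
                    break              # partial write; pick it up on the next pass
                sent.append(line.decode("utf-8", "replace").rstrip("\n"))
                end += len(line)
            self.offsets[key] = end    # 'remember' what has already been sent
        self.state_path.write_text(json.dumps(self.offsets))
        return sent


def classify(line: str, now: datetime, max_age: timedelta = timedelta(hours=24)) -> str:
    """Consumer-side check: tag an event 'backfill' when its own timestamp is
    older than max_age, so alert rules can ignore catch-up traffic."""
    ts = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
    return "backfill" if now - ts > max_age else "live"


def run_demo(workdir: Path | None = None) -> dict[str, int]:
    """Appliance A enables forwarding with a month of history in place;
    appliance B clears its log first.  Returns event counts per scenario."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return run_demo(Path(d))
    now = datetime(2020, 8, 18, 12, 0, tzinfo=timezone.utc)
    # Constructed sample lines in an assumed format (not real ISAM output).
    old = "2020-07-15T09:12:01+0000 webseald audit: authentication failure user=alice\n"
    fresh = "2020-08-18T11:59:30+0000 webseald audit: authentication failure user=bob\n"

    log_a = workdir / "a_msg.log"
    log_a.write_text(old * 3)
    first = ScrapingForwarder(workdir / "a_state.json").forward([log_a])   # replays 3 old events
    log_a.write_text(log_a.read_text() + fresh)
    second = ScrapingForwarder(workdir / "a_state.json").forward([log_a])  # resumes at checkpoint

    log_b = workdir / "b_msg.log"
    log_b.write_text("")                                                    # cleared before enabling
    fwd_b = ScrapingForwarder(workdir / "b_state.json")
    cleared = fwd_b.forward([log_b])
    log_b.write_text(fresh)
    after = fwd_b.forward([log_b])

    return {
        "a_first_pass": len(first),
        "a_first_backfill": sum(classify(ln, now) == "backfill" for ln in first),
        "a_second_pass": len(second),
        "a_second_live": sum(classify(ln, now) == "live" for ln in second),
        "b_first_pass": len(cleared),
        "b_after_new_event": len(after),
    }


if __name__ == "__main__":
    print(run_demo())
```

Appliance A's first pass forwards all three July events and every one of them is classed as backfill; its second pass sends only the new line, because the checkpoint survived the forwarder being re-created. Appliance B forwards nothing on enable and then only the genuinely new event. The `classify` step is the part that stops a replayed month-old failure from paging anyone: the event's own timestamp, not its arrival time, decides whether an alert rule should fire.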



  • 3.  RE: sending event logs via "remote syslog forwarding" vs "server-log-cfg"

    Posted Tue August 18, 2020 07:06 AM
    Yes Scott. After testing on a few appliances, I noticed 2018 events in my Splunk. The oldest log on the appliances was dated 2018 and because it has to scrape two-year-old files it is taking days to move them. Clearing the logs before enabling syslog forwarding is a good option. Thank you again; you have been very helpful.

    Regards
    Raj.

    ------------------------------
    Rajkumar
    ------------------------------