Wednesday, June 12, 2013

exim4 + splunk = violent happiness

exim4 + splunk

yes, syslog is shot over udp by default, so the ordering can be weird and stuff can get lost, 
because, well, that's udp.  but, just for fun, let's throw our mail logs over to a 
splunk server as well as to the local filesystem.  exim's log_file_path takes at most 
two items (the word syslog and/or one file path), so be mindful: syslog plus one set of 
local log files is all you get.

i'm running ubuntu 12.04.1 lts.  it ships rsyslogd (default conf) and exim4.

regarding syslog, do recall that exim logs to the mail facility by default (the 
syslog_facility option) and uses these priorities:
main log is written with LOG_INFO
reject log is written with LOG_NOTICE
panic log is written with LOG_ALERT

on the rsyslog side, the mail.info / mail.warn / mail.err lines in ubuntu's 
/etc/rsyslog.d/50-default.conf are commented out; uncomment the ones you want locally, 
and add a rule that forwards the mail facility to your splunk box, e.g. mail.* @loghost . 
a single @ is udp (hence the loss and ordering caveats above); @@ is tcp.

first thing, edit /etc/exim4/update-exim4.conf.conf to your liking.  make sure

dc_use_split_config='true'

is set, since everything below relies on the split config in /etc/exim4/conf.d/.

at the very end of:

/etc/exim4/conf.d/main/02_exim4-config_options 

place:

.ifndef LOG_FILE_PATH     
LOG_FILE_PATH = syslog : /var/log/exim4/%slog
.endif
log_file_path = LOG_FILE_PATH          

those macro lines are important.  debian's exim4 config is built from macros: the 
.ifndef/.endif guard defines LOG_FILE_PATH only if nothing earlier in the config already 
did, and the last line is what actually applies it.  %s in the file path is expanded to 
main, reject or panic.  leave any of it out and the setting doesn't take effect.

then issue:
update-exim4.conf

and:
/etc/init.d/exim4 restart

to see if exim4 for real took that setting, issue:

exim4 -bP log_file_path

and it should look like:

log_file_path = syslog : /var/log/exim4/%slog

send some mail and check mainlog and splunk.  yeah.  awesome.
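pulling the rsyslog forwarding and the exim macro block together, here is an added example (mine, not from the original post) that writes the forwarding rule, appends the macro block once, restarts both daemons and checks that exim really took the setting. loghost, the conf.d path and the macro block are from the post; the drop-in file name /etc/rsyslog.d/60-exim-loghost.conf, the rsyslog queue directives for the tcp variant and the "apply" argument are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): exim4 -> rsyslog -> loghost.
# The pieces are plain functions so they can be checked before touching a
# live box; only "apply" changes anything. Names marked ASSUMED are my
# choices, everything else comes from the post.

LOGHOST="${LOGHOST:-loghost}"                         # the post's @loghost
EXIM_OPTS=/etc/exim4/conf.d/main/02_exim4-config_options
RSYSLOG_DROPIN=/etc/rsyslog.d/60-exim-loghost.conf    # ASSUMED file name

# rsyslog rule for the mail facility (exim's default syslog_facility).
#   udp: "@host"  - the post's choice; no retry, no ordering, lines can vanish
#   tcp: "@@host" - plus a disk-assisted queue so lines survive loghost outages
rsyslog_forward_conf() {
    host=$1
    proto=${2:-udp}
    case $proto in
        udp)
            printf 'mail.* @%s:514\n' "$host"
            ;;
        tcp)
            # legacy rsyslog directives; they apply to the next action line
            printf '$ActionQueueType LinkedList\n'
            printf '$ActionQueueFileName exim_loghost\n'
            printf '$ActionResumeRetryCount -1\n'
            printf '$ActionQueueSaveOnShutdown on\n'
            printf 'mail.* @@%s:514\n' "$host"
            ;;
        *)
            echo "unknown transport: $proto (use udp or tcp)" >&2
            return 1
            ;;
    esac
}

# The macro block the post appends to $EXIM_OPTS, verbatim.
exim_log_macro_block() {
    cat <<'EOF'
.ifndef LOG_FILE_PATH
LOG_FILE_PATH = syslog : /var/log/exim4/%slog
.endif
log_file_path = LOG_FILE_PATH
EOF
}

# Check the value printed by `exim4 -bP log_file_path`. exim takes a
# colon-separated list of at most two items: the word "syslog" and/or one
# file path. This checker insists on exactly one "syslog" (that is what we
# are verifying) and only accepts a path with %s in it, so the three logs
# land in separate files.
check_log_file_path() {
    value=${1#log_file_path = }
    n=0 have_syslog=0
    old_ifs=$IFS
    IFS=:
    for item in $value; do
        item=$(printf '%s' "$item" | sed 's/^ *//;s/ *$//')
        n=$((n + 1))
        case $item in
            syslog) have_syslog=$((have_syslog + 1)) ;;
            /*%s*)  ;;
            *)      IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ "$n" -le 2 ] && [ "$have_syslog" -eq 1 ]
}

# The part you actually run, as root, on the mail host. Idempotent: the
# macro block is appended only if it is not already there.
apply() {
    proto=${1:-udp}
    conf=$(rsyslog_forward_conf "$LOGHOST" "$proto") || return 1
    printf '%s\n' "$conf" > "$RSYSLOG_DROPIN"
    grep -q '^log_file_path = LOG_FILE_PATH' "$EXIM_OPTS" \
        || exim_log_macro_block >> "$EXIM_OPTS"
    update-exim4.conf        # rebuild from conf.d (needs dc_use_split_config='true')
    service rsyslog restart
    service exim4 restart
    if check_log_file_path "$(exim4 -bP log_file_path)"; then
        echo "exim4 logs to syslog now; send a test mail and watch mainlog and splunk"
    else
        echo "exim4 did not take log_file_path: $(exim4 -bP log_file_path)" >&2
        return 1
    fi
}

case ${1:-} in
    apply) shift; apply "$@" ;;
esac
```

run it as `sh exim-loghost.sh apply tcp` (or `apply udp` to match the post). two things to expect once syslog is on: rsyslog's default mail.* rule also writes a local copy to /var/log/mail.log, and exim's syslog_duplication (default true) sends reject-log lines to syslog twice, once for the reject log and once for the main log. if splunk double counts rejects, set syslog_duplication = false in the same options file.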
