Skip to main content

Need some suggestion :

What is the recommended way to configure Commvault logs in Splunk . Which will provide you more control over the logs .

  1. To use Commvault Splunk app https://splunkbase.splunk.com/app/5718/ .
  2. To configure syslog server and then move logs from CommVault to syslog and create your own dashboards , reports in Splunk .

Does using the app provide something more which we can not get if we configure our monitoring based on the logs of syslog.

Can the app dashboards and reports be customized or create new reports/dashboards as per the requirements ?

We have a few ways to export data into Splunk.  Each have their use case, and Pros and Cons.  And you can combine multiple methods effectively.  Let me break it down a bit:

 

  1. Splunk App - use this if need to export log data into Splunk. 
    1. PRO:  This is great for IT Ops, advanced troubleshooting, log preservation and Commvault monitoring
    2. CON: Doesn't provide monitoring of events/alerts or audit trail.
  2. Syslog - use this if you need export alerts, events, and/or audit trail.  You dont need a Syslog server to ingest into splunk - splunk allows you to create a TCP connector to directly receive from the CommServer (over HTTPS).
    1. PRO: Allows you to preserve audit trail info externally, and allows monitoring of events, and alerts
    2. CON: Its all or nothing - You can pick and choose if you want to ingest events, alerts, or audit trail, but when you pick those options it will ingest all triggered alerts, events and audit events -  which could be too much info.
  3. Webhook - use this if you want to see only certain triggered alerts - FR25+ only
    1. PRO: Allows you to configure specific alerts (as configured in the alert notification) to ingest into third party system using API’s.  This method pushes the alerts to another system.  This is more modern approach than Syslog - and it allows you to control which alerts you want to see to limit the data ingest.
    2. CON: Dosnt support log data, and audit trail yet
  4. REST API - use Commvault api to pull report data into Splunk
    1. PRO: Allows you to ingest pretty much any report in Commvault into splunk.
    2. CON: Data has to be pulled from your Splunk system, Splunk requires an API plugin which costs money.  With this method you have to deal with auth tokens in Commvault etc.  I would only use API for specific custom reporting data that you want to periodically pull into splunk -  not for continuous ingestion of data.

Personally I use the Splunk APP, and Syslog together.  This provides me with all my log data in Splunk as well as all alert/event/and audit trail monitoring.  Webhooks would be a more modern approach to Syslog, but I want everything ingested into Splunk.  Once you ingest into splunk you can create your own search views, and dashboards.

 

I hope this helps.