4 Replies Latest reply on Jan 8, 2016 6:41 AM by Mirko Swillus
      • Re: Anyone tried to use logstash for jive log management?
        wmedlen

        I know you asked this years ago, but we recently implemented the ELK Stack for logging, mainly incident response. I can give you some info if you are interested.

         

        Thanks

            • Re: Anyone tried to use logstash for jive log management?
              wmedlen

              The need for some sort of decent logging spun out of our need for incident response. The Marshall Space Flight Center uses Jive as a social collaboration tool, and since it is a government agency, we needed a way to track logs well in case an employee posts something inappropriate, or posts something data-sensitive. We had a plug-in built for us that captured the IP address of any user who commits an action.

               

              As you may know, Jive spits out tons of logs, each on its own server. What we did was that we spun up a server dedicated to analytics and logging. Using Linux's built-in rsync command, we sync some logs across our network to this server and run them through the ELK Stack. Since the ELK Stack has great searchability, a use case would be that somebody posts something inappropriate, and I can view the logs across a specific time frame, search the user name, and gather all needed information about the inappropriate post. I can then submit that to our incident response team.

          • Re: Anyone tried to use logstash for jive log management?
            Mirko Swillus

            Hej Aljaz,

             

            Good point. Currently I'm thinking about connecting Log4J directly through a SocketAppender to the Logstash TCP port. But I don't know exactly where to put that log4j.properties file. /usr/local/jive/applications/sbs/home/etc/ seems to be a good place, since there is this log4j-override.properties in there. Or the other way around, how do I manage to put some custom log4j config in that override file without having it overwritten with every update on the admin backend?

             

            Any hint appreciated, thanks in advance.

             

            Mirko