Log storage: Splunk logstore

logstore_splunk
Maintained by Picture of Skylar KeltySkylar Kelty
A plugin for syncing Moodle logs to Splunk either in realtime or as a background task.
7 sites
8 downloads
1 fans
Current versions available: 1
This plugin syncs Moodle's logs to Splunk via the API,  either in realtime (as the logs are entered) or as a background cron task.

The cron task can be useful if you are just trialing Splunk or do not otherwise have a proper HA setup.

This will require a Splunk installation. Splunk is a third party app, you can download a free trial here: http://www.splunk.com/en_us/download-5.html

Contributors

Picture of Skylar Kelty
Skylar Kelty (Lead maintainer)
Please login to view contributors details and/or to contact them

Comments RSS

Show comments
  • Picture of Mike Churchward
    Sat, May 14, 2016, 3:35 AM
    Hi Skylar. I am with the Plugins Guardians and I am looking at your plugin for acceptance into the plugins database.
    There are a few coding guideline issues identified in the prechecker above. It would be good if you could look at those and resolve them if possible.
    Can you add some details to the description about what Splunk is for and what functions it provides? I believe it is a data analyzer and report engine, but I didn't spend enough time looking at the Splunk site to be sure.
    I had one problem. The settings screen has a setting for "Hostname of sender". This defaults to the $CFG->wwwroot value. But I could not save the settings screen with that value loaded. Through trial and error, I discovered that the value could not contain "http://" or other "/" characters. So "localhost" would work, but "localhost/moodle" would not. I think that may be a problem?
    You might consider adding some help documentation to explain the settings as well. For example, the difference between "Realtime" and "Background" export modes.
    The code looks good and is well-written.
    The third-party library uses a compatible open source license (Apache v 2.0).
    I did not spend any time setting it up to work with Splunk, but I presume it does what its supposed to. Are there any possible performance issues using Splunk that people should be aware of?
  • Picture of David Mudrák
    Thu, May 26, 2016, 6:11 AM

    Thanks Skylar for sharing the plugin with the community, and thanks Mike for providing the peer-review. I can see the description has been fixed.

    With regards to the "Hostname of sender", Mike raises a good point. There is PARAM_HOST used as the type for that field. That type is valid for fields like servername as the underlying Splunk library expects the valid hostname there. But here, this hostname is used as a part of the event data. The Splunk API documentation describes that field as Host name for the Active Directory Monitor with the default value Docs-W8R2-Std7 which suggests that PARAM_HOST might be valid type here, too. It might help to double check this and maybe provide some explanation for admins.

    Said that, I am happy to approve this now. You are cleared to land, welcome to the Plugins directory!

  • Picture of Skylar Kelty
    Thu, May 26, 2016, 5:20 PM
    Sorry for the delayed response! I believe PARAM_HOST to be right, I'll change the default..
    As far as the docs go, I could provide more explanation as to what Splunk is but given the cost to institutions who use it, it is likely they have spent a long time evaluating it already.
    I'll write some better docs for it shortly, though more in regards to the plugin than Splunk itself.
    There is negligible impact on performance while Splunk is healthy, even in "realtime".
Please login to post comments