topic log4j socket appender and Splunk? in Getting Data In

log4j socket appender and Splunk?

ljoshi — Thu, 29 Jul 2010 10:22:16 GMT

Does Splunk work with a log4j socket appender? ( not the rolling file one). How?

Re: log4j socket appender and Splunk?

dwaddle — Fri, 30 Jul 2010 08:23:32 GMT

Splunk can listen on a TCP socket for an arbitrary stream of bytes. This should include the output of log4j's socket appender. The inputs.conf stanza for this is similar to:

[tcp://7070]
connection_host=dns
sourcetype=log4j

There's at least one caveat with this approach - your log4j data is not persisted anywhere until it is indexed. If the connectivity between your log4j app and splunk is disrupted, or if the Splunk indexer is down for some reason -- you could lose event data. A forwarder on the log4j host, reading a file produced by the log4j app is more robust in this example.

Re: log4j socket appender and Splunk?

bchen — Fri, 03 Sep 2010 06:51:25 GMT

It's unlikely you want to use SocketAppender with Splunk, since it sends a serialized Java object, LoggingEvent, which is meant for something like SocketNode to receive and deserialize.

Something that may have more sensible data is to use SyslogAppender. (though I haven't tried it personally)

Re: log4j socket appender and Splunk?

mawalters1 — Wed, 15 Dec 2010 00:36:48 GMT

Fully agree with bchen, you will get serialized garble in your messages on the splunk index using SocketAppender. Log4j properties example below just alter SyslogHost values. Port is optional, but useful to create various index sources.

We use another appender to created log files of same data, used to fill long term analysis, feed those to splunk in different index.

example for syslog appender log4j log4j.appender.SPLUNKiT=org.apache.log4j.net.SyslogAppender log4j.appender.SPLUNKiT.SyslogHost=[:CustomPort] log4j.appender.SPLUNKiT.layout=org.apache.log4j.PatternLayout log4j.appender.SPLUNKiT.layout.ConversionPattern=sv-cdr-posted - %m log4j.appender.SPLUNKiT.Facility=USER

Re: log4j socket appender and Splunk?

LauraBre — Fri, 18 May 2012 13:21:39 GMT

I read your subject and I hava a question because I hava a similar problem. When I read my events in Splunk the data format is different. There are a lot of characters which haven't be it. Can you show me how you are logging your events. Me, I do it but I think it is bad:

LOGGER_SPLUNK.info("Requested serv. : D2T, Nb PAN : " + nbPan +", Requester : " + body.get(NlvValue.REQUESTER_ID) +", User : " + body.get(NlvValue.REQUESTER_ID)+"_ow, Host : "+host+" ServiceName : ");//+ exchange.getProperty(ConstantUtil.SERVICE_NAME));

this is my log4j.properties:

log4j.logger.net.awl.bfi.TokenizerWatchdogSplunk=info,watchdogSplunkSocket
log4j.appender.watchdogSplunkSocket=org.apache.log4j.net.SocketAppender
log4j.appender.watchdogSplunkSocket.remoteHost=odpcil01b
log4j.appender.watchdogSplunkSocket.port=5541
log4j.appender.watchdogSplunkSocket.locationInfo=false
log4j.appender.watchdogSplunkSocket.layout=org.apache.log4j.PatternLayout 
log4j.appender.watchdogSplunkSocket.layout.ConversionPattern = [%-5p][%d{dd/MM/yyyy HH:mm:ss}][%c][%F]%m%n

Thanks by advance,

Laura

Re: log4j socket appender and Splunk?

Damien_Dallimor — Sat, 19 May 2012 04:11:54 GMT

Check out SplunkJavaLogging

Log4j and Logback appenders to send events to Splunk via HTTP REST or Raw TCP
Helper classes for formatting log events in a best practice semantic format for Splunk

Re: log4j socket appender and Splunk?

nappana — Tue, 12 Mar 2019 22:21:21 GMT

i have .log file generate by using log4j. now my task is to pass this .log file into splunk dashboard. can anyone explain me step by step how to pass .log file into splunk dashboard.

Re: log4j socket appender and Splunk?

unitedmarsupial — Tue, 24 Dec 2019 15:26:53 GMT

Unfortunately, that library only works with log4j-2.x. Some of us are -- for the sins we've committed in prior lives -- still stuck with log4j-1.x