Archive

Is there any method to index log4j syslog from remote log4j server?

Builder

I want to index log4j syslog from remote log4j server, but I noticed the data is not plain text, splunk can not index them dicretly via network.
I read the best way to index log4j file is to set up a standard log4j-syslog appender on my log4j host.
However, log4j-syslog appender seems to be no longer available.

http://www.splunk.com/wiki/Community:Log4j

Does anybody know if there is any other method to index log4j from remote log4j server?
If log4j-syslog appender is still available, please also let me know how I can get it.

Tags (1)
0 Karma
Highlighted

Re: Is there any method to index log4j syslog from remote log4j server?

Builder

the syslog appender is still available. You can configure it like so;

# Syslog appender
log4j.appender.syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%-5.5p | %other_pattern | %m%n
# Set the following to yoursyslogserver:514 for remote. 
log4j.appender.syslog.SyslogHost=localhost:514
log4j.appender.syslog.Facility=Local0
log4j.appender.syslog.Threshold=WARN
log4j.appender.syslog.FacilityPrinting=false

The syslog appender is definitely still available in log4j 1.2 API: API doc

On a side note, we use a local splunkforwarder with udp:localhost:514 listener forwarding to our index server - its more reliable like this, as UDP is a "fire and forget" protocol.

0 Karma