Archive
Highlighted

Is there any method to index log4j syslog from remote log4j server?

Builder

I want to index log4j syslog from remote log4j server, but I noticed the data is not plain text, splunk can not index them dicretly via network.
I read the best way to index log4j file is to set up a standard log4j-syslog appender on my log4j host.
However, log4j-syslog appender seems to be no longer available.

http://www.splunk.com/wiki/Community:Log4j

Does anybody know if there is any other method to index log4j from remote log4j server?
If log4j-syslog appender is still available, please also let me know how I can get it.

Tags (1)
0 Karma
Highlighted

Re: Is there any method to index log4j syslog from remote log4j server?

Builder

the syslog appender is still available. You can configure it like so;

# Syslog appender
log4j.appender.syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.syslog.layout.ConversionPattern=%-5.5p | %other_pattern | %m%n
# Set the following to yoursyslogserver:514 for remote. 
log4j.appender.syslog.SyslogHost=localhost:514
log4j.appender.syslog.Facility=Local0
log4j.appender.syslog.Threshold=WARN
log4j.appender.syslog.FacilityPrinting=false

The syslog appender is definitely still available in log4j 1.2 API: API doc

On a side note, we use a local splunkforwarder with udp:localhost:514 listener forwarding to our index server - its more reliable like this, as UDP is a "fire and forget" protocol.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.