I am sending logs from application to splunk server by Splunk logging for java using Http Event Collector with log4j2 configurations.
Actually logs are printed correctly in console but not getting pushed to splunk server.
And I am not evening getting any Error.
Below is my log4j2.xml configuration file
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="org.example">
<Appenders>
<Console name="console" target="SYSTEM_OUT">
<PatternLayout
pattern="%style{%d{IS08661}} %highlight{%-5level }[%style{%t}{bright, blue}] %style{%C{10}}{bright,yellow): %msg%n%throwable" />
</Console>
<File name="MyFile" fileName="logs/app.log">
<PatternLayout>
<Pattern>%d %p %c{1.} [%t] %m%n</Pattern>
</PatternLayout>
</File>
<SplunkHttp name="httpconf"
url="http://localhost:8088"
token="b489e167-d96d-46ec-922f-6b25fc83f199"
host="localhost"
index="spring_dev"
source="source name"
sourcetype="log4j"
messageFormat="text"
disableCertificateValidation="true">
<PatternLayout pattern="%m" />
</SplunkHttp>
</Appenders>
<Loggers>
<Root level="info">
<AppenderRef ref="console" />
<AppenderRef ref="MyFile"/>
<AppenderRef ref="httpconf" />
</Root>
</Loggers>
</Configuration>
I'm not very strong on log4j but I'd expect the HEC REST endpoint included in the URL.
No, because in official docs they mention only url = %scheme%://%host%:%port%
Also, I tried including HEC REST endpoint but not working in my case.
Ahhh... This is a Splunk-specific class. I thought this was supposed to be some generic HTTP POST based mechanism. OK, in this case it might indeed be inserting the proper REST endpoint on its own.
Anyway, I'd try debugging by just launching tcpdump/wireshark and verifying if there is any connectivity between your app and your HEC input (and if there is - what is going on there). You use unencrypted HTTP so you should see the traffic