Getting Data In

Logs not getting pushed to splunk server by Splunk logging for java using Http Event Collector with log4j configuration

VinayakJamadar
Loves-to-Learn Lots

I am sending logs from application to splunk server by Splunk logging for java using Http Event Collector with log4j2 configurations.

Actually logs are printed correctly in console but not getting pushed to splunk server.

And I am not evening getting any Error.

Below is my log4j2.xml configuration file

<?xml version="1.0" encoding="UTF-8"?>

<Configuration status="info" name="example" packages="org.example">

<Appenders>

<Console name="console" target="SYSTEM_OUT">

<PatternLayout

pattern="%style{%d{IS08661}} %highlight{%-5level }[%style{%t}{bright, blue}] %style{%C{10}}{bright,yellow): %msg%n%throwable" />

</Console>

<File name="MyFile" fileName="logs/app.log">

<PatternLayout>

<Pattern>%d %p %c{1.} [%t] %m%n</Pattern>

</PatternLayout>

</File>

<SplunkHttp name="httpconf"

url="http://localhost:8088"

token="b489e167-d96d-46ec-922f-6b25fc83f199"

host="localhost"

index="spring_dev"

source="source name"

sourcetype="log4j"

messageFormat="text"

disableCertificateValidation="true">

<PatternLayout pattern="%m" />

</SplunkHttp>

</Appenders>

<Loggers>

<Root level="info">

<AppenderRef ref="console" />

<AppenderRef ref="MyFile"/>

<AppenderRef ref="httpconf" />

</Root>

</Loggers>

</Configuration>
Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

I'm not very strong on log4j but I'd expect the HEC REST endpoint included in the URL.

 

0 Karma

VinayakJamadar
Loves-to-Learn Lots

No, because in official docs they mention only url = %scheme%://%host%:%port%

 

https://dev.splunk.com/enterprise/docs/devtools/java/logging-java/howtouseloggingjava/enableloghttpj...

 

Also, I tried including HEC REST endpoint but not working in my case.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ahhh... This is a Splunk-specific class. I thought this was supposed to be some generic HTTP POST based mechanism. OK, in this case it might indeed be inserting the proper REST endpoint on its own.

Anyway, I'd try debugging by just launching tcpdump/wireshark and verifying if there is any connectivity between your app and your HEC input (and if there is - what is going on there). You use unencrypted HTTP so you should see the traffic

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...