Re: Using Splunk HTTP Event Collector with log4j2

crippled-ankle · ‎10-10-2020

Hi,

I'm trying to use SplunkHTTPAppender in production, the set up (log4j2.xml) works in development environment. But when I switch to production, http collector metrics (_introspection) starts to show data.num_of_requests_to_incorrect_url > 1 and no events are posted.

Is there a way to know the url used in event posting? and what is the criteria to determine a wrong url?

Thank you!

crippled-ankle · ‎10-11-2020

up

crippled-ankle · ‎10-10-2020

My config is like below,

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="com.splunk.logging">
    <Appenders>
        <SplunkHttp
                name="splunk"
                url="http://localhost:8088"
                token="token"
                index="comminimizer"
                messageFormat="text"
                batch_size_count="1"
                disableCertificateValidation="true"
        >

            <PatternLayout pattern="%m"/>
        </SplunkHttp>

    </Appenders>

    <Loggers>
        <Root level="INFO">
            <AppenderRef ref="splunk"/>
        </Root>
    </Loggers>
</Configuration>

Using Splunk HTTP Event Collector with log4j2

HTTP Event Collector

Linux

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Splunk ITSI & Correlated Network Visibility

Are you a member of the Splunk Community?