log4j2 configuration for Splunk HEC on EC2

crippled-ankle · ‎10-14-2020

I have my log4j2.xml as below,

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="com.splunk.logging">
    <Appenders>
        <SplunkHttp
                name="splunk"
                url="http://localhost:8088"
                token="sometoken"
                index="someindex"
                messageFormat="text"
                source="somesource"
                sourceType="log4j"
                batch_size_count="1"
                disableCertificateValidation="true"
        >

            <PatternLayout pattern="%m"/>
        </SplunkHttp>

    </Appenders>

    <Loggers>
        <Root level="INFO">
            <AppenderRef ref="splunk"/>
        </Root>
    </Loggers>
</Configuration>

I'm trying to set up Splunk with HEC on an EC2 instance. The same configuration works for a Splunk instance on my Windows machine.

I used tcpdump to trace packets on port 8088 and it seems there is no packet reaching to that port. Did I miss anything on the configuration?

Thank you!

richgalloway · ‎10-15-2020

Have you checked your firewall? Is Splunk listening on port 8088?

---
If this reply helps you, Karma would be appreciated.

log4j2 configuration for Splunk HEC on EC2

HTTP Event Collector

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...