|
Does Splunk work with a log4j socket appender? ( not the rolling file one). How? |
|
Splunk can listen on a TCP socket for an arbitrary stream of bytes. This should include the output of log4j's socket appender. The inputs.conf stanza for this is similar to: There's at least one caveat with this approach - your log4j data is not persisted anywhere until it is indexed. If the connectivity between your log4j app and splunk is disrupted, or if the Splunk indexer is down for some reason -- you could lose event data. A forwarder on the log4j host, reading a file produced by the log4j app is more robust in this example. |
|
Fully agree with bchen, you will get serialized garble in your messages on the splunk index using SocketAppender. Log4j properties example below just alter SyslogHost values. Port is optional, but useful to create various index sources. We use another appender to created log files of same data, used to fill long term analysis, feed those to splunk in different index. example for syslog appender log4j log4j.appender.SPLUNKiT=org.apache.log4j.net.SyslogAppender log4j.appender.SPLUNKiT.SyslogHost=[:CustomPort] log4j.appender.SPLUNKiT.layout=org.apache.log4j.PatternLayout log4j.appender.SPLUNKiT.layout.ConversionPattern=sv-cdr-posted - %m log4j.appender.SPLUNKiT.Facility=USER |
|
It's unlikely you want to use SocketAppender with Splunk, since it sends a serialized Java object, LoggingEvent, which is meant for something like SocketNode to receive and deserialize. Something that may have more sensible data is to use SyslogAppender. (though I haven't tried it personally) |
