Does anyone have a list of available appenders for the log.cfg file. We are trying to have splunk and the splunk universal forwarder log their internal events to Syslog instead of a file on disk.
We've debated on using a tmpfs mount and to have the splunk universal forwarder monitor that, but we'd rather have the logs route internally to itself with syslog.
Does anyone have any ideas to route internally without the appenders, of if not, we'd like the list and syntax for them. Here is a snippet of the log.cfg file that we have tried changing (all of the appenders are the same):
appender.license_usage=org.apache.log4j.net.SyslogAppender
appender.license_usage.SyslogHost=127.0.0.1:9999
appender.license_usage.layout=PatternLayout
appender.license_usage.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
appender.license_usage.Facility=USER
We've also tried:
appender.license_usage=SyslogAppender
appender.license_usage.SyslogHost=127.0.0.1:9999
appender.license_usage.layout=PatternLayout
appender.license_usage.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
appender.license_usage.Facility=USER
When starting up, we get a parse error on both on each SyslogHost parameter and each Facility parameter.
Just FYI, we have configured splunk to listen on UDP port 9999 for syslog events and they correctly forward for non-internal logs.
Still, we'd rather use syslog as our servers are going to be diskless... We'll look into log4cxx more. Are there any other ideas anyone has?
Sorry guys, but i really need a fix for this.... so...
BUMP
Well the java logging framework(log4j) won't work.
I presume Splunk uses log4cxx.
Anyhow, out of curiosity, I tried the log4cxx SyslogAppender, and I too got parse errors as you describe.
I tend to dial down my splunk internal file logging output to a pretty low threshold, maxBackupIndex=1 and maxFileSize=5000000 ,as I am Splunk monitoring the logs and forwarding them into the Splunk "_internal" index anyway.
inputs.conf
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
index = _internal
outputs.conf
[tcpout]
defaultGroup = mygroup
disabled = false
[tcpout:mygroup]
server = myindexer:9997