Monitoring Splunk

Log.cfg appenders list (or other ways of routing internal logs)

nterry
Path Finder

Does anyone have a list of available appenders for the log.cfg file? We are trying to have Splunk and the Splunk universal forwarder log their internal events to syslog instead of a file on disk.

We've debated using a tmpfs mount and having the Splunk universal forwarder monitor that, but we'd rather have the logs route internally to itself with syslog.

Does anyone have any ideas to route internally without the appenders, or, if not, we'd like the list and syntax for them. Here is a snippet of the log.cfg file that we have tried changing (all of the appenders are the same):

appender.license_usage=org.apache.log4j.net.SyslogAppender
appender.license_usage.SyslogHost=127.0.0.1:9999
appender.license_usage.layout=PatternLayout
appender.license_usage.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
appender.license_usage.Facility=USER

We've also tried:

appender.license_usage=SyslogAppender
appender.license_usage.SyslogHost=127.0.0.1:9999
appender.license_usage.layout=PatternLayout
appender.license_usage.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n
appender.license_usage.Facility=USER

When starting up, we get a parse error on both, on each SyslogHost parameter and each Facility parameter.

Just FYI, we have configured Splunk to listen on UDP port 9999 for syslog events, and they correctly forward for non-internal logs.

0 Karma

nterry
Path Finder

Still, we'd rather use syslog as our servers are going to be diskless... We'll look into log4cxx more. Are there any other ideas anyone has?

0 Karma

nterry
Path Finder

Sorry guys, but I really need a fix for this.... so...

BUMP

0 Karma

Damien_Dallimor
Ultra Champion

Well, the Java logging framework (log4j) won't work.

I presume Splunk uses log4cxx.

Anyhow, out of curiosity, I tried the log4cxx SyslogAppender, and I too got parse errors as you describe.

I tend to dial down my Splunk internal file logging output to a pretty low threshold, maxBackupIndex=1 and maxFileSize=5000000, as I am Splunk monitoring the logs and forwarding them into the Splunk "_internal" index anyway.

inputs.conf

[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
index = _internal

outputs.conf

[tcpout]
defaultGroup = mygroup
disabled = false

[tcpout:mygroup]
server = myindexer:9997

0 Karma
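
Added example, not part of any post in this thread and not Splunk's own code: a Python script that parses a log4cxx-style log.cfg (the `appender.NAME=Class`, `appender.NAME.prop=value` and `category.NAME=LEVEL,appender` lines the question is about), lists each appender with its class and properties, flags appenders that no category references, and checks whether every file-writing appender lands under a directory covered by a `[monitor://...]` stanza, which is the collection approach the answer above describes. The log.cfg and inputs.conf contents are constructed samples, not files shipped by Splunk, and `$SPLUNK_HOME` is assumed to be `/opt/splunk`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log.cfg in log4cxx properties syntax (not Splunk's shipped
# file). Appender names, paths and sizes are illustrative only.
SAMPLE_LOG_CFG = """\
rootCategory=INFO,A1
appender.A1=RollingFileAppender
appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log
appender.A1.maxFileSize=25000000
appender.A1.maxBackupIndex=5
appender.A1.layout=PatternLayout
appender.A1.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l %z} %-5p %c - %m%n

category.LicenseUsage=INFO,license_usage
appender.license_usage=RollingFileAppender
appender.license_usage.fileName=${SPLUNK_HOME}/var/log/splunk/license_usage.log
appender.license_usage.maxBackupIndex=1
appender.license_usage.maxFileSize=5000000

# Constructed: an appender that writes outside the monitored directory
category.Metrics=INFO,metrics
appender.metrics=RollingFileAppender
appender.metrics.fileName=/var/tmp/splunk-metrics.log
"""

# Constructed inputs.conf stanza, same shape as the one in the answer above.
SAMPLE_INPUTS_CONF = """\
[monitor://$SPLUNK_HOME/var/log/splunk]
_TCP_ROUTING = *
index = _internal
"""

SPLUNK_HOME = "/opt/splunk"  # assumed install path used to expand $SPLUNK_HOME


def parse_log_cfg(text: str) -> Dict[str, dict]:
    """Parse appender.* lines plus category.* / rootCategory lines.

    Returns {"appenders": {name: {"class": str, "props": {key: value}}},
             "categories": {name: (level, [appender names])}}.
    """
    appenders: Dict[str, dict] = {}
    categories: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.startswith("appender."):
            # "appender.A1" names the class; "appender.A1.layout.X" is a property
            name, _, prop = key[len("appender."):].partition(".")
            entry = appenders.setdefault(name, {"class": None, "props": {}})
            if prop:
                entry["props"][prop] = value
            else:
                entry["class"] = value
        elif key == "rootCategory" or key.startswith("category."):
            name = "root" if key == "rootCategory" else key[len("category."):]
            level, *targets = [s.strip() for s in value.split(",")]
            categories[name] = (level, [t for t in targets if t])
    return {"appenders": appenders, "categories": categories}


def expand_home(path: str) -> str:
    # log.cfg writes ${SPLUNK_HOME}, inputs.conf writes $SPLUNK_HOME; accept both
    return re.sub(r"\$\{?SPLUNK_HOME\}?", SPLUNK_HOME, path)


def monitored_dirs(inputs_conf: str) -> List[str]:
    """Paths of all [monitor://...] stanzas, with $SPLUNK_HOME expanded."""
    paths = re.findall(r"^\[monitor://([^\]]+)\]", inputs_conf, flags=re.MULTILINE)
    return [expand_home(p) for p in paths]


def audit(log_cfg: str, inputs_conf: str) -> List[Tuple[str, str, bool]]:
    """For each file-writing appender, report (name, path, covered_by_monitor)."""
    cfg = parse_log_cfg(log_cfg)
    dirs = [d.rstrip("/") for d in monitored_dirs(inputs_conf)]
    report = []
    for name, entry in cfg["appenders"].items():
        file_name = entry["props"].get("fileName")
        if file_name is None:
            continue  # a non-file appender (e.g. syslog) has no fileName
        path = expand_home(file_name)
        covered = any(path == d or path.startswith(d + "/") for d in dirs)
        report.append((name, path, covered))
    return report


def unreferenced_appenders(log_cfg: str) -> List[str]:
    """Appenders defined but attached to no category: they never receive events."""
    cfg = parse_log_cfg(log_cfg)
    used = {a for _, targets in cfg["categories"].values() for a in targets}
    return [n for n in cfg["appenders"] if n not in used]


if __name__ == "__main__":
    for name, path, covered in audit(SAMPLE_LOG_CFG, SAMPLE_INPUTS_CONF):
        print(f"{'OK ' if covered else 'GAP'} {name:<15} {path}")
    print("unreferenced appenders:", unreferenced_appenders(SAMPLE_LOG_CFG))
```

Run against a real `$SPLUNK_HOME/etc/log.cfg` and `inputs.conf`, a `GAP` line means an internal log is being written to disk but never picked up for the `_internal` index, which is exactly the blind spot a diskless or tmpfs deployment needs to avoid.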