Unable to send logs to local Splunk Enterprise using log4j2

Posted on 2025-01-18 20:34:06

I'm using log4j2 and Splunk within Java to send logs into my Splunk Enterprise HEC (HTTP Event Collector). Splunk Enterprise is running on my local machine.

I'm doing all log4j2 configuration programmatically. (I know this is not the correct way to do this, but I'm still doing this for learning purposes.)

I tried to send the logs into Splunk Enterprise directly from Postman with the same URL and token and it works fine, but when I tried to send the logs from Java using log4j2 I don't get anything in Splunk.

My code is =>

import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;
import org.apache.logging.log4j.core.layout.PatternLayout;
import com.splunk.logging.*;

public class Main {
    private static final Logger log;

    static {
        configureLog4J();
        log = LogManager.getLogger(Main.class);
    }

    public static void configureLog4J() {
        ConfigurationBuilder<BuiltConfiguration> builder =
                ConfigurationBuilderFactory.newConfigurationBuilder();

        // configure a splunk appender
        builder.add(
            builder.newAppender("splunkH", "SplunkHttp")
                .add(
                    builder.newLayout(PatternLayout.class.getSimpleName())
                        .addAttribute(
                            "pattern",
                            "%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"
                        )
                )
                .addAttribute("sourcetype", "log4j2")
                .addAttribute("index", "main")
                .addAttribute("url", "http://localhost:8088/services/collector") //I tried this url in postman and its working fine there
                .addAttribute("token", "xxx")
                .addAttribute("disableCertificateValidation", "true")
        );

        // configure the root logger
        builder.add(
            builder.newRootLogger(Level.INFO)
                .add(builder.newAppenderRef("splunkH"))
        );

        // apply the configuration
        Configurator.initialize(builder.build());

    }//end of configureLog4J

    public static void main(String ar[]) {
        log.log(Level.INFO, "Hello from log4j2");

        log.log(Level.ERROR, "Error from log4j2");

    }//end of main method
}//end of class

My POM file

<dependencies>
    <dependency>
        <groupId>com.splunk.logging</groupId>
        <artifactId>splunk-library-javalogging</artifactId>
        <version>1.11.4</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.11.2</version>
    </dependency>


    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>2.11.2</version>
    </dependency>
    <dependency>
        <groupId>com.splunk</groupId>
        <artifactId>splunk</artifactId>
        <version>1.6.5.0</version>
    </dependency>

</dependencies>

<repositories>
    <repository>
        <id>splunk-artifactory</id>
        <name>Splunk Releases</name>
        <url>https://splunk.jfrog.io/splunk/ext-releases-local</url>
    </repository>
</repositories>

I cannot see any logs in Splunk. Did I miss something?

Comments (1)

梦里泪两行 2025-01-25 20:34:06

Add .addAttribute("batch_size_count", "1") or make a loop producing 10 log messages, because that's the default value of batch_size_count. This has been explained in the Splunk docs, "Configure Log4j 2" section.

By the way, I reckon the services/collector endpoint should be used with JSON messages (e.g. .add(builder.newLayout("JSONLayout"))). Also, you are using a log4j2 version that has the Log4Shell (CVE-2021-44228) vulnerability. It has been fixed in 2.15.0, switch to anything between that and the newest version 2.17.2.

Finally, I share the sentiment of the answers to the question "How to configure log4j 2.x purely programmatically?" that log4j2 is troublesome to use when configured programmatically. I had issues with it in a cluster env and switching to file configuration solved all my problems.
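The Log4Shell point in the answer above can be checked mechanically. The following is an added example, not part of the original question or answer: it scans a POM for log4j-core entries below the 2.15.0 fix version the answer cites. The sample POM is constructed from the question's dependencies with a hypothetical `log4j.version` property added, the function names are illustrative, and only that single threshold is compared.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the question's log4j dependencies wrapped in a minimal
# <project>; the ${log4j.version} property indirection is added for illustration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.11.2</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.11.2</version>
    </dependency>
  </dependencies>
</project>"""

FIXED_IN = (2, 15, 0)  # fix version quoted in the answer for CVE-2021-44228

def version_tuple(text):
    """'2.11.2' -> (2, 11, 2); '2.15' -> (2, 15, 0); '-beta9' style qualifiers dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-", 1)[0])]
    return tuple((nums + [0, 0, 0])[:3])

def audit_pom(pom_xml, fixed_in=FIXED_IN):
    """Return [(artifactId, version)] for log4j-core entries below fixed_in."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]  # drop the Maven "{namespace}" prefix
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for dep in root.iter("dependency"):
        if dep.findtext("groupId", "").strip() != "org.apache.logging.log4j":
            continue
        if dep.findtext("artifactId", "").strip() != "log4j-core":
            continue  # the JNDI lookup code lives in log4j-core, not log4j-api
        raw = dep.findtext("version", "").strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), ""), raw)
        if not version:
            findings.append(("log4j-core", "unresolved"))  # version managed elsewhere
        elif version_tuple(version) < fixed_in:
            findings.append(("log4j-core", version))
    return findings
```

An "unresolved" finding means the version comes from a parent POM or dependencyManagement and has to be checked against the effective POM instead.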
