Log Aggregation
There are 2 main log aggregation solutions:
- Local: Send log to the local log server.
- Cloud: Send log to the cloud log server.
- On the left side, select "TCP / UDP".
- For choosing TCP or UDP, if you want to send the log by syslog traffic, use "UDP". You can also send the log by TCP traffic for better transmission reliability.
- Set the port number.
-
Source type
- Choose "Select".
- Select Source Type: Choosing "Application" -> "catalina".
-
App context
- By default, you can choose "Search and Reporting (search)".
- If you have created your own app, you can select the app you created.
-
Host
- Splunk can track the log sender by DNS (hostname) or IP (address).
-
Index
- Choose "Default".
If you set the type of the data input point as "UDP" in Splunk, you need to change the logback-spring.xml file under the resources directory like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appender name="SYSLOG" class="ch.qos.logback.classic.net.SyslogAppender">
<syslogHost>127.0.0.1</syslogHost> <!-- Splunk server is running in local -->
<facility>SYSLOG</facility>
<port>50000</port> <!-- Use the port number when you set up the UDP data input point -->
<suffixPattern> [%thread] %logger %msg</suffixPattern>
</appender>
<root level="INFO">
<appender-ref ref="SYSLOG" />
</root>
</configuration>(Need to add)
After you start the Spring application with the updated logback-spring.xml, you should see the log coming into the Splunk (with the app you chose).
