Friday, November 22, 2013

First foray into Splunk

As I continue my testing endeavors into our more recent enterprise offering here at work, I've had the opportunity to test our logging framework's newest support: Oracle 11g and Splunk.

Oracle is old hat. Splunk is a little more exciting.

We've been using Splunk a lot for logging and the associated analytics in our two older products, so it's nice to have support for it going forward for our newer access management offering.

For a Splunk newbie, I'd say it's pretty easy to install, and up to a certain log size it's free without having to buy a license, which is convenient for testing.

I was able to use Splunk on Mac OS X, read some basic docs, point it to some Splunk formatted log files and get it working within 3 hours.

We use blitz4j on top of log4j, and the setup in blitz4j didn't require a lot of time from the developer either.

Here's a snippet of the way we set it up inside our blitz4j config file:

### Logging for Splunk
# To include API audit logging for Splunk, uncomment the log4j.appender lines below
# and add the appender name to the audit logger,
# ex: "log4j.logger.apiaudit=INFO,apiaudit,SplunkApiAudit"
# log4j.appender.[your string here]=org.apache.log4j.DailyRollingFileAppender
# log4j.appender.[your string here].File=./logs/splunk.log
# log4j.appender.[your string here].Append=true
# log4j.appender.[your string here].DatePattern='.'yyyy-MM-dd'.log'
# log4j.appender.[your string here].layout=org.apache.log4j.PatternLayout
# log4j.appender.[your string here].layout.ConversionPattern=%d subject="%X{AUDIT.subject}" authMech="%X{AUDIT.authMech}" client="%X{AUDIT.client}" method="%X{AUDIT.method}" requestUri="%X{AUDIT.requestUri}" responseCode="%X{AUDIT.responseCode}" %n
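The ConversionPattern above writes one audit record per line: a log4j `%d` timestamp followed by `key="value"` pairs pulled from the MDC. Before the file is handed to Splunk it is worth being able to read those records yourself, both to confirm the appender is emitting what you expect and to run a quick check over them. The following is an added example, not code from the post or from the blitz4j/log4j projects: a small Python parser for that exact line shape, fed with constructed sample lines (the IP addresses, subjects and URIs are made up), plus one defender-side check that flags clients with repeated 401/403 responses. The stray stack-trace line in the sample is there to show that lines not starting with a timestamp are skipped rather than mis-parsed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in the shape the ConversionPattern produces.
# log4j's %d defaults to ISO8601: "yyyy-MM-dd HH:mm:ss,SSS".
SAMPLE_LINES = [
    '2013-11-22 10:15:32,101 subject="alice" authMech="basic" client="10.0.0.5" method="GET" requestUri="/api/v1/users" responseCode="200"',
    '2013-11-22 10:15:33,204 subject="" authMech="basic" client="10.0.0.9" method="POST" requestUri="/api/v1/token" responseCode="401"',
    '2013-11-22 10:15:33,310 subject="" authMech="basic" client="10.0.0.9" method="POST" requestUri="/api/v1/token" responseCode="401"',
    '\tat com.example.Hypothetical.handle(Hypothetical.java:42)',  # constructed non-audit line
    '2013-11-22 10:15:34,002 subject="" authMech="basic" client="10.0.0.9" method="POST" requestUri="/api/v1/token" responseCode="401"',
    '2013-11-22 10:15:35,777 subject="bob" authMech="oauth2" client="10.0.0.7" method="DELETE" requestUri="/api/v1/users/42" responseCode="403"',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"

# Leading %d timestamp, then the rest of the record.
TIMESTAMP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<rest>.*)$"
)
# key="value" pairs; the layout does not escape quotes inside values,
# so a value is taken up to the next double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into a dict, or return None if it is not an audit record.

    A line that does not begin with a log4j timestamp (e.g. a stack-trace
    continuation line sharing the file) is reported as None, not as a record.
    """
    m = TIMESTAMP_RE.match(line.rstrip("\n"))
    if not m:
        return None
    record: Dict[str, str] = {"timestamp": m.group("ts")}
    for key, value in KV_RE.findall(m.group("rest")):
        # Keep the first occurrence if a key somehow repeats on the line.
        record.setdefault(key, value)
    return record


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole file's worth of lines, silently dropping non-audit lines."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def count_unparsed(text: str) -> int:
    """How many non-blank lines were not audit records (useful as a sanity check)."""
    return sum(
        1 for line in text.splitlines()
        if line.strip() and parse_audit_line(line) is None
    )


def auth_failures_by_client(records: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Return clients with at least `threshold` 401/403 responses.

    This mirrors the kind of search you would later run in Splunk
    (e.g. counting responseCode=401 by client) without needing the server.
    """
    failures = Counter(
        r["client"] for r in records
        if r.get("responseCode") in ("401", "403") and r.get("client")
    )
    return {client: n for client, n in failures.items() if n >= threshold}


def responses_by_code(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Histogram of responseCode values, handy for eyeballing a fresh log file."""
    return dict(Counter(r.get("responseCode", "") for r in records))


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {count_unparsed(SAMPLE_LOG)} unparsed lines")
    print("by response code:", responses_by_code(recs))
    print("clients with repeated auth failures:", auth_failures_by_client(recs))
```

Two points about the format itself that this parser bakes in. First, because the audit appender may share a file (or, via the DailyRollingFileAppender, a date-suffixed file) with other output, anything that does not start with the `%d` timestamp is treated as noise rather than as a record. Second, `%X{...}` values are written verbatim by the layout, so a subject or URI containing a double quote would end the value early; if that matters for your data, escape those MDC values in the code that sets them rather than trusting the line format downstream.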