MessageLogging policy not showing results in Splunk

My messagelog policy is,

<MessageLogging name="Message-Logging-1">
    <DisplayName>Message Logging 1</DisplayName>
    <Syslog>
        <Message>Message.id = {request.queryparam.w}</Message>
        <Host>XXXX</Host>
        <Port>XXXX</Port>
    </Syslog>
</MessageLogging>

I am not able to see any logs in Splunk,

Is this issue connected with this one in some way for syslog configurations in MessageProcessor?

@RadhamaniRamadoss, is it OPDK / Cloud?

@Anil Sagar

I am using OPDK.

Hi @RadhamaniRamadoss

I have answered your other question regarding message logging. This one refers to Splunk.

As you may know, Splunk has a syslog TCP listener. It is described here. You must configure the listener appropriately in Splunk, before sending data via syslog. Have you done that?

Have you checked that the host and port you specified in the MessageLogging policy agree with the host and port for the Splunk syslog listener?

Finally, according to the documentation for the MessageLogging policy, the default outbound protocol used by Edge when sending syslog messages is UDP. But Splunk requires TCP. Therefore you must configure the MessageLogging policy to use TCP. The configuration must be something like this:

<MessageLogging name="Message-Logging-1">
  <DisplayName>Message Logging 1</DisplayName>
  <Syslog>
    <Message>Message.id = {request.queryparam.w}</Message>
    <Host>XXXX</Host>
    <Port>XXXX</Port>
    <Protocol>TCP</Protocol>
  </Syslog>
</MessageLogging>

Notice the addition of the Protocol element.

Please let me know if this helps you!

I tried adding the <Protocol> tag inside <Syslog>. But it's not letting me add it,

Error occurred while validation of bean MessageLogging-1.xml. Reason: - Schema validation failed. Cause : unexpected element (uri:"", local:"Protocol"). Expected elements are <{}Port>,<{}Message>,<{}Host>. Line number : 8. Column number : 19. File name : MessageLogging-1.xml..

I could see in the document that <Protocol> can be added for third-party configuration. But I am not sure why it's throwing me an error.

(My APIGEE OnPremise Edge version is 4.14.07.0.0)

@Dino

Could you let me know why I am unable to use the <Protocol> tag inside <Syslog>? It's throwing me a schema error.

I am not sure whether it is a version issue or some package has to be enabled.

@RadhamaniRamadoss are you using an on-prem version of Apigee?

@RK4 In addition to what @Dino mentioned, you can also take a tcpdump on the Message Processors to see if the requests are being fired to your Splunk servers. You need to mention the flag to include UDP messages as well in the tcpdump command.

Alternatively, you can also test using netcat to see if the Message Processors are able to send UDP messages to your Splunk.

netcat -luv <splunk_host> <udp_port>

The reason you are not able to add the <Protocol> tag is because we introduced supporting TCP with syslog only in a recent release of Onprem, I guess 1504. If you are on a release prior to that, then you would get the error that you are seeing.
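
The UDP-versus-TCP mismatch discussed in the replies above, as an added example that is not part of the original thread or of Apigee's or Splunk's code: a UDP syslog send reports success even when only a TCP listener (or nothing) is on the port, which is why the policy fails silently. The function names, the loopback listener standing in for the Splunk TCP input, and the sample message are assumptions made for this example.

```python
import socket
import threading

def send_syslog(host, port, message, protocol="UDP", timeout=2.0):
    """Send one test line; return True if the sender saw no error."""
    data = f"<14>{message}\n".encode()  # PRI 14 = user.info, sample value
    if protocol.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))  # fire-and-forget: no delivery feedback
        return True
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
        return True
    except OSError:
        return False  # refused or timed out: TCP reports a missing listener

def accept_one(srv, received):
    """Stand-in for a TCP-only syslog input: record what one connection sends."""
    srv.settimeout(3.0)
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(3.0)
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            received.append(data)
    except OSError:
        pass

def demo(message="Message.id = 42"):  # constructed sample of the policy's message
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # loopback, OS-assigned port
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []
    t = threading.Thread(target=accept_one, args=(srv, received))
    t.start()
    udp_ok = send_syslog("127.0.0.1", port, message, "UDP")  # policy default
    tcp_ok = send_syslog("127.0.0.1", port, message, "TCP")  # with <Protocol>TCP
    t.join()
    srv.close()
    tcp_closed = send_syslog("127.0.0.1", port, message, "TCP")  # listener gone
    return {"udp_ok": udp_ok, "tcp_ok": tcp_ok, "tcp_closed": tcp_closed, "received": received}

if __name__ == "__main__":
    print(demo())
```

Only the TCP send shows up in `received`; the UDP send returns success yet never reaches the listener.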