Solved: Log messages into Splunk over TCP

khanmohsin3011- · 02-10-2019 04:25 AM

Hello Team,

@Anil Sagar @ Google @sarthak @gbhandari @Dino @Harry Reynoso @Sai Saran Vaidyanathan @Gowdhaman Tamilarasan

Just to move forward with the logs we have to consider apigee log message using Splunk, below are my question that will help us to move forward with development.

1. What is MessageLoggingPolicy structure look like, if below one can we used then its fine, apart from this please let me know?

<MessageLogging name="LogToSyslog">
 <Syslog>
  <Message>[3f509b58 tag="{organization.name}.{apiproxy.name}.{environment.name}"] Wea		ther request for WOEID {request.queryparam.w}.</Message>
  <Host>logs-01.splunk.com</Host>
  <Port>514</Port>
  <Protocol>TCP</Protocol>
  <FormatMessage>true</FormatMessage>
 </Syslog>
 <logLevel>ALERT</logLevel>
</MessageLogging>

2. How to form message payload for MessageLogging, I found below two, which one can we use..?

A.

<Message>[3f509b58 tag="{organization.name}.{apiproxy.name}.{environment.name}"] Weather request for WOEID {request.queryparam.w}.</Message>

B.

<Message> Logging time = {system.time} | Timestamp = {system.timestamp} | Log Level = {logging.loglevel} | Environment = {environment.name} | API = {apiproxy.name} | ClientID = {client_id} | App = {developer.app.name} | Data = {logging.data}
		</Message>

3. Can we use a shared flow structure?

If no, please let us know the reason

4. Can we force to disable this log policy?
We required this to do on a temporary basis once in production then will remove this element/tag

cjking

> 1. What is MessageLoggingPolicy structure look like, if below one can we used then its fine, apart from this please let me know?

I don't see anything obvious wrong with this, but it's probably worth trying in a test environment before enabling it in prod 🙂

> 2. How to form message payload for MessageLogging, I found below two, which one can we use..?

The message is free-form text - from the Apigee point of view you can include whatever you'd like.

However, Splunk needs to be configured to expect messages to be formatted in specific way so that it can index the data. You should try and ensure that the message payload matches your splunk configuration.

> 3. Can we use a shared flow structure?

You can use MessageLogging inside shared flows, yes. Depending on which version/environment you're running you may not be able to use MessageLogging shared flows inside the Post-Client-Response flow though, which has performance impacts.

> 4. Can we force to disable this log policy?

Yes, simply add enabled="false" to your <MessageLogging> tag

View solution in original post

khanmohsin3011-

Dear Community could you please carify on above points.?

cjking