Splunk integration with APIGEE EDGE SAAS version

Hi Team

I have a query whether we can integrate ON-Prem SPLUNK to Cloud APIGEE Edge (SAAS).

Thanks

Pratyush


Yes, if you set things up correctly.

You'd need to expose a listener, some kind of listener for your Splunk instance. It can be a syslog listener or an HTTP Event Collector. I just tested this, using ngrok to expose my syslog server.

For the HEC you can use ServiceCallout instead of MessageLogging to send out log messages. And, ask for Apigee Support to allow ServiceCallout in the PostClientFlow.

Thanks @Dino-at-Google

I tried with ngrok. I have a few queries, please:

-- I installed Splunk on my local machine for a test scenario.

-- I installed ngrok on my local machine.

-- I am trying to register my logs from Apigee Edge to Splunk. For this I gave the below:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<MessageLogging name="tcp-logger" async="false" continueOnError="false" enabled="true">
  <DisplayName>Log to splunk over TCP</DisplayName>
  <Syslog>
    <FormatMessage>false</FormatMessage>
    <Message>Message = "Logging in SPLUNK"</Message>
    <Host>localhost</Host>
    <Port>8000</Port>
    <Protocol>TCP</Protocol>
  </Syslog>
</MessageLogging>

I want to understand what details I need to give in Host and Port. For the time being I tried with the hostname as localhost or 127.0.0.1 and the port as 8088 (Splunk) and sometimes 9997 (for TCP receiving).

But I want to understand whether I am giving the correct value or not in my Apigee. Because to send logs from Apigee to Splunk I have to connect to ngrok too. So I am lost a bit. So kindly suggest me accordingly.

Regards

Pratyush


@Pratyush Singh I've never worked with ngrok before, but reading through some dev guides, there should be a default ngrok random subdomain that'll forward your requests to your local instance of Splunk. This says it way better than I ever could: https://danielmiessler.com/study/ngrok/. If you get it integrated, I'm curious to know if syslog satisfies your needs; we are currently using HTTP Event Collector but log an awful lot (it was recommended HTTP be the interface to Splunk internally).

Pratyush - two things:

1st. I should have noted previously: I don't recommend ngrok for anything except proof-of-concept or development work. It's not suitable for carrying production logs, in my opinion. (the makers of ngrok may differ). In my view, ngrok is nothing more than a simulator of a proper segmented network with a firewall and a few exposed ports.

2nd. When you run ngrok, the ngrok program will tell you the domain that is available on the internet for your use. I ran this command:

ngrok tcp 5443

The output of that command shows me something like this:

Forwarding         tcp://0.tcp.ngrok.io:19891 -> localhost:5443

What that is telling me is... When a TCP connection is initiated to the ngrok service available on the internet at 0.tcp.ngrok.io:19891, that connection is tunneled to my localhost on port 5443.

So I need to:

  • keep ngrok running
  • configure the MessageLogging policy to use host = 0.tcp.ngrok.io and port = 19891.
  • make sure my local syslog listener is listening on port 5443.

Your ports will be different!
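To tie those three steps together, here is an added example (not configuration from the original thread) of the policy from the question rewritten for that ngrok output, together with its attachment in the ProxyEndpoint's PostClientFlow. Assumed: the file paths in the comments follow the standard Apigee Edge proxy bundle layout, and the flow variables in the message are standard Edge variables.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Policy file: apiproxy/policies/tcp-logger.xml
     Host/Port are the PUBLIC ngrok endpoint from the "Forwarding" line
     (tcp://0.tcp.ngrok.io:19891 -> localhost:5443), not the local Splunk
     address. They change every time ngrok is restarted. -->
<MessageLogging name="tcp-logger" async="false" continueOnError="true" enabled="true">
  <DisplayName>Log to Splunk over TCP via ngrok</DisplayName>
  <Syslog>
    <!-- true: Apigee prepends a syslog header (priority, timestamp, host) -->
    <FormatMessage>true</FormatMessage>
    <!-- Only metadata flow variables; no headers or bodies cross the tunnel -->
    <Message>proxy={apiproxy.name} msgid={messageid} client={client.ip} verb={request.verb} uri={request.uri} status={response.status.code}</Message>
    <!-- continueOnError="true": a logging failure must not fail the API call -->
    <Host>0.tcp.ngrok.io</Host>
    <Port>19891</Port>
    <Protocol>TCP</Protocol>
  </Syslog>
</MessageLogging>

<!-- ProxyEndpoint file: apiproxy/proxies/default.xml (excerpt).
     PostClientFlow runs after the response has been sent to the client,
     so the log write adds no latency to the API call. -->
<ProxyEndpoint name="default">
  <PostClientFlow name="PostClientFlow">
    <Response>
      <Step>
        <Name>tcp-logger</Name>
      </Step>
    </Response>
  </PostClientFlow>
</ProxyEndpoint>
```

Splunk itself still needs a TCP data input on the local port that ngrok forwards to (5443 here), which is separate from the 8088 HEC and 9997 forwarder ports mentioned earlier in the thread.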