Apigee Splunk Logs Problem

Hi,

I'm trying to push logs into Splunk via TCP Syslog. The flow is Apigee > NGINX > Splunk. Here's the policy configuration:

10130-messagelogging.jpg

Here's the configuration in nginx:

10131-nginx-splunk.jpg

The logs still don't appear in Splunk. Any ideas on why they don't appear in Splunk?

Regards,

Ryan

1 ACCEPTED SOLUTION

I don't have a good idea.

To diagnose, I would check these things

  1. network connectivity between the Apigee MP and nginx. I suppose you are using a "customer managed" (OPDK) version of Apigee. That means you manage the network and the firewalls. Can the MP actually connect to port 514 of the nginx server? You can try this with telnet from the MP VM.
  2. logging at nginx. Turn on access logging and check to see if you are seeing any transactions.
  3. The format of the message you are sending. The content of {splunkLogs}. I have seen misformatted messages be rejected by Splunk; nothing shows in the Splunk log.
  4. Your query in the Splunk UI. Make sure you are checking in the right place for the log messages.
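
Checks 1 and 3 above can be run from the MP VM with a short script that distinguishes a refused connection from a dropped one and sends one cleanly framed test event. This is an added example, not part of the original thread; the host name, app name and the RFC 5424 layout with newline framing are assumptions, so adjust them to what your nginx stream listener and Splunk input expect.

```python
import socket
import sys
from datetime import datetime, timezone


def build_syslog_line(app, msg, host="apigee-mp", facility=16, severity=6):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity  # local0.info -> 134
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    # With newline framing, an embedded CR/LF splits one event into two
    # fragments, and the second fragment has no syslog header at all.
    clean = msg.replace("\r", " ").replace("\n", " ")
    return f"<{pri}>1 {ts} {host} {app} - - - {clean}\n".encode("utf-8")


def probe(host, port, payload, timeout=5.0):
    """Connect over TCP and send the payload; report how the attempt ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
        return "sent"
    except ConnectionRefusedError:
        return "refused"  # host reachable, but nothing listens on that port
    except socket.timeout:
        return "timeout"  # packets silently dropped, typically a firewall
    except OSError as exc:
        return f"error: {exc}"  # DNS failure, no route, and similar


if __name__ == "__main__":
    # Placeholder target: pass the real nginx host and port as arguments.
    target = sys.argv[1] if len(sys.argv) > 1 else "nginx.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    line = build_syslog_line("apigee-test", "connectivity probe from MP")
    print(line.decode().rstrip())
    print(probe(target, port, line))
```

If the result is "sent" but nothing reaches Splunk, the gap is past the MP: look at the nginx stream log for the connection and then at the Splunk input and search, as in checks 2 and 4.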

Hi. Thanks for your time. Logs are actually enabled in nginx. If there are logs being sent from Apigee to NGINX, will they appear in the logs?

I am no nginx expert, but as far as I know, if you have stream logging enabled in nginx, then yes, you should see log entries in the nginx logs, resulting from the TCP syslog messages that Apigee sends to the nginx-managed port.

nginx logs will be available in the router's log directory. You can install the Splunk universal forwarder on the router and send the logs to the Splunk application.