In my previous post, we set up a Splunk Docker container, configured it to collect HTTP-posted events on its HEC, and pushed an example log event through Postman. However, for this to work, we had to disable the SSL Verification checks in Postman. Switching off such checks in code is rarely a good idea and should be avoided without exception in production code. Where you are simply testing a local dev/test setup, it’s better to revert to non-SSL calls rather than suppressing potentially important SSL errors.
To allow non-secure HTTP posts in Splunk, you need to go back into Global Settings for your HEC inputs (http://localhost:8000/en-GB/manager/search/http-eventcollector). Note that although the management interface for Splunk is served over plain HTTP, the HEC defaults to using SSL. Within the Global Settings, uncheck the Enable SSL option and click Save.
You should not need to restart Splunk to activate this option, so head back over to Postman and change your POST URL from https to http. To ensure all is working without SSL, it’s good practice to enable the SSL Verification check in your Postman Settings.
Now that we have plain HTTP working, let’s take a look at how to post to Splunk from code. We could set up a logging provider that posts our log events to Splunk ourselves, but an excellent Splunk HEC logging provider has been created by Chris Coleman and is available as a NuGet package.
    Install-Package ColeSoft.Extensions.Logging.Splunk -Version 1.0.72
You can then configure your code to use Splunk as your logging provider by adding the following to the ConfigureServices method in your Startup.cs:

    services.AddLogging(builder => builder.AddSplunk(options =>
    {
        // Plain http is only for the local dev/test HEC with Enable SSL unchecked.
        options.SplunkCollectorUrl = "http://localhost:8088/services/collector";
        // HEC token created for the input in Splunk.
        options.AuthenticationToken = "5ce548e4-526c-4d19-8663-702b3a418bb3";
    }));

Don’t forget to substitute in your own HEC token.
And that’s about it – anytime you use the logger, it will include a push to Splunk!
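
The same registration with the HEC token and collector URL read from configuration, plus a guard that only accepts plain http against a loopback address in the Development environment. This is an added example, not code from the original post or from the ColeSoft project. The configuration keys Splunk:CollectorUrl and Splunk:Token, the ValidateCollectorUrl helper and the package namespace in the using line are assumptions.

```csharp
using System;
using ColeSoft.Extensions.Logging.Splunk; // assumed namespace that declares AddSplunk
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public class Startup
{
    private readonly IConfiguration _config;
    private readonly IWebHostEnvironment _env;

    public Startup(IConfiguration config, IWebHostEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed keys: supply them from user secrets or environment variables, not source.
        var token = _config["Splunk:Token"];
        if (string.IsNullOrWhiteSpace(token))
            throw new InvalidOperationException("Splunk:Token is not configured.");

        var collector = ValidateCollectorUrl(_config["Splunk:CollectorUrl"], _env.IsDevelopment());

        services.AddLogging(builder => builder.AddSplunk(options =>
        {
            options.SplunkCollectorUrl = collector.AbsoluteUri;
            options.AuthenticationToken = token;
        }));
    }

    // Hypothetical helper: https is always accepted, plain http only for local development.
    internal static Uri ValidateCollectorUrl(string url, bool isDevelopment)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri))
            throw new InvalidOperationException("Splunk:CollectorUrl is missing or not an absolute URL.");

        if (uri.Scheme == Uri.UriSchemeHttps) return uri;
        // The HEC token travels in a request header, so cleartext must never leave the machine.
        if (uri.Scheme == Uri.UriSchemeHttp && isDevelopment && uri.IsLoopback) return uri;

        throw new InvalidOperationException("Plain http to the HEC is only allowed for a loopback URL in Development.");
    }
}
```

With this in place, a plain http collector URL fails at startup anywhere other than a local development run.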