
We've an application that uses Log4Net for logging. Now we've the problem that we want to change our logging destination to Splunk. I've found several links that describe the use of the standard Log4Net UdpAppender (e.g. this link). I also found some "special" Splunk logging libraries. At the moment I'm a little bit confused about which approach (Log4Net UdpAppender vs. Splunk logging libraries) is the best one.

Can somebody explain the pros and cons of the different solutions?

Thx

Moerwald
  • _"I'm not sure if this solution will work"_ - why don't you try it out? – stuartd Jan 17 '17 at 10:33
  • You'll need to define what "best" means to you and your project. With the UdpAppender, you'll have to accept this 3rd party code. With the Splunk logging libraries, you'll have to write your own integration into Log4Net. It's very subjective which one of those is "best" in the general case. – Peter Ritchie Jan 17 '17 at 14:32

1 Answer


Splunk best practices say that you should use a syslog server to capture the UDP traffic and log it. You should then install a Splunk Universal Forwarder on the syslog server and have it send to Splunk. The advantage of this is you will not have any gaps in traffic volumes. There are times when you have to restart Splunk for configurations to take effect; this will mean Splunk is down and cannot accept UDP messages. If you're in a non-prod environment, you can simply enable Splunk to listen on port 514 and send your UDP traffic to it. UdpAppender is not needed.

skoelpin
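The gap the answer describes can be reproduced locally. The following is an added example, not part of the original answer: a loopback UDP listener stands in for the Splunk UDP input, and the sender keeps transmitting syslog-style lines while the listener is closed. The function names, the `myapp` tag and the messages are constructed for illustration.

```python
import socket

HOST = "127.0.0.1"  # constructed: loopback listener stands in for the Splunk UDP input

def open_listener(port=0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, port))
    s.settimeout(0.3)
    return s

def drain(listener):
    """Read every datagram currently queued; return the seq numbers seen."""
    seqs = []
    try:
        while True:
            data, _ = listener.recvfrom(4096)
            seqs.append(int(data.decode().rsplit("seq=", 1)[1]))
    except socket.timeout:
        return seqs

def send_batch(sender, port, seqs):
    """Send syslog-style lines; return how many sends raised an error."""
    errors = 0
    for seq in seqs:
        # <134> = facility local0 (16) * 8 + severity informational (6)
        msg = f"<134>myapp: constructed event seq={seq}".encode()
        try:
            sender.sendto(msg, (HOST, port))
        except OSError:
            errors += 1
    return errors

def run_demo():
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener = open_listener()
    port = listener.getsockname()[1]
    errors = send_batch(sender, port, [1, 2, 3])
    received = drain(listener)
    listener.close()                               # receiver goes down for a "restart"
    errors += send_batch(sender, port, [4, 5, 6])  # nobody is listening
    listener = open_listener(port)                 # receiver is back
    errors += send_batch(sender, port, [7, 8, 9])
    received += drain(listener)
    listener.close()
    sender.close()
    return {"sent": 9, "received": received, "send_errors": errors}

if __name__ == "__main__":
    print(run_demo())
```

Events 4 to 6 never arrive and the sender sees no error, so the application cannot tell that part of its log stream is missing; a syslog server that stays up and writes to disk for the Universal Forwarder to read closes that window.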