使用 Logback SSLSocketAppender 时 Splunk 日志显示为十六进制
Splunk Log Displaying as Hex When Using Logback SSLSocketAppender
我正在尝试使用 Splunk 为我的应用程序收集日志。我在端口 6514 上设置了 TCP 数据输入(在此端口上启用了 SSL)。从我的 Java 应用程序,我能够连接到端口并发送日志。但是,当我在 Splunk 网站上查看这些日志时,它显示为十六进制格式。
登录配置
<configuration debug="true">
<appender name="console" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date{ISO8601} [%thread] [%cyan(%C.%M\(\))] [%highlight(%level)] : %msg - %ex{short} %n</pattern>
</encoder>
</appender>
<appender name="sslsocket" class="ch.qos.logback.classic.net.SSLSocketAppender">
<remoteHost>127.0.0.1</remoteHost>
<port>6514</port>
<queueSize>20</queueSize>
<reconnectionDelay>20</reconnectionDelay>
<ssl>
<trustStore>
<location>file:///path/to/truststore.jks</location>
<password>truststorepassword</password>
</trustStore>
</ssl>
</appender>
<logger name="splunk.secure.logger" additivity="false" level="INFO">
<appender-ref ref="sslsocket"/>
</logger>
<root level="DEBUG">
<appender-ref ref="console" />
</root>
</configuration>
用法
public class 初学者 {
private final static org.slf4j.Logger logger = LoggerFactory.getLogger("splunk.secure.logger");
public static void main(String[] args) {
logger.info("Testing SSL Socket Appender Log");
}
}
将调试输出记录回控制台
11:00:04,701 |-INFO in ch.qos.logback.core.joran.action.AppenderAction -
About to instantiate appender of type
[ch.qos.logback.classic.net.SSLSocketAppender]
11:00:04,720 |-INFO in ch.qos.logback.core.joran.action.AppenderAction -
Naming appender as [sslsocket]
11:00:04,763 |-INFO in
ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default type
[ch.qos.logback.core.net.ssl.SSLConfiguration] for [ssl] property
11:00:04,776 |-INFO in ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for
[trustStore] property
11:00:06,035 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - SSL protocol 'SSL' provider 'SunJSSE version 1.8'
11:00:06,045 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - trust store of type 'JKS' provider 'SUN version 1.8': file:///path/to/truststore.jks
11:00:06,046 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - trust manager algorithm 'PKIX' provider 'SunJSSE version 1.8'
11:00:06,063 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - secure random algorithm 'SHA1PRNG' provider 'SUN version 1.8'
11:00:06,556 |-INFO in ch.qos.logback.classic.joran.action.LoggerAction - Setting level of logger [splunk.secure.logger] to INFO
11:00:06,557 |-INFO in ch.qos.logback.classic.joran.action.LoggerAction - Setting additivity of logger [splunk.secure.logger] to false
11:00:06,564 |-INFO in ch.qos.logback.core.joran.action.AppenderRefAction -
Attaching appender named [sslsocket] to Logger[splunk.secure.logger]
SPLUNK WEB 接收什么
Time Event
3/2/19
9:48:45.000 上午
\xAC\xED\x00
host = 127.0.0.1 source = tcp:6514 sourcetype = logback
总结
从上面看来,在我看来这不是连接问题,因为 Splunk 正在侦听端口 6514 并且能够捕获输入但捕获的输入显示为 HEX 而不是正常情况。
当我使用正常 com.splunk.logging.TcpAppender 时,我的日志在 splunk 上正确显示。
- 是否还有其他我可能遗漏的配置
- 使用 com.splunk.logging.TcpAppender
时是否可以启用 SSL
- 是否有专用的 Splunk SSL appender 可以代替 ch.qos.logback.classic.net.SSLSocketAppender
- 欢迎任何其他建议。
为了解决这个问题,我不得不切换到 log4j。在 log4j 中使用以下配置,日志在 splunk web 上正确显示。
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="">
<Appenders>
<Socket name="ssl" host="localhost" port="6514">
<PatternLayout charset="UTF-8">
<pattern>%date{ISO8601} [%thread] [%C.%M\(\) - Line %L] [%level] : %msg %ex{short} %n</pattern>
</PatternLayout>
<JsonLayout properties="true"/>
<SSL>
<TrustStore location="/path/to/keystore.jks" password="password"/>
</SSL>
</Socket>
</Appenders>
<Loggers>
<Root level="INFO">
</Root>
<Logger name="splunk.secure.logger" level="info">
<AppenderRef ref="ssl"/>
</Logger>
</Loggers>
</Configuration>
我正在尝试使用 Splunk 为我的应用程序收集日志。我在端口 6514 上设置了 TCP 数据输入(在此端口上启用了 SSL)。从我的 Java 应用程序,我能够连接到端口并发送日志。但是,当我在 Splunk 网站上查看这些日志时,它显示为十六进制格式。
登录配置
<configuration debug="true">
<appender name="console" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date{ISO8601} [%thread] [%cyan(%C.%M\(\))] [%highlight(%level)] : %msg - %ex{short} %n</pattern>
</encoder>
</appender>
<appender name="sslsocket" class="ch.qos.logback.classic.net.SSLSocketAppender">
<remoteHost>127.0.0.1</remoteHost>
<port>6514</port>
<queueSize>20</queueSize>
<reconnectionDelay>20</reconnectionDelay>
<ssl>
<trustStore>
<location>file:///path/to/truststore.jks</location>
<password>truststorepassword</password>
</trustStore>
</ssl>
</appender>
<logger name="splunk.secure.logger" additivity="false" level="INFO">
<appender-ref ref="sslsocket"/>
</logger>
<root level="DEBUG">
<appender-ref ref="console" />
</root>
</configuration>
用法
public class 初学者 {
private final static org.slf4j.Logger logger = LoggerFactory.getLogger("splunk.secure.logger");
public static void main(String[] args) {
logger.info("Testing SSL Socket Appender Log");
}
}
将调试输出记录回控制台
11:00:04,701 |-INFO in ch.qos.logback.core.joran.action.AppenderAction -
About to instantiate appender of type
[ch.qos.logback.classic.net.SSLSocketAppender]
11:00:04,720 |-INFO in ch.qos.logback.core.joran.action.AppenderAction -
Naming appender as [sslsocket]
11:00:04,763 |-INFO in
ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default type
[ch.qos.logback.core.net.ssl.SSLConfiguration] for [ssl] property
11:00:04,776 |-INFO in ch.qos.logback.core.joran.action.NestedComplexPropertyIA - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for
[trustStore] property
11:00:06,035 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - SSL protocol 'SSL' provider 'SunJSSE version 1.8'
11:00:06,045 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - trust store of type 'JKS' provider 'SUN version 1.8': file:///path/to/truststore.jks
11:00:06,046 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - trust manager algorithm 'PKIX' provider 'SunJSSE version 1.8'
11:00:06,063 |-INFO in ch.qos.logback.classic.net.SSLSocketAppender[sslsocket] - secure random algorithm 'SHA1PRNG' provider 'SUN version 1.8'
11:00:06,556 |-INFO in ch.qos.logback.classic.joran.action.LoggerAction - Setting level of logger [splunk.secure.logger] to INFO
11:00:06,557 |-INFO in ch.qos.logback.classic.joran.action.LoggerAction - Setting additivity of logger [splunk.secure.logger] to false
11:00:06,564 |-INFO in ch.qos.logback.core.joran.action.AppenderRefAction -
Attaching appender named [sslsocket] to Logger[splunk.secure.logger]
SPLUNK WEB 接收什么
Time Event
3/2/19
9:48:45.000 上午
\xAC\xED\x00
host = 127.0.0.1 source = tcp:6514 sourcetype = logback
总结
从上面看来,在我看来这不是连接问题,因为 Splunk 正在侦听端口 6514 并且能够捕获输入但捕获的输入显示为 HEX 而不是正常情况。
当我使用正常 com.splunk.logging.TcpAppender 时,我的日志在 splunk 上正确显示。
- 是否还有其他我可能遗漏的配置
- 使用 com.splunk.logging.TcpAppender 时是否可以启用 SSL
- 是否有专用的 Splunk SSL appender 可以代替 ch.qos.logback.classic.net.SSLSocketAppender
- 欢迎任何其他建议。
为了解决这个问题,我不得不切换到 log4j。在 log4j 中使用以下配置,日志在 splunk web 上正确显示。
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="info" name="example" packages="">
<Appenders>
<Socket name="ssl" host="localhost" port="6514">
<PatternLayout charset="UTF-8">
<pattern>%date{ISO8601} [%thread] [%C.%M\(\) - Line %L] [%level] : %msg %ex{short} %n</pattern>
</PatternLayout>
<JsonLayout properties="true"/>
<SSL>
<TrustStore location="/path/to/keystore.jks" password="password"/>
</SSL>
</Socket>
</Appenders>
<Loggers>
<Root level="INFO">
</Root>
<Logger name="splunk.secure.logger" level="info">
<AppenderRef ref="ssl"/>
</Logger>
</Loggers>
</Configuration>