Posted to notifications@apisix.apache.org by "Revolyssup (via GitHub)" <gi...@apache.org> on 2023/05/10 20:39:18 UTC
[GitHub] [apisix] Revolyssup opened a new issue, #9458: bug: Wrong log format for splunk-hec-logging
Revolyssup opened a new issue, #9458:
URL: https://github.com/apache/apisix/issues/9458
### Current Behavior
splunk-hec-logging returns an error from the logging server while trying to POST the event. The error log is given below. It looks like the splunk server expects a json and not an array. [Here](https://github.com/apache/apisix/blob/e0a4cd7a48d09e2108127848e27bdad6e7c14f22/apisix/plugins/splunk-hec-logging.lua#L133) switching from `core.json.encode(entries)` to `core.json.encode(entries[1])` fixes the issue and produces the log given below
```
{"@timestamp":"2023-05-11T01:57:51+05:30","client_ip":"127.0.0.1","host":"revolyssup","route_id":"1","source_type":"splunk_hec","splunk_source":"apache-apisix-splunk-hec-logging","splunk_sourcetype":"_json","timestamp":"2023-05-10T20:27:51.805000066Z"}
```
### Expected Behavior
The logs should be POST'ed correctly by APISIX on logging server.
### Error Logs
```
Batch Processor[splunk-hec-logging] failed to process entries: failed to send splunk, Event field is required, context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:9080
```
### Steps to Reproduce
Run APISIX locally.
Follow the doc for configuring the logger - https://apisix.apache.org/docs/apisix/plugins/splunk-hec-logging/
Use the below vector configuration
```
[sources.log-from-splunk]
type = "splunk_hec"
address = "0.0.0.0:3000"
valid_tokens = [
"BD274822-96AA-4DA6-90EC-18940FB2414C"
]
```
### Environment
- APISIX version 3.3.0
- Operating system Linux 6.3.1-arch2-1
- OpenResty / Nginx version nginx version: openresty/1.21.4.1
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] jiangfucheng commented on issue #9458: bug: Wrong log format for splunk-hec-logging
Posted by "jiangfucheng (via GitHub)" <gi...@apache.org>.
jiangfucheng commented on issue #9458:
URL: https://github.com/apache/apisix/issues/9458#issuecomment-1545898989
@Revolyssup Hi, I have submitted a [PR](https://github.com/apache/apisix/pull/9478). As mentioned above, I just tested it using vector as the log server. So, I hope you can help me test whether this PR works correctly. Thanks.
It should be noted that Splunk seems to be able to receive a JSON array as the request body; otherwise, the previous tests should have failed. vector strictly adheres to the `Splunk Event Data` format specification, because [this test](https://github.com/apache/apisix/blob/4419d0d8eb3daf901a1cf6fd4d2f806e579dced9/t/plugin/splunk-hec-logging.t#L189) fails immediately before I fix this bug when I use vector as the log server. So if Splunk does not strictly adhere to the `Splunk Event Data` format specification, we also need to add another test case using vector as the log server.
[GitHub] [apisix] jiangfucheng commented on issue #9458: bug: Wrong log format for splunk-hec-logging
Posted by "jiangfucheng (via GitHub)" <gi...@apache.org>.
jiangfucheng commented on issue #9458:
URL: https://github.com/apache/apisix/issues/9458#issuecomment-1544252988
> The batch protocol for HTTP Event Collector involves event objects stacked one after the other, and not in a JSON array
ref: https://docs.splunk.com/Documentation/Splunk/latest/Data/FormateventsforHTTPEventCollector#Example_3:_Batched_data
I reproduced this bug when using vector as the log server. But I can't test this behavior using Splunk, since I only have an MBP with M1 arch, and it can't deploy a Splunk server.
Through the explanation in the Splunk documentation, maybe we can change this code to fix this issue:
```
-- Module-level dependencies this function relies on
local core = require("apisix.core")
local http = require("resty.http")
local table_insert = table.insert
local table_concat = table.concat

local function send_to_splunk(conf, entries)
    local request_headers = {}
    request_headers["Content-Type"] = "application/json"
    request_headers["Authorization"] = "Splunk " .. conf.endpoint.token
    if conf.endpoint.channel then
        request_headers["X-Splunk-Request-Channel"] = conf.endpoint.channel
    end

    local http_new = http.new()
    http_new:set_timeout(conf.endpoint.timeout * 1000)

    -- Encode each entry on its own and stack the objects one after the other,
    -- instead of encoding the whole batch as a single JSON array
    local t = {}
    for _, e in ipairs(entries) do
        table_insert(t, core.json.encode(e))
    end

    local res, err = http_new:request_uri(conf.endpoint.uri, {
        ssl_verify = conf.ssl_verify,
        method = "POST",
        body = table_concat(t),
        headers = request_headers,
    })

    if not res then
        return false, "failed to write log to splunk, " .. err
    end

    if res.status ~= 200 then
        -- Prefer the error text from the response body when it parses as JSON
        local body = core.json.decode(res.body)
        if not body then
            return false, "failed to send splunk, http status code: " .. res.status
        else
            return false, "failed to send splunk, " .. body.text
        end
    end

    return true
end
```
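The batch format difference discussed above, as an added example that is not part of the original thread or of APISIX's code. It models a receiver that strictly requires stacked event objects and shows how it treats an array body, a stacked body, and a body holding only the first entry; the function names, the sample entries and the receiver model are assumptions made for illustration, not vector's or Splunk's implementation.

```python
import json

# Constructed sample batch; the field names are assumptions modelled on the
# HEC event format and are not copied from APISIX output.
SAMPLE_ENTRIES = [
    {"time": 1683750471.805, "sourcetype": "_json",
     "event": {"route_id": "1", "client_ip": "127.0.0.1"}},
    {"time": 1683750472.101, "sourcetype": "_json",
     "event": {"route_id": "1", "client_ip": "127.0.0.1"}},
]

def encode_array(entries):
    """Whole batch as one JSON array (the body form reported as rejected)."""
    return json.dumps(entries)

def encode_stacked(entries):
    """Event objects stacked one after the other, with no enclosing array."""
    return "".join(json.dumps(e) for e in entries)

def parse_hec_body(body):
    """Strict receiver model: every top-level JSON value must be an object
    that carries an "event" key."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while True:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos == len(body):
            return events
        value, pos = decoder.raw_decode(body, pos)
        if not isinstance(value, dict) or "event" not in value:
            raise ValueError("Event field is required")
        events.append(value)

def accepted_count(body):
    """Events a strict receiver accepts from this body, or -1 if it rejects it."""
    try:
        return len(parse_hec_body(body))
    except ValueError:
        return -1

if __name__ == "__main__":
    print("array:", accepted_count(encode_array(SAMPLE_ENTRIES)))
    print("stacked:", accepted_count(encode_stacked(SAMPLE_ENTRIES)))
    print("first only:", accepted_count(json.dumps(SAMPLE_ENTRIES[0])))
```

A body that encodes only the first entry passes validation but carries one event of the batch, so a check on delivered event counts is what distinguishes it from the stacked form.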
[GitHub] [apisix] Revolyssup commented on issue #9458: bug: Wrong log format for splunk-hec-logging
Posted by "Revolyssup (via GitHub)" <gi...@apache.org>.
Revolyssup commented on issue #9458:
URL: https://github.com/apache/apisix/issues/9458#issuecomment-1549079511
> @Revolyssup Hi, I have submitted a [PR](https://github.com/apache/apisix/pull/9478). As mentioned above, I just tested it using vector as the log server. So, I hope you can help me test whether this PR works correctly and improve it. Thanks.
>
> It should be noted that Splunk seems to be able to receive a JSON array as the request body; otherwise, the previous tests should have failed. vector strictly adheres to the `Splunk Event Data` format specification, because [this test](https://github.com/apache/apisix/blob/4419d0d8eb3daf901a1cf6fd4d2f806e579dced9/t/plugin/splunk-hec-logging.t#L189) fails immediately before I fix this bug when I use vector as the log server. So if Splunk does not strictly adhere to the `Splunk Event Data` format specification, we also need to add another test case using vector as the log server.
You can change the assertions in the test from data[1] to data to pass the failing ci tests. The tests currently are partially mocked. The responses in assertions come from mocked server whereas the splunk events are posted on actual splunk server. Using vector will ideally make the whole test real. For now you can just change the assertions as mentioned above and this will fix the immediate issue.
[GitHub] [apisix] Revolyssup commented on issue #9458: bug: Wrong log format for splunk-hec-logging
Posted by "Revolyssup (via GitHub)" <gi...@apache.org>.
Revolyssup commented on issue #9458:
URL: https://github.com/apache/apisix/issues/9458#issuecomment-1544315218
> core.json.encode(e))
Yep, this looks good to me. Can you create a pull request with this change?
[GitHub] [apisix] monkeyDluffy6017 closed issue #9458: bug: Wrong log format for splunk-hec-logging
Posted by "monkeyDluffy6017 (via GitHub)" <gi...@apache.org>.
monkeyDluffy6017 closed issue #9458: bug: Wrong log format for splunk-hec-logging
URL: https://github.com/apache/apisix/issues/9458