
Serilog and Splunk 6.3 - The Event Collector Sink

Serilog gets HEC!

Recently I had the privilege of attending and speaking at Splunk .conf. During the keynote a major announcement was made relating to the way you can get data into Splunk. The new HTTP Event Collector announced in Splunk 6.3 allows for so many new ways of publishing data from IoT, Cloud, pretty much anything that understands HTTP.

So of course that means an update of the Serilog sink was required. This is a blessing, as it means that the current HTTP sink that utilises the management port can be made obsolete. That sink was problematic and a security nightmare on larger deployments.

So, now with version 1.6 of Serilog.Sinks.Splunk the HTTP event collector is supported.

This release attempts to cater for the basics of the event collector, with the understanding that more performance and other usability features will be added later.

It is super easy to get started. Once you have an HTTP Event Collector endpoint (normally in the format of https://mysplunk:8088/services/collector) and a valid token, configuring Serilog is done as follows.

var log = new LoggerConfiguration()
    .WriteTo.SplunkViaEventCollector("https://mysplunk:8088/services/collector", "token")
    .CreateLogger();

If you have configured Splunk appropriately, you can also override the source, source type, host and index.

var log = new LoggerConfiguration()
    .WriteTo.SplunkViaEventCollector("https://mysplunk:8088/services/collector",
        "token",                          // event collector token
        "my special source (not sauce)",  // source
        "my sauce type",                  // source type
        Environment.MachineName,          // host
        "my index")                       // index
    .CreateLogger();
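
An added example, not from the original post or the Serilog.Sinks.Splunk project: the same configuration with the endpoint and token read from environment variables instead of being hardcoded, and with non-HTTPS endpoints rejected because the token is sent with every request. The variable names SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN and the source, source type and index values are assumptions.

```csharp
using System;
using Serilog;

static class SplunkLogging
{
    // Assumed environment variable names; use whatever your secret store exposes.
    const string UrlVariable = "SPLUNK_HEC_URL";
    const string TokenVariable = "SPLUNK_HEC_TOKEN";

    public static ILogger Create()
    {
        var url = Environment.GetEnvironmentVariable(UrlVariable);
        var token = Environment.GetEnvironmentVariable(TokenVariable);

        // The token accompanies every request, so refuse anything but HTTPS.
        Uri endpoint;
        if (!Uri.TryCreate(url, UriKind.Absolute, out endpoint) ||
            endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException(UrlVariable + " must be an absolute https:// URL.");

        // Fail at startup rather than silently logging nowhere.
        if (string.IsNullOrWhiteSpace(token))
            throw new InvalidOperationException(TokenVariable + " is not set.");

        // Same positional arguments as the snippets above:
        // URL, token, source, source type, host, index.
        return new LoggerConfiguration()
            .WriteTo.SplunkViaEventCollector(
                endpoint.AbsoluteUri,
                token,
                "my-app",                 // constructed source
                "serilog",                // constructed source type
                Environment.MachineName,  // host
                "main")                   // constructed index
            .CreateLogger();
    }

    static void Main()
    {
        var log = Create();
        // Constructed sample event with structured properties.
        log.Information("User {UserName} logged in from {Address}", "alice", "192.0.2.10");
        (log as IDisposable)?.Dispose(); // dispose the logger and its sinks before exit
    }
}
```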

Version 1.6 is available on NuGet.

Get Amongst It!!
