NLogTarget.Splunk 1.0.6

A simple, lightweight, and extensible Splunk NLog target that facilitates delivery of log entries to Http Event Collector (HEC). Supports sending log entries in async and sync mode with gzip compression enabled.

There is a newer version of this package available.
See the version list below for details.
Install-Package NLogTarget.Splunk -Version 1.0.6
dotnet add package NLogTarget.Splunk --version 1.0.6
<PackageReference Include="NLogTarget.Splunk" Version="1.0.6" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add NLogTarget.Splunk --version 1.0.6
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

Tested with .NET Framework 4.7.2 and .NET Core 2.1 (in AWS .NET LAMBDA environment as well)

Supports sending log entries in async and sync mode with gzip compression enabled. In async mode, the entries are sent in batches.

Sample NLog.config

The required parameters are

  • endpoint - HEC URL, such as https://sample.org/services/collector/event
  • authToken - Authentication token
  • index - An index to which to send the event logs to
  • source - Identifies the source of the event logs

Optional parameters are

  • ignoreSSLErrors - False by default. If True, ssl errors are ignored when posting to the HEC endpoint
  • timeout - # of milliseconds to wait before aborting a POST to HEC endpoint. Default is 30000 (30 seconds).

Keep in mind that the timestamp must be sent along with the log entries. The library will set the timestamp to the current time (DateTime.UtcNow) so ensure that the time across your servers is synchronized.

<?xml version="1.0" encoding="utf-8" ?>
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd"
      autoReload="false"
      throwExceptions="false"
      internalLogLevel="Off" internalLogFile="C:\logs\nlog_internal.log">
  <extensions>
    <add assembly="NLogTarget.Splunk"/>
  </extensions>
  <targets async="true">
    <target xsi:type="Splunk" name="splunk" endpoint="https://sample.org/services/collector/event" authToken="***" index="sample_index" source="http:your_app">
      <layout xsi:type="JsonLayout" includeAllProperties="true">
        <attribute name="logger" layout="${logger}" />
        <attribute name="severity" layout="${level}" />
        <attribute name="callsite" layout="${callsite:includeSourcePath=false:className=false}" />
        <attribute name="message" layout="${message}" />
        <attribute name="error" layout="${exception:format=ToString}" />
      </layout>
    </target>
  </targets>
  <rules>
    <logger name="*" minlevel="Info" writeTo="Splunk" />
  </rules>
</nlog>

NLog_sample.config

Resolving AuthToken Programmatically

It is highly recommended that the AuthToken value is resolved from a secrets vault rather then NLog.config. To resolve the AuthToken programmatically:

  • Set the value of AuthToken to *resolve* in NLog.config
  • Add a handler to SplunkAuthTokenResolver.OnObtainAuthToken event early on in the program before any log entries are written. Target name from NLog.config will be passed in to the event handler. Keep in mind that _wrapped suffix will be added to the target name incase targets async is set to true in NLog.config
  • The handler must return the value of the auth token. It is guaranteed that the resolution will only happen once per program lifecycle. If the auth token cannot be resolved, no log entries will be written. Check the internal log for errors (see internalLogFile in NLog.config)

Sample AuthToken resolution code

class Program
{
	static readonly Logger logger = LogManager.GetCurrentClassLogger();

	static void Main(string[] args)
	{
		SplunkAuthTokenResolver.OnObtainAuthToken += SplunkAuthTokenResolver_OnObtainAuthToken;

		logger.Info("Testing 123");

		Console.Read();
	}

	static string SplunkAuthTokenResolver_OnObtainAuthToken(string targetName)
	{
		if(targetName == "splunk" || targetName == "splunk_wrapped")
		{
			// get auth token from secrets vault

			return "auth token value";
		}

		return null;
	}
}

- Enjoy Responsibly -

Tested with .NET Framework 4.7.2 and .NET Core 2.1 (in AWS .NET LAMBDA environment as well)

Supports sending log entries in async and sync mode with gzip compression enabled. In async mode, the entries are sent in batches.

Sample NLog.config

The required parameters are

  • endpoint - HEC URL, such as https://sample.org/services/collector/event
  • authToken - Authentication token
  • index - An index to which to send the event logs to
  • source - Identifies the source of the event logs

Optional parameters are

  • ignoreSSLErrors - False by default. If True, ssl errors are ignored when posting to the HEC endpoint
  • timeout - # of milliseconds to wait before aborting a POST to HEC endpoint. Default is 30000 (30 seconds).

Keep in mind that the timestamp must be sent along with the log entries. The library will set the timestamp to the current time (DateTime.UtcNow) so ensure that the time across your servers is synchronized.

<?xml version="1.0" encoding="utf-8" ?>
<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd"
      autoReload="false"
      throwExceptions="false"
      internalLogLevel="Off" internalLogFile="C:\logs\nlog_internal.log">
  <extensions>
    <add assembly="NLogTarget.Splunk"/>
  </extensions>
  <targets async="true">
    <target xsi:type="Splunk" name="splunk" endpoint="https://sample.org/services/collector/event" authToken="***" index="sample_index" source="http:your_app">
      <layout xsi:type="JsonLayout" includeAllProperties="true">
        <attribute name="logger" layout="${logger}" />
        <attribute name="severity" layout="${level}" />
        <attribute name="callsite" layout="${callsite:includeSourcePath=false:className=false}" />
        <attribute name="message" layout="${message}" />
        <attribute name="error" layout="${exception:format=ToString}" />
      </layout>
    </target>
  </targets>
  <rules>
    <logger name="*" minlevel="Info" writeTo="Splunk" />
  </rules>
</nlog>

NLog_sample.config

Resolving AuthToken Programmatically

It is highly recommended that the AuthToken value is resolved from a secrets vault rather then NLog.config. To resolve the AuthToken programmatically:

  • Set the value of AuthToken to *resolve* in NLog.config
  • Add a handler to SplunkAuthTokenResolver.OnObtainAuthToken event early on in the program before any log entries are written. Target name from NLog.config will be passed in to the event handler. Keep in mind that _wrapped suffix will be added to the target name incase targets async is set to true in NLog.config
  • The handler must return the value of the auth token. It is guaranteed that the resolution will only happen once per program lifecycle. If the auth token cannot be resolved, no log entries will be written. Check the internal log for errors (see internalLogFile in NLog.config)

Sample AuthToken resolution code

class Program
{
	static readonly Logger logger = LogManager.GetCurrentClassLogger();

	static void Main(string[] args)
	{
		SplunkAuthTokenResolver.OnObtainAuthToken += SplunkAuthTokenResolver_OnObtainAuthToken;

		logger.Info("Testing 123");

		Console.Read();
	}

	static string SplunkAuthTokenResolver_OnObtainAuthToken(string targetName)
	{
		if(targetName == "splunk" || targetName == "splunk_wrapped")
		{
			// get auth token from secrets vault

			return "auth token value";
		}

		return null;
	}
}

- Enjoy Responsibly -

Release Notes

v1.0.6 - Added icon url for better visibility in nuget.org
v1.0.5 - Added cleanup routine to dispose of the http client and the handler
v1.0.4 - Switched to HttpClient. Added SourceLink support and unit test project
v1.0.3 - Added lazy resolution of AuthToken
v1.0.2 - Added an ability to programmatically resolve the AuthToken
v1.0.1 - Initial release

This package is not used by any popular GitHub repositories.

Version History

Version Downloads Last updated
1.0.7 114 2/6/2019
1.0.6 130 11/25/2018
1.0.5 118 11/25/2018
1.0.4 108 11/25/2018
1.0.3 157 10/4/2018
1.0.2 140 10/3/2018
1.0.1 198 10/3/2018