Automation Suite - configuration - Splunk integration with multiple indexes

How to integrate Automation Suite with Splunk with multiple indexes?

Issue Description:

Splunk log monitoring collects and analyzes data from various sources such as applications, systems, and networks. Splunk uses forwarders to monitor and index files or directories as new data appears [1]. Splunk can also monitor Windows Event Log channels using the Splunk Add-on for Windows [2]. Splunk log monitoring helps users gain insight into the performance, security, and availability of their IT infrastructure.

Resolution: Use the following steps to integrate Automation Suite with Splunk.

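  1. Copy the following NLog configuration (JSON) to the server and save it as the file passed to `--nlog-config-file` in the next step. It defines several Splunk HTTP Event Collector (HEC) targets and routes robot logs to them by `tenantId`. Customize it to your needs before applying it:
     - Set `serverUrl`, `token` and `index` for each target. All three targets in the sample use the same `index` (`test_index_name`); for a multi-index setup each target needs its own index. Treat the `token` values shown as placeholders and use the HEC token issued for that index.
     - The sample `serverUrl` uses `http://`, which sends the HEC token and the log events unencrypted. Where HEC has TLS enabled, use `https://` and leave `ignoreSslErrors` at `"false"`.
     - Check the nesting. As printed, the `},` after the `Splunk` target closes `targets`, so `SplunkFintech` and `SplunkGenome` end up outside `targets` and `rules` ends up outside `NLog`. All three targets presumably belong inside `targets`, and `rules` inside `NLog`.
     - Each rule's `writeTo` must name a defined target. Rule `20_Robot_Primary` writes to `SplunkFinance`, but the targets defined are `Splunk`, `SplunkFintech` and `SplunkGenome`. With `throwConfigExceptions` set to `false`, such a mismatch may not raise an error, so confirm in Splunk that events from each tenant arrive in the expected index.
     - `"internalLogLevel": "Trace"` with `"internalLogToConsole": true` is useful while testing; lower the level once the integration works.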
{

  "NLog": {

   "autoReload": false,

   "throwConfigExceptions": false,

   "internalLogLevel": "Trace",

   "internalLogToConsole": true,

   "default-wrapper": {

    "type": "UiPrettyExceptionWrapper"

   },

   "extensions": [

    { "assemblyFile": "/var/orchestrator/plugins/nlog/NLog.Targets.Splunk.dll" },

    { "assembly": "UiPath.Orchestrator.Logs.DatabaseBulk.NLogTarget" }

   ],

   "targets": {

    "Splunk": {

     "type": "BufferingWrapper",

     "flushTimeout": 5000,

     "target": {

      "type": "SplunkHttpEventCollector",

      "serverUrl": "http://splunk.FQDN:8088",

      "token": "be49deed-1e7b-48b6-a0a4-293998519b03",

      "channel": "",

      "source": "${logger}",

      "sourceType": "_json",

      "index": "test_index_name",

      "retriesOnError": "0",

      "batchSizeBytes": "0",

      "batchSizeCount": "0",

      "includeEventProperties": "true",

      "includePositionalParameters": "true",

      "includeMdlc": "true",

      "maxConnectionsPerServer": "10",

      "ignoreSslErrors": "false",

      "useProxy": "false",

      "proxyUrl": "",

      "proxyUser": "",

      "proxyPassword": ""

     }

    }

   },

    "SplunkFintech": {

     "type": "BufferingWrapper",

     "flushTimeout": 5000,

     "target": {

      "type": "SplunkHttpEventCollector",

      "serverUrl": "http://splunk.FQDN:8088",

      "token": "xxxx-xxxx-xxxx-xxxx",

      "channel": "",

      "source": "${logger}",

      "sourceType": "_json",

      "index": "test_index_name",

      "retriesOnError": "0",

      "batchSizeBytes": "0",

      "batchSizeCount": "0",

      "includeEventProperties": "true",

      "includePositionalParameters": "true",

      "includeMdlc": "true",

      "maxConnectionsPerServer": "10",

      "ignoreSslErrors": "false",

      "useProxy": "false",

      "proxyUrl": "",

      "proxyUser": "",

      "proxyPassword": ""

     }

    },

      "SplunkGenome": {

     "type": "BufferingWrapper",

     "flushTimeout": 5000,

     "target": {

      "type": "SplunkHttpEventCollector",

      "serverUrl": "http://splunk.FQDN:8088",

      "token": "be49deed-1e7b-48b6-a0a4-293998519b03",

      "channel": "",

      "source": "${logger}",

      "sourceType": "_json",

      "index": "test_index_name",

      "retriesOnError": "0",

      "batchSizeBytes": "0",

      "batchSizeCount": "0",

      "includeEventProperties": "true",

      "includePositionalParameters": "true",

      "includeMdlc": "true",

      "maxConnectionsPerServer": "10",

      "ignoreSslErrors": "false",

      "useProxy": "false",

      "proxyUrl": "",

      "proxyUser": "",

      "proxyPassword": ""

     }

    }

   },

   "rules": {

      "20_Robot_Primary": {

                "logger": "Robot.*",

                "ruleName": "robotLogsFinance",

                "writeTo": "SplunkFinance",

                "minLevel": "Info",

                "maxLevel": "Fatal",

              "filter": {

         "when condition" : "equals('${event-properties:item=tenantId}','1')" },

                "final": false

    },

        "21_Robot_Primary": {

                "logger": "Robot.*",

                "ruleName": "robotLogsFintech",

                "writeTo": "SplunkFintech",

                "minLevel": "Info",

                "maxLevel": "Fatal",

                "filter": {

         "when condition" : "equals('${event-properties:item=tenantId}','2')" },

                "final": false

        },

    "22_Robot_Primary": {

                "logger": "Robot.*",

                "ruleName": "robotLogsFintech",

                "writeTo": "SplunkGenome",

                "minLevel": "Info",

                "maxLevel": "Fatal",

                "filter": {

         "when condition" : "equals('${event-properties:item=tenantId}','3')" },

                "final": true

    }

   }

  }



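  2. Run the following command, as described in "Automation Suite - Using the Orchestrator Configurator Tool" (uipath.com). The leading `#` is the shell prompt, not part of the command. The path given to `--nlog-config-file` must be the file saved in step 1; because that file contains HEC tokens, keep it readable only by the account that runs the tool.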
# ./orchestrator_configurator.sh --nlog-config-file /opt/UiPathAutomationSuite//installer/nlog.custom.json --nlog-extensions-folder /var/orchestrator/plugins/nlog/ -y