How to Set Logging Content for Tools like Splunk
In the "Settings" section of the API Server configuration in Policy Studio, there is an "audit log" tab. In the screenshot below, I'm setting the format of what gets put into the text logs. You can see that I've chosen it to be:
${timestamp},${id},'${text}'
What goes into ${text} can be seen if you look at any filter in a policy in Policy Studio and click "Next". This is where you configure what gets logged, and what gets logged is what goes into that ${text} value. In the example below, I have a filter which is logging the following upon the "Success" condition:
${authentication.subject.id} accessed the API
So now, when I look at the log file being written out, I see this:
# ProductName=apiserver1 7.0.0-2012-07-07 (Windows)
# CurrentDate=Tue, 11 Sep 2012 17:58:16 -0500
# CurrentDateUTC=1347400696
# TZ=Eastern Daylight Time
09.11.2012 22:59:11,884,Id-0599f187504fb42f112c0c5d,'JoeDeveloper accessed the API'
09.11.2012 22:59:11,916,Id-58e1fd41504fb42f06110000,'JaneDeveloper accessed the API'
09.11.2012 22:59:12,070,Id-ab634e7c504fb430152c0c5d,'JoeDeveloper accessed the API'
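Note that ${timestamp} carries its milliseconds after a comma, so a naive comma split of these lines yields four fields instead of three. The following Python parser is an added example, not code from the original article or from the API Server: the function names are hypothetical, the sample input is constructed from the log lines shown above, and the month.day.year reading of the timestamp is an assumption inferred from the header's CurrentDate.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the header and entries shown in the article's log output.
SAMPLE_LOG = """\
# ProductName=apiserver1 7.0.0-2012-07-07 (Windows)
# CurrentDate=Tue, 11 Sep 2012 17:58:16 -0500
# CurrentDateUTC=1347400696
# TZ=Eastern Daylight Time
09.11.2012 22:59:11,884,Id-0599f187504fb42f112c0c5d,'JoeDeveloper accessed the API'
09.11.2012 22:59:11,916,Id-58e1fd41504fb42f06110000,'JaneDeveloper accessed the API'
09.11.2012 22:59:12,070,Id-ab634e7c504fb430152c0c5d,'JoeDeveloper accessed the API'
"""

# ${timestamp} contains a comma before the milliseconds, so split(",") would
# shift every field. Anchor on the fixed shapes instead; the greedy (.*)
# keeps commas or quotes inside ${text} from breaking the record.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}),"
    r"(?P<id>[^,]+),'(?P<text>.*)'$"
)
# Matches the filter text configured in the article.
ACCESS_RE = re.compile(r"^(?P<subject>\S+) accessed the API$")

def parse_audit_log(raw):
    """Return (entries, rejected): parsed records and lines that did not fit."""
    entries, rejected = [], []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or file header
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)  # keep for review rather than dropping silently
            continue
        # Assumption: month.day.year, inferred from the header's CurrentDate.
        ts = datetime.strptime(m["ts"], "%m.%d.%Y %H:%M:%S,%f")
        access = ACCESS_RE.match(m["text"])
        entries.append({"timestamp": ts, "id": m["id"], "text": m["text"],
                        "subject": access["subject"] if access else None})
    return entries, rejected

def accesses_per_subject(entries):
    """Count API accesses per authenticated subject."""
    return Counter(e["subject"] for e in entries if e["subject"])

if __name__ == "__main__":
    parsed, bad = parse_audit_log(SAMPLE_LOG)
    print(accesses_per_subject(parsed), "rejected:", len(bad))
```

The same field boundaries apply when defining extractions in the log tool itself: treat the first two comma-separated tokens as the timestamp, not as separate fields.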
While we're looking at the logging settings, let's look at the database logging. You can see in the screenshot below that I'm logging to the database:

The same content, ${authentication.subject.id} accessed the API, gets logged to the database. This can then be found in the Analytics of the API Server, in the Audit Trail. In the screenshot below, you can see the view of the Audit Trail, showing the entries. This is the same information as is written into the text log. In fact, if I also choose to write to Syslog (let's say), then the same information is written there too.

Clicking on any of these entries, I can see the message ID and the filter which wrote that log text. If many filters in my policy wrote out log data for the same message, then this is where I see the path through the policy, filter by filter.

I can also search the Audit Log here. Let's say I am only interested in the API accesses by "Joe Developer". Here in the screenshot below I construct a search looking for lines which contain "Joe":
Published at DZone with permission of Mark O'Neill, DZone MVB. See the original article here.