Splunk
A Splunk handler sends messages to a Splunk service.
To enable the Splunk handler, see "Configure a Custom Access Log". The JSON configuration file for the Splunk handler has the following format:
{
  "class": "org.forgerock.audit.handlers.splunk.SplunkAuditEventHandler",
  "config": {
    "name": string,                 // Handler name, such as "splunk".
    "enabled": boolean,             // Is the handler enabled?
    "topics": array,                // LDAP: "ldap-access"; HTTP: "http-access".
    "authzToken": string,           // Splunk authorization token for HTTP requests.
    "buffering": {                  // Required message buffering configuration.
      "maxBatchedEvents": number,   // Maximum messages in prepared statement.
      "maxSize": number,            // Maximum number of buffered messages.
      "writeInterval": duration     // Duration as described below.
    },
    "connection": {                 // (Optional) Default: Use default settings.
      "host": string,               // Splunk hostname. Default: "localhost".
      "port": number,               // Splunk port number. Default: "8088".
      "useSSL": boolean             // Use secure connection to Splunk? Default: false.
    }
  }
}
For a sample configuration, see opendj/config/audit-handlers/splunk-config.json-example.
The writeInterval takes a duration, which is a lapse of time expressed in English, such as 23 hours 59 minutes and 59 seconds. Durations are not case sensitive. Negative durations are not supported. Durations use these units:
indefinite, infinity, undefined, unlimited: unlimited duration
zero, disabled: zero-length duration
days, day, d: days
hours, hour, h: hours
minutes, minute, min, m: minutes
seconds, second, sec, s: seconds
milliseconds, millisecond, millisec, millis, milli, ms: milliseconds
microseconds, microsecond, microsec, micros, micro, us: microseconds
nanoseconds, nanosecond, nanosec, nanos, nano, ns: nanoseconds
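The following added example (not part of the product or its documentation) parses the duration grammar above and runs a small pre-deployment check over a Splunk handler object shaped like the template: it flags an empty authzToken, a remote host reached with useSSL false (the token and audit events would then be sent over plain HTTP), and an unparseable writeInterval. The check_splunk_handler function, the host allow-list and the SAMPLE object are this example's own assumptions.

```python
import math
import re

# Unit aliases from the duration grammar above (matched case-insensitively).
UNIT_SECONDS = {
    **dict.fromkeys(["days", "day", "d"], 86400),
    **dict.fromkeys(["hours", "hour", "h"], 3600),
    **dict.fromkeys(["minutes", "minute", "min", "m"], 60),
    **dict.fromkeys(["seconds", "second", "sec", "s"], 1),
    **dict.fromkeys(["milliseconds", "millisecond", "millisec", "millis", "milli", "ms"], 1e-3),
    **dict.fromkeys(["microseconds", "microsecond", "microsec", "micros", "micro", "us"], 1e-6),
    **dict.fromkeys(["nanoseconds", "nanosecond", "nanosec", "nanos", "nano", "ns"], 1e-9),
}
UNLIMITED, ZERO = {"indefinite", "infinity", "undefined", "unlimited"}, {"zero", "disabled"}
# One <number><unit> pair; unsigned on purpose, so a leading "-" is left over and rejected.
COMPONENT = re.compile(r"(\d+)\s*(" + "|".join(sorted(UNIT_SECONDS, key=len, reverse=True)) + r")(?![a-z])")

def parse_duration(text):
    """Return the duration in seconds (math.inf for unlimited) or raise ValueError."""
    s = text.strip().lower()
    if s in UNLIMITED:
        return math.inf
    if s in ZERO:
        return 0.0
    cleaned = re.sub(r"\band\b|,", " ", s)  # e.g. "23 hours 59 minutes and 59 seconds"
    if COMPONENT.sub("", cleaned).strip():  # anything left over is not a known number/unit pair
        raise ValueError(f"unparseable duration: {text!r}")
    total = 0.0
    for value, unit in COMPONENT.findall(cleaned):
        total += int(value) * UNIT_SECONDS[unit]
    return total

def check_splunk_handler(handler):
    """Return a list of findings for one Splunk handler object (checks are this example's own)."""
    findings = []
    cfg, conn = handler.get("config", {}), handler.get("config", {}).get("connection", {})
    host = conn.get("host", "localhost")  # documented default
    if not conn.get("useSSL", False) and host not in ("localhost", "127.0.0.1"):
        findings.append(f"useSSL is false: authzToken and audit events go to {host} in cleartext")
    if not cfg.get("authzToken"):
        findings.append("authzToken is missing or empty")
    try:
        parse_duration(str(cfg.get("buffering", {}).get("writeInterval", "")))
    except ValueError as exc:
        findings.append(f"invalid buffering.writeInterval: {exc}")
    return findings

SAMPLE = {  # constructed sample mirroring the template above; the token value is a placeholder
    "class": "org.forgerock.audit.handlers.splunk.SplunkAuditEventHandler", "config": {
    "name": "splunk", "enabled": True, "topics": ["ldap-access"], "authzToken": "<placeholder>",
    "buffering": {"maxBatchedEvents": 500, "maxSize": 10000, "writeInterval": "100 ms"},
    "connection": {"host": "splunk.example.com", "port": 8088, "useSSL": False}}}
```

Running check_splunk_handler(SAMPLE) reports only the cleartext connection; setting useSSL to true clears it.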