Spent quite a while debugging this and identified some issues:
- The whole application fails silently if the port is wrong
- This happens even with debug mode enabled:
I think this is because the try-catch block here triggers:
```python
try:
    self.write_debug_log("Sending payload: " + payload)
    r = self.session.post(
        self.url,
        data=payload,
        headers={'Authorization': "Splunk %s" % self.token},
        verify=self.verify,
        timeout=self.timeout
    )
    r.raise_for_status()  # Throws exception for 4xx/5xx status
    self.write_debug_log("Payload sent successfully")

except Exception as e:
    try:
        self.write_log("Exception in Splunk logging handler: %s" % str(e))
        self.write_log(traceback.format_exc())
    except Exception:
        self.write_debug_log("Exception encountered," +
                             "but traceback could not be formatted")
```
But for some reason the except never fires - I can't get anything to run in that except block, and even adding another except or a finally block doesn't seem to run. This one is a bit beyond me, but I wonder if the requests/sessions module is somehow sending a terminate signal instead of an exception of some kind.
This is with the following versions:
```
python --version
Python 3.10.6
pip list | grep splunk
splunk-handler 3.0.0
```
This all came about because I didn't realise that Splunk Cloud has a different default port for the HEC (443) compared to Splunk Cloud Free and Splunk Enterprise (which use 8088).
I ended up making a minimum viable program to test/debug this:
```python
# main.py
from modules.constants import *
from modules.logging import *

def main():
    logger.info(f"Starting application.")

if __name__ == '__main__':
    main()
```

```python
# logging.py
import logging
from modules.constants import *
from splunk_handler import SplunkHandler

DEFAULT_LOGGING_FORMAT = '%(levelname)s: %(message)s'

logger = logging.getLogger("MyProgram")
logger.setLevel(logging.DEBUG)

# Outputs logs to Splunk
splunk = SplunkHandler(
    host = SPLUNK_URL,
    port = '8088',
    token = SPLUNK_HEC_TOKEN,
    index = SPLUNK_DEV_INDEX,
    debug = True,
    # url = SPLUNK_HEC_URL
)

# logger.addHandler(handler)
logger.addHandler(splunk)
```
Side note: debugging this was made extra difficult because for some reason VS Code was refusing to honour break points set throughout most of the splunk_handler/__init__.py module, even with "justMyCode": false, set. E.g. for some reason I could set a breakpoint on line 109 and it would work fine, but break points set anywhere inside the _splunk_worker function were ignored. Again, this is beyond me a bit.
The snippet quoted above is from splunk_handler/splunk_handler/__init__.py, lines 259 to 277 in 28d64d0.
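Added example, not part of the issue above or of splunk_handler: a startup preflight that turns the wrong-port case (8088 versus 443) into a loud failure before any handler is attached, so events are not dropped unnoticed. The names `probe_hec` and `require_hec` are hypothetical, and the check assumes the HEC health endpoint `/services/collector/health` answers without a token on the target deployment.

```python
import http.client

# Health endpoint exposed by the HTTP Event Collector (assumed to be
# reachable without a token on the target deployment).
HEALTH_PATH = "/services/collector/health"


def probe_hec(host, port, scheme="https", timeout=3.0):
    """Return (ok, detail) for the HEC listener at host:port."""
    conn_cls = (http.client.HTTPSConnection if scheme == "https"
                else http.client.HTTPConnection)
    # int() accepts the string form used in the issue (port='8088').
    conn = conn_cls(host, int(port), timeout=timeout)
    try:
        conn.request("GET", HEALTH_PATH)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        # A wrong port surfaces here: refused, timed out, or TLS failure.
        return False, f"cannot reach {scheme}://{host}:{port}: {exc!r}"
    finally:
        conn.close()
    if status != 200:
        return False, f"{HEALTH_PATH} on port {port} returned HTTP {status}"
    return True, f"HEC healthy on {host}:{port}"


def require_hec(host, port, **kwargs):
    """Raise at startup instead of losing log events silently."""
    ok, detail = probe_hec(host, port, **kwargs)
    if not ok:
        raise RuntimeError(f"Splunk HEC preflight failed: {detail}")
    return detail


if __name__ == "__main__":
    # Constructed sample target: a closed local port stands in for a
    # wrong HEC port.
    print(probe_hec("127.0.0.1", "9", scheme="http", timeout=1.0))
```

Calling `require_hec(SPLUNK_URL, '443')` before `logger.addHandler(splunk)` makes a misconfigured port stop the program at startup with the reason in the exception message.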