Linux – Forward linux logs to fluentd on linux

fluentdlinuxrsyslogubuntu-12.04

On one VM I have this in /etc/rsyslog.d/50-default.conf

*.* @192.168.29.1:42185

#  Default rules for rsyslog.

On the vm with fluentd I have this:

I have this in /etc/td-agent/td-agent.conf

<source>
  type syslog
  port 42185
  tag  rsyslog
</source>

<match rsyslog.**>
  type copy
  <store>
    # for debug (see /var/log/td-agent.log)
    type stdout
  </store>
  <store>
    type elasticsearch
    logstash_format true
    flush_interval 10s # for testing.
  </store>
</match>

But nothing seems to be getting sent to the remote machine, as I look in /var/log/td-agent.log and I see

2014-08-08 10:51:10 -0700 [info]: adding source type="syslog"
2014-08-08 10:51:10 -0700 [info]: adding source type="forward"
2014-08-08 10:51:10 -0700 [info]: adding source type="http"
2014-08-08 10:51:10 -0700 [info]: adding source type="debug_agent"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="td.*.*" type="tdlog"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="debug.**" type="stdout"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="rsyslog.**" type="copy"
2014-08-08 10:51:10 -0700 [info]: listening fluent socket on 0.0.0.0:24224
2014-08-08 10:51:10 -0700 [info]: listening dRuby uri="druby://127.0.0.1:24230" object="Engine"
2

I don't know why the logs aren't being sent, and I don't see how to tell if there is something going wrong with rsyslog and it just isn't sending the files.

Best Answer

If I'm not mistaken, rsyslog forwards logs over TCP (in the config file, this is listed as "for reliability"), but fluentD's listener defaults to listening on UDP. This change to your fluentD config should allow you to receive the logs on TCP:

<source>
  type syslog
  port 42185
  protocol_type tcp
  tag  rsyslog
</source>

I would check with TCP dump whether the traffic is being received on the agent, if you're still not receiving logs after making this change:

tcpdump -i any port 42185

This should also indicate whether TCP or UDP is being received (only specifying port, and not tcp or udp as well)

EDIT: in addition to this, make sure your rsyslog config is correct: all examples I've seen and used, have a double @@ in the forward rule:

*.* @@192.168.29.1:42185

http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html

Related Solutions

Linux – What log contains server crashes

Sadly, probably none of them. When there's a kernel panic, there's no logging subsystem left to write logs to, and no file handles to handle them.

The only possible thing would be to redirect console to /dev/ttyS0 and set up another server to log the output from there.

That way, when the kernel panics (if that's what's happening), you'll be able to tail the log from the monitoring server, across the serial port.

Linux – Installing fluentd / Kibana / Elastic Search on Suse Enterprise Linux 11

Ok, here is a procedure I used to install fluentd (from source) starting from a minimal SLES 11 SP3 install in a VirtualBox VM. It is based on this guide.

(1) download SLE-11-SP3-SDK-DVD-x86_64-GM-DVD1.iso (Product: SUSE Linux Enterprise Software Development Kit 11 SP3) from Novell and install using these instructions

$ yast
select Software -> Add-On Products
mount and select DVD1 of the SDK you downloaded from above
install with defaults

Note: this adds SDK repositories, which allow instillation of git, openssl-devel, etc., witch are required to build from source

(2) install build environment (compilers, make, etc.)

$ install -t pattern Basis-Devel

(3) install dependencies

$ zypper install git-core
$ zypper install openssl-devel

(4) download and build ruby from source (the version in the Novell repos is not suitable for fluentd)

$ mkdir -p /opt/install
$ cd /opt/install
$ curl http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p247.tar.gz > ruby-2.0.0-p247.tar.gz
$ tar -xvf ruby-2.0.0-p247.tar.gz
$ cd ruby-2.0.0-p247
$ ./configure
$ ./make install

(5) build and install fluentd

$ cd /opt
$ git clone https://github.com/fluent/fluentd.git
$ cd fluentd/
$ gem install bundler
$ rake build
$ gem install pkg/fluentd-0.10.39.gem
$ fluentd --setup ./fluent
$ fluentd -c ./fluent/fluent.conf -vv &

(6) test fluentd

# test
$ echo '{"json":"message"}' | fluent-cat debug.test

(7) create start-up scripts using Novell's template or a number of other SUSE/ruby init scripts you can find on the Web.

Try running this on your test VM first, but it should work as I've just done it and it worked for me without errors.

-- ab1

Best Answer

Related Solutions

Linux – What log contains server crashes

Linux – Installing fluentd / Kibana / Elastic Search on Suse Enterprise Linux 11

Related Topic