On one VM I have this in /etc/rsyslog.d/50-default.conf
*.* @192.168.29.1:42185
# Default rules for rsyslog.
On the VM with fluentd I have this:
I have this in /etc/td-agent/td-agent.conf
<source>
type syslog
port 42185
tag rsyslog
</source>
<match rsyslog.**>
type copy
<store>
# for debug (see /var/log/td-agent.log)
type stdout
</store>
<store>
type elasticsearch
logstash_format true
flush_interval 10s # for testing.
</store>
</match>
But nothing seems to be getting sent to the remote machine, as I look in /var/log/td-agent.log and I see
2014-08-08 10:51:10 -0700 [info]: adding source type="syslog"
2014-08-08 10:51:10 -0700 [info]: adding source type="forward"
2014-08-08 10:51:10 -0700 [info]: adding source type="http"
2014-08-08 10:51:10 -0700 [info]: adding source type="debug_agent"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="td.*.*" type="tdlog"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="debug.**" type="stdout"
2014-08-08 10:51:10 -0700 [info]: adding match pattern="rsyslog.**" type="copy"
2014-08-08 10:51:10 -0700 [info]: listening fluent socket on 0.0.0.0:24224
2014-08-08 10:51:10 -0700 [info]: listening dRuby uri="druby://127.0.0.1:24230" object="Engine"
I don't know why the logs aren't being sent, and I don't see how to tell if there is something going wrong with rsyslog and it just isn't sending the files.
Best Answer
If I'm not mistaken, rsyslog forwards logs over TCP (in the config file, this is listed as "for reliability"), but fluentD's listener defaults to listening on UDP. This change to your fluentD config should allow you to receive the logs on TCP:
I would check with tcpdump whether the traffic is being received on the agent, if you're still not receiving logs after making this change:
This should also indicate whether TCP or UDP is being received (only specifying port, and not tcp or udp as well).
EDIT: in addition to this, make sure your rsyslog config is correct: all examples I've seen and used have a double @@ in the forward rule: http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html
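As an added example (not part of the original question or answer), this sketch reads the two configurations and reports whether each rsyslog forwarding rule has a Fluentd syslog listener on the same port and transport. It assumes rsyslog's legacy syntax (a single @ forwards over UDP, @@ over TCP, default port 514) and in_syslog's protocol_type option with defaults of UDP and port 5140; the function names are hypothetical.

```python
import re

# rsyslog legacy forwarding action: "<selector> @host[:port]" is UDP, "@@host[:port]" is TCP.
FORWARD_RE = re.compile(r"^\s*(?P<sel>[^#\s]\S*)\s+(?P<at>@@?)(?P<host>[^\s:@]+)(?::(?P<port>\d+))?\s*$")

def rsyslog_forwards(text):
    """Return (selector, transport, host, port) for each forwarding rule."""
    rules = []
    for line in text.splitlines():
        m = FORWARD_RE.match(line)
        if m:
            transport = "tcp" if m["at"] == "@@" else "udp"
            rules.append((m["sel"], transport, m["host"], int(m["port"] or 514)))
    return rules

def fluentd_syslog_sources(text):
    """Return (transport, port) for each <source> block whose type is syslog."""
    sources, block = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line == "<source>":
            block = {}
        elif line == "</source>" and block is not None:
            if block.get("type", block.get("@type")) == "syslog":
                # Assumed in_syslog defaults: UDP on port 5140.
                sources.append((block.get("protocol_type", "udp"), int(block.get("port", 5140))))
            block = None
        elif block is not None and line:
            key, *rest = line.split(None, 1)
            block[key] = rest[0] if rest else ""
    return sources

def check(rsyslog_text, fluentd_text):
    """Pair each forwarding rule with 'ok', 'transport mismatch' or 'no listener on port'."""
    sources = fluentd_syslog_sources(fluentd_text)
    results = []
    for sel, transport, host, port in rsyslog_forwards(rsyslog_text):
        on_port = [t for t, p in sources if p == port]
        verdict = ("no listener on port" if not on_port
                   else "ok" if transport in on_port else "transport mismatch")
        results.append((f"{sel} -> {transport}://{host}:{port}", verdict))
    return results

# Forwarding rule and <source> block from the question; the "@@" variant is constructed.
RSYSLOG_CONF = "*.* @192.168.29.1:42185\n# Default rules for rsyslog.\n"
RSYSLOG_TCP = "*.* @@192.168.29.1:42185\n"
TD_AGENT_CONF = "<source>\ntype syslog\nport 42185\ntag rsyslog\n</source>\n"
if __name__ == "__main__":
    print(check(RSYSLOG_CONF, TD_AGENT_CONF), check(RSYSLOG_TCP, TD_AGENT_CONF))
```

A matching transport and port only rules out a configuration mismatch; a packet capture on the receiver still confirms whether the messages arrive.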