Syslog sink #133
Syslog sink #133
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: syedriko The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| pub enum Encoding { | ||
| Text, | ||
| Json, | ||
| Syslog(SyslogConf), | ||
| } |
There was a problem hiding this comment.
extending the enum and adding a new encoding scheme will perhaps break any code which does a match on this enum.
This enum is used in papertrail sink and it does a match on the enum, perhaps this sink should be changed to handle the new encoding type.
This will also force any new sink to consider syslog encoding, is this desired?
There was a problem hiding this comment.
@vimalk78 do you mean 'consider' or 'require'. Does this enum represent the encodings which a sink "may" support or "must" support?
There was a problem hiding this comment.
since it is a part of enum, and if a match is done on the enum the enum MUST be matched on all variants.
There was a problem hiding this comment.
The compiler would've flagged a mismatch between an enum and a non-exhaustive match but it didn't because we don't compile the papertrail sink.
But please consider the larger context. This PR will not become an upstream submission. In the current version of the upstream encodings are handled differently (https://github.com/vectordotdev/vector/tree/master/lib/codecs/src/encoding/format) and the syslog code would live there.
There was a problem hiding this comment.
if this implementation is specifically for us, just to be safe, we should put a feature flag to isolate these changes
#[cfg(feature = "sinks-syslog-rh")]
There was a problem hiding this comment.
in more recent releases, (e.g. master which now is 0.27) , this enum does not exist. What is there is more sophisticated way of specifying EncodingWithFraming , and encoding can be chosen from a much larger set of serializers in SerilizerConfig
One of these is LogFmt , and this code seems to be suggesting that LogFmt can be used as serializer for syslog. So perhaps in future releases, we can reuse what already exists to realize a SyslogEncoder.
| @@ -372,7 +372,8 @@ ocp-logging = [ | |||
| "sinks-prometheus", | |||
| "sinks-gcp", | |||
| "sinks-splunk_hec", | |||
| "sinks-http" | |||
| "sinks-http", | |||
| "sinks-socket", | |||
There was a problem hiding this comment.
so, we are not introducing any new sink for syslog, we are using socket sink with syslog encoding.
There was a problem hiding this comment.
just a thought, perhaps a dedicated sink will give us better control over having parity with fluentd syslog output.
There was a problem hiding this comment.
Right, technically speaking I did not add a new sink, just a new encoding.
|
|
||
| #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)] | ||
| #[serde(rename_all = "snake_case")] | ||
| pub struct SyslogConf { |
There was a problem hiding this comment.
there are some Syslog structures defined in tests/syslog.rs
It already seems to contain same structures as added here, perhaps chance of reuse.
There was a problem hiding this comment.
probably should consider flipping it around so the tests depend upon code that does not live in "tests"
There was a problem hiding this comment.
In our case the SyslogConf struct reflects the syslog output definition in the CLF and maps directly to the syslog encoding configuration in vector config file, with input validation tied to it. I don't think it's worth the effort trying to combine the two.
| Encoding::Syslog(config) => { | ||
| let mut buf = String::from("<"); | ||
| let pri = get_num_facility(&config.facility, &log) * 8 + get_num_severity(&config.severity, &log); | ||
| buf.push_str(&pri.to_string()); |
There was a problem hiding this comment.
doing push_str so many times does not seem very efficient. We can do some pre-allocation, or use concat_string macro.
https://github.com/hoodie/concatenation_benchmarks-rs#concat_string_macro
There was a problem hiding this comment.
That's an interesting find, there's a benchmark for everything ;)
Agreed, this is naive and I hoped push_str() reallocates exponentially.
| _ => 24, | ||
| }; | ||
| if num == 24 { | ||
| return Err(de::Error::invalid_value(de::Unexpected::Unsigned(num as u64), &"unknown facility")); |
There was a problem hiding this comment.
Isn't this captured by the earlier check?
There was a problem hiding this comment.
The earlier check was for a facility specified as a number, facility = "12", this one is for a name, facility = "user". There's probably space for more elegance here.
| pub enum Encoding { | ||
| Text, | ||
| Json, | ||
| Syslog(SyslogConf), | ||
| } |
There was a problem hiding this comment.
@vimalk78 do you mean 'consider' or 'require'. Does this enum represent the encodings which a sink "may" support or "must" support?
| Syslog(SyslogConf), | ||
| } | ||
|
|
||
| fn add_log_source(log: &LogEvent, buf: &mut String) { |
There was a problem hiding this comment.
This looks kubernetes specific. That seems like a concern for a general syslog sink. Do we need to abstract it someplace else or at least we should add TODO to do something with it when we do an upstream pull
There was a problem hiding this comment.
This PR is not going upstream as is, including for this ^^^ reason.
| } | ||
| } | ||
| Err(_) => { | ||
| let num = match field_value_string.to_uppercase().as_str() { |
There was a problem hiding this comment.
is there some duplication here to deserialization that can be reused?
There was a problem hiding this comment.
Yes, this and deserialization, for both severity and facility are asking for refactoring.
| } | ||
|
|
||
| fn get_timestamp(log: &LogEvent) -> DateTime::<Local> { | ||
| match log.get("@timestamp") { |
There was a problem hiding this comment.
is this specific to our implementation needs for openshift?
There was a problem hiding this comment.
vector defines a timestamp key as part of its log schema in src/config/log_schema.rs we can use that.
pub fn timestamp_key(&self) -> &str {
&self.timestamp_key
}
There was a problem hiding this comment.
This PR is not going upstream as it is, there are things in it that don't make sense outside of our use case.
|
/test unit |
|
/test cluster-logging-operator-e2e-5-6 |
1 similar comment
|
/test cluster-logging-operator-e2e-5-6 |
syedriko
force-pushed
the
syedriko-syslog-sink
branch
from
43b4fd5
to
9eb7fc3
Compare
Initial implementation of the syslog sink
JIRA: https://issues.redhat.com/browse/LOG-2288