Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for BSD style syslog messages RFC 3164 to syslog input #4593

Open
vit1251 opened this issue Aug 25, 2018 · 6 comments

Comments

Projects
None yet
2 participants
@vit1251
Copy link

commented Aug 25, 2018

Relevant telegraf.conf:

=udp4://:6514

System info:

1.7.3

Steps to reproduce:

  1. Setup UDP input syslog plugin
  2. Setup nginx output in that UDP port

Expected behavior:

Message store in InfluxDB

Actual behavior:

Error in plugin [inputs.syslog]: read udp4 0.0.0.0:6514: i/o timeout

Additional info:

No idea.

@danielnelson danielnelson added the bug label Aug 27, 2018

@danielnelson

This comment has been minimized.

Copy link
Contributor

commented Aug 27, 2018

Can you show your nginx config for sending over UDP?

@vit1251

This comment has been minimized.

Copy link
Author

commented Aug 27, 2018

@danielnelson I setup nginx by manual at address http://nginx.org/en/docs/syslog.html

access_log syslog:server=127.0.0.1:6514,tag=nginx;

I watch tcpdump UDP and view that UDP packet push on lo interface.

@danielnelson

This comment has been minimized.

Copy link
Contributor

commented Aug 27, 2018

I believe the issue is that nginx outputs only in RFC 3164, but the syslog input only does RFC 5424 messages. There is an issue on go-syslog to add support: influxdata/go-syslog#15.

In the meantime I think a workaround would be to use rsyslog to convert between formats.

@vit1251

This comment has been minimized.

Copy link
Author

commented Aug 28, 2018

@danielnelson maybe an interesting fact or my mistake I'm not exactly sure but... after error ocuire I try to make custom message by logger from shell and no message pass in Influx. I guess that parsing goroutine ended and no more ready to receive UDP packet. Perhaps this is a mistake.

@danielnelson

This comment has been minimized.

Copy link
Contributor

commented Aug 28, 2018

I set up rsyslog to forward over UDP:

$ cat /etc/rsyslog.d/50-telegraf.conf
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

*.* @127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

And then used the logger command from util-linux:

$ logger test

I did get the message, but also an error message:

2018-08-28T20:30:30Z E! Error in plugin [inputs.syslog]: read udp [::]:6514: i/o timeout
syslog,appname=dbn,facility=user,host=debian-stretch-syslog.virt,hostname=debian-stretch-syslog,severity=notice version=1i,severity_code=5i,facility_code=1i,timestamp=1535488225311326000i,message=" test" 1535488225311871493

Afterwards, I am unable to send to this socket. I think we just want to remove the deadline for the UDP socket altogether, I'll put together a pr.

@danielnelson

This comment has been minimized.

Copy link
Contributor

commented Aug 31, 2018

@vit1251 You should be able to craft a message directly now if you use the nightly builds.

@danielnelson danielnelson changed the title Syslog input plugin i/o error on UDP socket Add support for BSD style syslog messages RFC 3164 to syslog input Aug 31, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.