Skip to content

Latest commit

 

History

History
124 lines (106 loc) · 5.39 KB

cluster-logging-collector-legacy-syslog.adoc

File metadata and controls

124 lines (106 loc) · 5.39 KB
Raw

Forwarding logs using the legacy syslog method

You can use the syslog RFC3164 protocol to send logs to destinations outside of your {product-title} cluster by creating a configuration file and config map. You are responsible for configuring the external log aggregator, such as a syslog server, to receive the logs from {product-title}.

Important

This method for forwarding logs is deprecated in {product-title} and will be removed in a future release.

There are two versions of the syslog protocol:

  • out_syslog: The non-buffered implementation, which communicates through UDP, does not buffer data and writes out results immediately.

  • out_syslog_buffered: The buffered implementation, which communicates through TCP and buffers data into chunks.

To send logs using the syslog protocol, create a configuration file called syslog.conf, with the information needed to forward the logs. Then, use that file to create a config map called syslog in the openshift-logging project, which {product-title} uses when forwarding the logs.

Prerequisites

  • You must have a logging server that is configured to receive the logging data using the specified protocol or format.

Sample syslog configuration file
<store>
@type syslog_buffered
remote_syslog rsyslogserver.example.com
port 514
hostname ${hostname}
remove_tag_prefix tag
facility local0
severity info
use_record true
payload_key message
rfc 3164
</store>

You can configure the following syslog parameters. For more information, see the syslog RFC3164.

  • facility: The syslog facility. The value can be a decimal integer or a case-insensitive keyword:

    • 0 or kern for kernel messages

    • 1 or user for user-level messages, the default.

    • 2 or mail for the mail system

    • 3 or daemon for the system daemons

    • 4 or auth for the security/authentication messages

    • 5 or syslog for messages generated internally by syslogd

    • 6 or lpr for the line printer subsystem

    • 7 or news for the network news subsystem

    • 8 or uucp for the UUCP subsystem

    • 9 or cron for the clock daemon

    • 10 or authpriv for security authentication messages

    • 11 or ftp for the FTP daemon

    • 12 or ntp for the NTP subsystem

    • 13 or security for the syslog audit logs

    • 14 or console for the syslog alert logs

    • 15 or solaris-cron for the scheduling daemon

    • 1623 or local0local7 for locally used facilities

  • payloadKey: The record field to use as payload for the syslog message.

  • rfc: The RFC to be used for sending logs using syslog.

  • severity: The syslog severity to set on outgoing syslog records. The value can be a decimal integer or a case-insensitive keyword:

    • 0 or Emergency for messages indicating the system is unusable

    • 1 or Alert for messages indicating action must be taken immediately

    • 2 or Critical for messages indicating critical conditions

    • 3 or Error for messages indicating error conditions

    • 4 or Warning for messages indicating warning conditions

    • 5 or Notice for messages indicating normal but significant conditions

    • 6 or Informational for messages indicating informational messages

    • 7 or Debug for messages indicating debug-level messages, the default

  • tag: The record field to use as a tag on the syslog message.

  • trimPrefix: The prefix to remove from the tag.

Procedure

To configure {product-title} to forward logs using the legacy configuration methods:

  1. Create a configuration file named syslog.conf and specify parameters similar to the following within the <store> stanza:

    <store>
@type <type> (1)
remote_syslog <syslog-server> (2)
port 514 (3)
hostname ${hostname}
remove_tag_prefix <prefix> (4)
facility <value>
severity <value>
use_record <value>
payload_key message
rfc 3164 (5)
</store>

    1. Specify the protocol to use, either: syslog or syslog_buffered.

    2. Specify the FQDN or IP address of the syslog server.

    3. Specify the port of the syslog server.

    4. Optional: Specify the appropriate syslog parameters, for example:

      • Parameter to remove the specified tag field from the syslog prefix.

      • Parameter to set the specified field as the syslog key.

      • Parameter to specify the syslog log facility or source.

      • Parameter to specify the syslog log severity.

      • Parameter to use the severity and facility from the record if available. If true, the container_name, namespace_name, and pod_name are included in the output content.

      • Parameter to specify the key to set the payload of the syslog message. Defaults to message.

    5. With the legacy syslog method, you must specify 3164 for the rfc value.

  2. Create a config map named syslog in the openshift-logging project from the configuration file:

    $ oc create configmap syslog --from-file=syslog.conf -n openshift-logging

The Red Hat OpenShift Logging Operator redeploys the Fluentd pods. If the pods do not redeploy, you can delete the Fluentd pods to force them to redeploy.

$ oc delete pod --selector logging-infra=fluentd