Sending Apache access logs to Graylog fails
427 views
Skip to first unread message
Rob Pomeroy
Jan 18, 2017, 1:11:17 PM1/18/17
to Fluentd Google Group
Hi,
I can see the pos_file changing as accesses are logged by Apache. And here's the match:
A colleague and I have worked on this for hours today, trying all sorts of combinations and using netcat to confirm UDP packets are being received. I'm at a lost how to debug this any further. Can anyone suggest anything?
Given two servers, WEB and GRAYLOG, I have a a couple of scenarios working:
- Sending syslog of WEB to GRAYLOG via Fluentd
- Sending /var/log/apache2/access.log on WEB to a file on WEB
When I try to reverse the scenarios (syslog to file and Apache to Graylog) it doesn't work. I'm most interested in sending Apache's access logs to Graylog, using Fluentd.
Here's an example source for Apache:
<source>
@type tail
path /var/log/apache2/access.log
pos_file /var/log/td-agent/apache2.access_log.pos
tag graylog2.apache
format apache2
</source>
I can see the pos_file changing as accesses are logged by Apache. And here's the match:
<match graylog2.**>
@type copy
<store>
type gelf
host 10.2.62.12
port 12201
flush_interval 5s
</store>
<store>
@type stdout
</store>
</match>Can you see anything wrong with that? It doesn't look like GRAYLOG even receives the messages. We're not using a custom log format. They look like this:
10.2.12.153 - - [18/Jan/2017:15:37:39 +0000] "GET / HTTP/1.1" 200 304 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
10.2.12.153 - - [18/Jan/2017:15:37:39 +0000] "GET / HTTP/1.1" 200 303 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
10.2.12.153 - - [18/Jan/2017:15:37:40 +0000] "GET /favicon.ico HTTP/1.1" 404 503 "http://syso-prod-01/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
A colleague and I have worked on this for hours today, trying all sorts of combinations and using netcat to confirm UDP packets are being received. I'm at a lost how to debug this any further. Can anyone suggest anything?
Many thanks!
Rob
Mr. Fiber
Jan 18, 2017, 3:07:02 PM1/18/17
to Fluentd Google Group
Hi,
Thanks for trying fluentd.
I want to know several information.
- Could you paste your entire fluentd logs?
- There is no output from 'stdout' plugin in 'copy' plugin?
Masahiro
--
You received this message because you are subscribed to the Google Groups "Fluentd Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fluentd+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Rob Pomeroy
Jan 19, 2017, 8:17:22 AM1/19/17
to Fluentd Google Group
Hi Masahiro,
Why do I have "undefined method `bytesize'"? Do you have any suggestions?
Thanks for your reply. You gave me an idea and I changed my config slightly so that the Apache processing was also going to the "stdout"/td-agent.log. And I can now see an error (though I don't know how to fix it):
2017-01-19 13:12:04 +0000 [warn]: emit transaction failed: error_class=NoMethodError error="undefined method `bytesize' for nil:NilClass" tag="graylog2.apache"
2017-01-19 13:12:04 +0000 [warn]: /etc/td-agent/plugin/out_gelf.rb:60:in `block in format'
2017-01-19 13:12:04 +0000 [warn]: /etc/td-agent/plugin/out_gelf.rb:58:in `each_pair'
2017-01-19 13:12:04 +0000 [warn]: /etc/td-agent/plugin/out_gelf.rb:58:in `format'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:284:in `block in format_stream'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/event.rb:130:in `call'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/event.rb:130:in `block in each'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/event.rb:129:in `each'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/event.rb:129:in `each'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:283:in `format_stream'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:269:in `emit'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:42:in `next'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/buffer.rb:199:in `block in emit'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/2.1.0/monitor.rb:211:in `mon_synchronize'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/buffer.rb:193:in `emit'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:593:in `block in emit'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:592:in `each'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:592:in `emit'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/output.rb:42:in `next'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/out_copy.rb:78:in `emit'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/event_router.rb:90:in `emit_stream'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:291:in `receive_lines'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:401:in `call'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:401:in `wrap_receive_lines'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:596:in `call'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:596:in `on_notify'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:427:in `on_notify'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:528:in `call'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:528:in `on_change'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/cool.io-1.4.5/lib/cool.io/loop.rb:88:in `run_once'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/cool.io-1.4.5/lib/cool.io/loop.rb:88:in `run'
2017-01-19 13:12:04 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.31/lib/fluent/plugin/in_tail.rb:275:in `run'
Why do I have "undefined method `bytesize'"? Do you have any suggestions?
Many thanks,
Rob
Mr. Fiber
Jan 19, 2017, 4:07:31 PM1/19/17
to Fluentd Google Group
It seems bug of gelf plugin.
See this patch: https://github.com/emsearcy/fluent-plugin-gelf/pull/30
--
Rob Pomeroy
Jan 20, 2017, 3:26:27 AM1/20/17
to Fluentd Google Group
You're absolutely right. Thanks so much - that has fixed it!
Rob
Rob Pomeroy
Jan 20, 2017, 3:59:10 AM1/20/17
to Fluentd Google Group
Can I ask one last (unrelated) question please? I've gone all through the documentation, and I can't see an explanation for the use of "@" within source and match directive. E.g.:
<source>
@type tail
path /var/log/apache2/access.log
pos_file /var/log/td-agent/apache2.access_log.pos
tag graylog2.apache
format apache2
</source>
and
<source>
type tail
path /var/log/apache2/access.log
pos_file /var/log/td-agent/apache2.access_log.pos
tag graylog2.apache
format apache2
</source>both seem to work the same. What difference does the @ make?
Thanks,
Rob
Mr. Fiber
Jan 20, 2017, 4:16:34 AM1/20/17
to Fluentd Google Group
Rob Pomeroy
Jan 20, 2017, 5:38:34 AM1/20/17
to Fluentd Google Group
Ah great, somehow I'd overlooked this line:
On Friday, 20 January 2017 09:16:34 UTC, repeatedly wrote:
type,idandlog_levelare supported for backward compatibility.
Once again, thanks very much for your help this week. Fluentd was exactly what my company was looking for (to decouple receiving and sending logs to Graylog). We stumbled across it by accident, and have been thoroughly impressed. Much easier than adding logstash and/or redis to the data flow.
Rob
On Friday, 20 January 2017 09:16:34 UTC, repeatedly wrote:
Reply all
Reply to author
Forward
0 new messages