GELF UDP Syslog output to Graylog2


Maria Blagoeva

Aug 25, 2017, 1:16:23 AM8/25/17
to Fluentd Google Group

Hello all :)


I am forwarding from a couple of servers (rsyslog forwarding) through FluentD (gelf plugin) daemon to Graylog2 using the standard setup and noticed that the messages coming through are with the content below (Graylog UI):


message
1 2017-08-24T23:25:01.737373+03:00 host-0 CRON 29720 - - pam_env(cron:session): Unable to open env file: /etc/default/locale: No such file or directory


It seems the gelf protocol of FluentD adds additional info. I already posted a question in the graylog2 community, but they say it should be one of the programs forwarding the messages.


Can I strip the bold part of the message somehow? Is it a valid gelf addition, or have I something configured wrongly? Below is the td-agent configuration file:


<source>
  type syslog
  format none
  port 5144
  tag test
</source>
<match **>
  type copy
  <store>
    type gelf
    host 192.168.0.2
    port 12201
    flush_interval 5s
  </store>
</match>


Is there a way to directly use udp as output store with fluentd? Thanks in advance.

Mr. Fiber

Aug 25, 2017, 3:28:51 AM8/25/17
to Fluentd Google Group
It seems the gelf protocol of FluentD adds additional info,

No. You use the none parser in the syslog plugin, so this is your raw syslog message.
Fluentd doesn't add such info.

Can I strip the bold part of the message somehow?

Yes. You can write your filter or use some trick like this:



Masahiro

--
You received this message because you are subscribed to the Google Groups "Fluentd Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fluentd+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Maria Blagoeva

Aug 25, 2017, 9:07:38 AM8/25/17
to Fluentd Google Group
Thanks, Masahiro

I will try also the listed approaches, but have some additional questions, if I may, just to see if I have understood correctly. I removed the formatter from the config file, so now I have:

<source>
  type syslog
  port 5144
  tag hatchery

</source>
<match **>
  type copy
  <store>
    type gelf
    host 192.168.0.2
    port 12201
    flush_interval 5s
  </store>
  <store>
     type stdout
  </store>
</match>

and the rsyslog:

*.* @192.168.0.253:5144 #udp fluentd gelf forwarding

From the output I can see that everything is parsed correctly now (maybe I shouldn't have forced rfc5424 explicitly with ?):

2017-08-25 16:00:02 +0300 host.authpriv.info: {"host":"host-0","ident":"CRON","pid":"23032","message":"pam_unix(cron:session): session closed for user root"}

but now I wonder how can I obtain the full message:

Aug 25 16:02:01 host-0 CRON[25134]: pam_unix(cron:session): session closed for user root

Again with filters? The reason is that fluentd will obtain information from servers behind a NAT server, so I need to somehow grep the hostnames of those servers for trackability purposes.

Thanks a lot for your suggestions.

Maria

Maria Blagoeva

Aug 27, 2017, 2:36:35 PM8/27/17
to Fluentd Google Group
I played a bit with the setup, just to see how I can keep the original host. It seems that along the way something is overwritten, but I do not know at which point yet. When I have fluentd intercepting all rsyslog messages, from the stdout I can see that the original host is kept:

2017-08-27 21:17:01 +0300 rsyslog.authpriv.info: {"host":"host0","ident":"CRON","pid":"1617","message":"pam_unix(cron:session): session closed for user root"}

On the Graylog web UI it does not, so I tried from the same server where fluentd is installed to pass a valid request, so that I can see if the host gets overwritten, but it did not:

echo -n '{ "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }' | nc -w1 -u 192.168.0.2 12201

The example.org source has been visualized. My next step is to dump the traffic and see, but gelf seems encrypted and I am fairly new to it. Any thoughts? Thanks in advance.

Maria Blagoeva

Aug 28, 2017, 3:19:09 PM8/28/17
to Fluentd Google Group
I messed around further with the forwarding and now I realize why my question could be confusing (even stupid, frankly). Anyhow, just for the sake of the thread: for having fluentd as a relay to a central logging server and keeping the original sender IP, the include_source_host parameter should be used. This way Graylog also recognizes it and you can filter and/or search based on that.

The official docs, as of version 0.12, say it is deprecated, but the source_hostname_key parameter did not work at all in my case. Thanks again.
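As an added example (not code from this thread, from Fluentd or from fluent-plugin-gelf), the following Ruby ties together the two points above: it parses the raw RFC 5424 line that "format none" passed through in the first post, carries the original sender into the GELF "host" field with the relay's own name in an additional field (the traceability goal behind include_source_host / source_hostname_key), and zlib-compresses the payload the way GELF UDP senders normally do, which is why a packet dump of GELF looks opaque although it is not encrypted. The sample line, the PRI value 78, the relay name and the "_relay_host" field are constructed assumptions.

```ruby
require 'json'
require 'socket'
require 'time'
require 'zlib'

# RFC 5424 line as rsyslog emits it and as "format none" passes it through:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = /\A(?:<(?<pri>\d{1,3})>)?1 (?<ts>\S+) (?<host>\S+) (?<app>\S+) (?<pid>\S+) (?<msgid>\S+) (?<sd>-|(?:\[[^\]]*\])+) ?(?<msg>.*)\z/m

# Split the header off the body; PRI defaults to 13 (user.notice) when the
# input has already stripped it, as in the Graylog screenshot above.
def parse_rfc5424(line)
  m = RFC5424.match(line.chomp) or return nil
  pri = m[:pri] ? m[:pri].to_i : 13
  { 'host' => m[:host], 'ident' => m[:app], 'pid' => m[:pid],
    'message' => m[:msg], 'timestamp' => m[:ts],
    'facility' => pri / 8, 'severity' => pri % 8 }
end

# GELF 1.1 payload: "host" is the original sender, which must survive a
# relay behind NAT; the relay's name is kept as an additional "_" field (assumed name).
def to_gelf(record, relay_host)
  { 'version' => '1.1', 'host' => record['host'],
    'short_message' => record['message'],
    'timestamp' => Time.iso8601(record['timestamp']).to_f,
    'level' => record['severity'], '_facility' => record['facility'],
    '_ident' => record['ident'], '_pid' => record['pid'],
    '_relay_host' => relay_host }
end

# GELF UDP senders normally zlib- or gzip-compress the JSON, so a packet
# capture looks opaque although nothing is encrypted.
def encode_gelf(gelf)
  Zlib::Deflate.deflate(JSON.generate(gelf))
end

def decode_gelf(bytes)
  JSON.parse(Zlib::Inflate.inflate(bytes))
end

def send_gelf(gelf, host, port)
  sock = UDPSocket.new
  sock.send(encode_gelf(gelf), 0, host, port)
ensure
  sock&.close
end

# Constructed sample: the thread's line with an rsyslog PRI of 78 (cron.info) prepended.
SAMPLE = "<78>1 2017-08-24T23:25:01.737373+03:00 host-0 CRON 29720 - - " \
         'pam_env(cron:session): Unable to open env file: /etc/default/locale: No such file or directory'
```

Calling `send_gelf(to_gelf(parse_rfc5424(SAMPLE), 'relay-1'), '192.168.0.2', 12201)` reproduces the nc test from the post above, but with the original host preserved instead of the relay's.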

Mr. Fiber

Aug 28, 2017, 11:23:30 PM8/28/17
to Fluentd Google Group
The official docs, as of version 0.12, say it is deprecated, but the source_hostname_key parameter did not work at all in my case.

What does this mean?
No field added into the record?
I tested and it worked.

- log

2017-08-29 12:20:50 +0900 [info]: reading config file path="syslog_test.conf"
2017-08-29 12:20:50 +0900 [info]: starting fluentd-0.12.40
[...]
2017-08-29 12:20:50 +0900 [info]: using configuration file: <ROOT>
  <source>
    @type syslog
    port 5170
    tag test.syslog
    source_hostname_key orig_host
    with_priority true
  </source>
  <match test.**>
    @type stdout
  </match>
</ROOT>
2017-08-29 12:20:50 +0900 [info]: listening syslog socket on 0.0.0.0:5170 with udp
2017-02-28 12:00:00 +0900 test.syslog.user.alert: {"host":"192.168.0.1","ident":"fluentd","pid":"11111","message":"[error] Syslog test","orig_host":"localhost"}

- test ruby script

require 'socket'
require 'json'

# RFC 3164 message with PRI 9 = facility 1 (user) * 8 + severity 1 (alert),
# which is why the record in the log above is tagged test.syslog.user.alert
log = "<9>Feb 28 12:00:00 192.168.0.1 fluentd[11111]: [error] Syslog test\n"
us = UDPSocket.open
sa = Socket.pack_sockaddr_in(5170, '0.0.0.0')  # the syslog input's UDP port
us.send(log, 0, sa)
us.close

