Add hostname/IP of event source to record


Lee Wilson

May 31, 2015, 3:57:34 PM
to flu...@googlegroups.com
Evening everyone,

I've just started out with fluentd and I'm trying to get one of my ADSL routers to log to it, which is working, but annoyingly the router doesn't send either the hostname or the date/time in the syslog message, for example:

May 31 20:36:37 kernel: klogd started: BusyBox
May 31 20:36:40 kernel: PacketFilter: Drop SPT=12345 DPT=443 LEN=51 UDP packet from [br0] x.x.x.x:12345 to x.x.x.x:443

The date/time isn't an issue as fluentd sorts this out by itself, but how can I record the source IP (or hostname) of the device sending the event? Is it possible for fluentd to read this from the TCP/UDP packet header, or does it just rely on the info contained in the message?

I'm currently using the in_syslog plugin and have set format to 'none' to get the basic message output to a file. I tried using the record_reformer plugin and adding the ${hostname} variable, but that is obviously just the host running fluentd.

Thanks for any help.

Lee

Mr. Fiber

May 31, 2015, 5:29:37 PM
to flu...@googlegroups.com
Hi,
How about setting include_source_host / source_host_key parameters?
I forgot to add these parameters to the documentation, so I have just added them.



Masahiro



Lee Wilson

Jun 1, 2015, 3:08:56 PM
to flu...@googlegroups.com
Thanks Masahiro, that did the trick.

Here's what I set up:
<source>
  @type syslog
  # keep the raw message text rather than parsing it as syslog
  format none
  port 514
  bind 0.0.0.0
  # take the sender address from the UDP/TCP packet and store it in the record
  include_source_host true
  source_host_key event_source
  tag net.syslog
</source>

<match net.syslog.**>
  @type file
  path /var/log/net.syslog
  @id net_syslog
</match>

Ending up with this very nicely:
2015-06-01T19:53:38+01:00 net.syslog.daemon.info {"message":"Jun  1 19:59:09 kernel: PacketFilter: Drop TCP packet from [eth0] x.x.x.x:31111 to x.x.x.x:80","event_source":"x.x.x.x"}
2015-06-01T19:57:03+01:00 net.syslog.daemon.notice {"message":"Jun  1 20:02:35 kernel: klogd: exiting","event_source":"x.x.x.x"}

Bit more tweaking to do but liking it so far.

Thanks again
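As an added example (not fluentd's own code and not posted by anyone in this thread), the Python script below models what include_source_host is doing in the config above: the sender address is taken from the UDP socket when the datagram is received, never from the message text, which is why it works for a router that omits its own hostname. It also parses the <PRI> header into a facility.severity tag the way the net.syslog.daemon.info / net.syslog.daemon.notice tags in the output above were built, and keeps the raw text as "message" as format none does. One caveat a collector bound to 0.0.0.0 on UDP 514 should carry: the source address of a UDP datagram is trivially spoofed, so event_source is only as trustworthy as the network path, and the script checks the sender against an allowlist before accepting the record. The function names, the ALLOWED_SOURCES set, the 192.0.2.x / 198.51.100.x addresses and the facility/severity name tables are assumptions; the sample datagrams are constructed from the router lines quoted above.

```python
"""Model of in_syslog's include_source_host behaviour plus a sender allowlist.

Added example, not fluentd's code. The sender address comes from the UDP
socket (recvfrom), never from the message text. Facility/severity names
are assumed to match the "daemon.info"/"daemon.notice" tags seen in the
thread's output; addresses in 192.0.2.0/24 and 198.51.100.0/24 are
hypothetical (documentation ranges).
"""
import json
import re
import socket

# Assumed syslog facility (PRI // 8) and severity (PRI % 8) names.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "at",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Hypothetical allowlist of the routers expected to send syslog. UDP source
# addresses are easily spoofed, so a collector on 0.0.0.0:514 should not
# trust event_source without this (or an equivalent firewall rule).
ALLOWED_SOURCES = {"192.0.2.1", "192.0.2.2"}


def parse_datagram(data, peer_ip, base_tag="net.syslog",
                   source_host_key="event_source"):
    """Return (tag, record) for one datagram: format none + include_source_host."""
    m = PRI_RE.match(data)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    tag = "%s.%s.%s" % (base_tag, FACILITIES[facility], SEVERITIES[severity])
    # With format none the rest of the datagram is kept verbatim as "message".
    message = data[m.end():].decode("utf-8", errors="replace").rstrip("\n")
    return tag, {"message": message, source_host_key: peer_ip}


def handle_datagram(data, peer_ip, allowed=ALLOWED_SOURCES):
    """Return (tag, record) for an allowed sender, None for anyone else."""
    if peer_ip not in allowed:
        return None
    return parse_datagram(data, peer_ip)


def receive_one(sock, allowed=ALLOWED_SOURCES):
    """Read one datagram; the sender comes from the packet, like in_syslog."""
    data, addr = sock.recvfrom(65535)
    return handle_datagram(data, addr[0], allowed)


# Constructed datagrams modelled on the router lines quoted in the thread
# (PRI 30 = daemon.info, PRI 29 = daemon.notice).
SAMPLE_INFO = (b"<30>Jun  1 19:59:09 kernel: PacketFilter: Drop TCP packet "
               b"from [eth0] x.x.x.x:31111 to x.x.x.x:80")
SAMPLE_NOTICE = b"<29>Jun  1 20:02:35 kernel: klogd: exiting\n"


def loopback_demo():
    """Send the samples over 127.0.0.1 and parse them off the receiving socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    results = []
    try:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2)
        for payload in (SAMPLE_INFO, SAMPLE_NOTICE):
            cli.sendto(payload, srv.getsockname())
            results.append(receive_one(srv, ALLOWED_SOURCES | {"127.0.0.1"}))
    finally:
        cli.close()
        srv.close()
    return results


if __name__ == "__main__":
    for tag, record in loopback_demo():
        print(tag, json.dumps(record))
```

Running it prints two lines shaped like the fluentd output above (tag, then the JSON record with "message" and "event_source"), with 127.0.0.1 as event_source because that is where the loopback sender actually lives. A datagram from an address outside ALLOWED_SOURCES is dropped by handle_datagram before any record is produced.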