Type: Spike
Resolution: Done
Priority: Blocker
Fix Version/s: Logging 5.6.0
Affects Version/s: None
Component/s: Log Collection
Labels:
- no-doc
- no-qe
- no-rn
- spike

Story Points:
3
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Vector LogForwarding to Syslog
Docs QE Status:
NEW
QE Status:
NEW

Sprint:
Log Collection - Sprint 223, Log Collection - Sprint 224

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Summary

Review vector's open issue related to implementing forwarding to syslog and determine:

the state of affairs
is there a place for us to contribute

Acceptance Criteria

Summarize syslog findings
Create JIRA cards for follow-on work

Notes

There's indeed no syslog sink in the vector codebase There was a PR https://github.com/vectordotdev/vector/pull/7106 , but it was not merged due to the foundation code having been removed from under it.

There is a syslog source, built on top of a syslog parser crate, which also includes a syslog serializer, which can be used in the new syslog sink

There're traits and impls ("base classes") for different types of sinks. The one most closely fitting what the syslog sink needs is SocketSink.
The https://issues.redhat.com/browse/LOG-2914 epic carries the follow-up stories for this spike.

blocks

LOG-2288 Support syslog for vector in CLO

Closed

is related to

LOG-2715 Add a unique cluster name or identifier to the log record

Closed

Aleksandar Lazic added a comment - 2022/08/11 9:07 PM

syedriko_sub@redhat.com that sounds quite good, thank for the information.

Aleksandar Lazic added a comment - 2022/08/11 9:07 PM syedriko_sub@redhat.com that sounds quite good, thank for the information.

Sergey Yedrikov added a comment - 2022/08/11 8:05 PM

alazic@redhat.com The current thinking is that the syslog sink will be based on the socket sink and will inherit socket's TLS configuration: https://vector.dev/docs/reference/configuration/sinks/socket/#tls. It does allow for a custom CA, via the ca_file variable.

Sergey Yedrikov added a comment - 2022/08/11 8:05 PM alazic@redhat.com The current thinking is that the syslog sink will be based on the socket sink and will inherit socket's TLS configuration: https://vector.dev/docs/reference/configuration/sinks/socket/#tls. It does allow for a custom CA, via the ca_file variable.

Aleksandar Lazic added a comment - 2022/08/11 6:19 PM

Hi. It would be very nice to have options to define a secret for customers Certificate Authority, is there such a concept in Vector to have own Certificate Authoritys for TLS connections?

We have such a config in the current logging setup, for example.

outputs:
  - name: out-syslog
    secret:
      name: siem-ca
    syslog:
      facility: local1
      rfc: RFC3164
      severity: info
    type: syslog
    url: tls://syslog01.isec.domain.com:1999

Aleksandar Lazic added a comment - 2022/08/11 6:19 PM Hi. It would be very nice to have options to define a secret for customers Certificate Authority, is there such a concept in Vector to have own Certificate Authoritys for TLS connections? We have such a config in the current logging setup, for example. outputs: - name: out-syslog secret: name: siem-ca syslog: facility: local1 rfc: RFC3164 severity: info type: syslog url: tls: //syslog01.isec.domain.com:1999

Sergey Yedrikov added a comment - 2022/08/09 8:14 PM

Jeffrey Cantrill added a comment - 2022/08/09 8:02 PM

syedriko_sub@redhat.com one issue to consider is our existing API which allows for 2 different RFC specs. Assuming we can get syslog impl in vector, it may be that we do not have feature parity (nor want) with fluentd in this regard. We need to support our syslog option as best as possible and drop anything that otherwise does not make sense

Jeffrey Cantrill added a comment - 2022/08/09 8:02 PM syedriko_sub@redhat.com one issue to consider is our existing API which allows for 2 different RFC specs. Assuming we can get syslog impl in vector, it may be that we do not have feature parity (nor want) with fluentd in this regard. We need to support our syslog option as best as possible and drop anything that otherwise does not make sense

Assignee:: Sergey Yedrikov

Reporter:: Jeffrey Cantrill

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2022/08/08 8:24 PM

Updated:: 2022/08/30 12:39 AM

Resolved:: 2022/08/30 12:39 AM

[spike] Investigate vector changes required to enable forwarding to syslog

Summary

Acceptance Criteria

Notes

[LOG-2904] [spike] Investigate vector changes required to enable forwarding to syslog

Details

Description

Summary

Acceptance Criteria

Notes

Attachments

Issue Links

Easy Agile Planning Poker

Activity

[LOG-2904] [spike] Investigate vector changes required to enable forwarding to syslog

Collapse comment: Aleksandar Lazic added a comment - 2022/08/11 9:07 PM

Expand comment: Aleksandar Lazic added a comment - 2022/08/11 9:07 PM

Collapse comment: Sergey Yedrikov added a comment - 2022/08/11 8:05 PM

Expand comment: Sergey Yedrikov added a comment - 2022/08/11 8:05 PM

Collapse comment: Aleksandar Lazic added a comment - 2022/08/11 6:19 PM

Expand comment: Aleksandar Lazic added a comment - 2022/08/11 6:19 PM

Collapse comment: Sergey Yedrikov added a comment - 2022/08/09 8:14 PM

Expand comment: Sergey Yedrikov added a comment - 2022/08/09 8:14 PM

Collapse comment: Jeffrey Cantrill added a comment - 2022/08/09 8:02 PM

Expand comment: Jeffrey Cantrill added a comment - 2022/08/09 8:02 PM

People

Dates