LOG-7257

[receiver.syslog] facility attribute value is incorrect when sending logs to logstore

    • Release Note Not Required
    • Log Collection - Sprint 271, Log Collection - Sprint 272

      Description:
      When configuring the collector as a syslog server and forwarding logs to LokiStack, the facility value is received as 'user' instead of 'local0'.

      1st CLF spec:

      spec:
        inputs:
          - name: syslog
            receiver:
              port: 6514
              type: syslog
            type: receiver
        managementState: Managed
        outputs:
          - lokiStack:
              authentication:
                token:
                  from: serviceAccount
              target:
                name: lokistack-71049
                namespace: openshift-logging
            name: lokistack
            tls:
              ca:
                key: ca-bundle.crt
                secretName: lokistack-secret-71049
            type: lokiStack
        pipelines:
          - inputRefs:
              - syslog
            name: forward-to-lokistack
            outputRefs:
              - lokistack
        serviceAccount:
          name: logcollector-71049

      2nd CLF spec:

      spec:
        inputs:
          - application:
              includes:
                - namespace: e2e*
            name: app-input-namespace
            type: application
        managementState: Managed
        outputs:
          - name: external-syslog
            syslog:
              facility: local0
              rfc: RFC5424
              severity: informational
              url: 'tls://instance-71049-syslog.openshift-logging.svc:6514'
            tls:
              ca:
                key: ca-bundle.crt
                secretName: clf-syslog-secret
            type: syslog
        pipelines:
          - inputRefs:
              - infrastructure
              - audit
              - app-input-namespace
            name: forward-to-external-syslog
            outputRefs:
              - external-syslog
        serviceAccount:
          name: clf-2acjcpcl

      Logs received at Loki:

      {
         "facility":"user",
         "host":"<hidden>",
         "hostname":"<hidden>",
         "kubernetes":{
            "container_name":"",
            "namespace_name":"",
            "pod_name":""
         },
         "log_source":"node",
         "log_type":"infrastructure",
         "message":"{\"@timestamp\":\"2025-05-28T13:13:51.751+00:00\",\"app_name\":\"auditd\",\"audit.linux\":{\"record_id\":\"4110\",\"type\":\"BPF\"},\"facility\":\"local0\",\"hostname\":\"ip-10-0-84-136.us-east-2.compute.internal\",\"level\":\"default\",\"log_source\":\"auditd\",\"log_type\":\"audit\",\"message\":\"type=BPF msg=audit(1748438031.751:4110): prog-id=2153 op=LOAD\",\"msg_id\":\"auditd\",\"openshift\":{\"cluster_id\":\"<hidden>\",\"sequence\":1748466377844832069},\"proc_id\":\"-\",\"severity\":\"informational\",\"timestamp\":\"2025-05-28T13:13:51.751Z\"}",
         "severity":"info",
         "source_ip":"::ffff:10.129.1.81",
         "source_type":"syslog",
         "version":1
      }
      

       

      How reproducible: Always

      CLO version: cluster-logging-rhel9-operator/images/v6.2.3-7

      Steps to reproduce:
      a) Deploy LokiStack
      b) Create the collector as syslog server and forward logs to lokistack

      Expected Result: Facility value should be 'local0'

      Actual result: Facility value is 'user'

      Additional Info: This issue is not seen on latest prod release Logging 6.2.2
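
A regression check for the behaviour reported above, as an added example that is not part of the original report or the operator's code: it decodes the syslog PRI value (facility × 8 + severity, so local0 with informational is 134 and user with informational is 14) and flags records whose receiver-assigned facility differs from the one embedded in the forwarded JSON body. The sample frame and record are constructed (the record is trimmed from the one shown above), the function names are hypothetical, and the keyword names for facility codes 12 to 15 are an assumption since they vary between implementations.

```python
import json

# Conventional syslog keywords by numeric code (names for 12-15 are an assumption).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Constructed samples: an RFC 5424 style frame and a trimmed received record.
SAMPLE_FRAME = "<134>1 2025-05-28T13:13:51.751Z node.example auditd - auditd - {}"
SAMPLE_RECORD = {
    "facility": "user",
    "severity": "info",
    "source_type": "syslog",
    "message": json.dumps({"facility": "local0", "severity": "informational"}),
}


def decode_pri(frame):
    """Return (facility, severity) keywords from the <PRI> header of a frame."""
    if not frame.startswith("<") or ">" not in frame[1:5]:
        raise ValueError("missing <PRI> header")
    pri = int(frame[1:frame.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def facility_mismatch(record):
    """Return (outer, inner) when the receiver's facility differs from the
    facility embedded in the JSON message body, otherwise None."""
    try:
        inner = json.loads(record.get("message", ""))
    except (TypeError, ValueError):
        return None  # body is not JSON, nothing to compare against
    if not isinstance(inner, dict) or "facility" not in inner:
        return None
    outer = record.get("facility")
    return (outer, inner["facility"]) if outer != inner["facility"] else None


if __name__ == "__main__":
    print("frame PRI decodes to:", decode_pri(SAMPLE_FRAME))
    print("record mismatch:", facility_mismatch(SAMPLE_RECORD))
```
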

              vparfono Vitalii Parfonov
              rhn-support-kbharti Kabir Bharti
              Kabir Bharti Kabir Bharti