Uploaded image for project: 'Docs for Red Hat Developers'
  1. Docs for Red Hat Developers
  2. RHDEVDOCS-3258

Pick daemon name from the record when using syslog forwarding with addLogSource field

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • Logging 5.2
    • None
    • Logging
    • None
    • devex docs #212 Dec 23-Jan 13, devex docs #213 Jan 13-Feb 3, devex docs #214 Feb 3-Feb 24, devex docs #215 Feb 24-Mar 17, devex docs #216 Mar 17-Apr 7, devex docs #217 Apr 7-Apr 28, devex docs #218 Apr 28-May 19, devex docs #219 May 19-Jun 9, devex docs #220 Jun 9-Jun 30
    • 3
    • Documentation (Ref Guide, User Guide, etc.)
    • Undefined

      What is the problem that your customer is facing?

      Log forwarding using the syslog protocol with addLogSource field can not report who outputted logs in journal log.

      o Current behavior for syslog forwarded messages:

      <134>Jan 12 16:18:59 worker0 fluentd: I0112 16:18:57.831175 1763 setters.go:77] Using node IP: "192.168.200.13"
=> The fixed "fluentd" string is printed in every log message. So customers can not identify which daemon printed this message.

      o Expected behavior for syslog forwarded messages:

      <134>Jan 12 16:18:59 worker0 hyperkube[1763]: I0112 16:18:57.831175 1763 setters.go:77] Using node IP: "192.168.200.13"
=> The daemon name should be included in every log message.

      What is the business impact, if any, if this request will not be made available?

      The daemon name is an important information to troubleshoot cluster issues.
      If this feature is not implemented, customers don't have no way to identify which process sends logs when using syslog forwarding.

      What are your expectations for this feature

      This feature is implemented in the legacy syslog forwarding feature.
      The "systemd.u.SYSLOG_IDENTIFIER" in journal log record is the important key to identify the daemon name.

      This same feature is also required in the Log Forwarding API.

      The following steps is how to print the daemon name in the legacy syslog forwarding feature:

      1. Deploy ClusterLogging with "clusterlogging.openshift.io/logforwardingtechpreview: enabled"
2. Prepare an external syslog server
3. Apply the following config map on openshift-logging, then check if the external syslog server receives messages from ClusterLogging

    ---
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: syslog
      namespace: openshift-logging
    data:
      syslog.conf: |
        <store>
         @type syslog_buffered
         remote_syslog 192.168.122.1  
         port 514
         hostname rhocp4
         remove_tag_prefix tag
         tag_key ident,systemd.u.SYSLOG_IDENTIFIER
         facility local0
         severity debug
         use_record true
         payload_key message
        </store>
    ---
4. Apply the following LogForwarding object
    ---
    apiVersion: logging.openshift.io/v1alpha1
    kind: LogForwarding
    metadata:
      name: instance
    spec:
      disableDefaultForwarding: true
      outputs:
        - name: user-created-es
          type: elasticsearch
          endpoint: elasticsearch.openshift-logging.svc:9200
          secret:
            name: fluentd
      pipelines:
        - name: app-pipeline
          inputSource: logs.app
          outputRefs:
            - user-created-es
        - name: infra-pipeline
          inputSource: logs.infra
          outputRefs:
            - user-created-es
        - name: audit-pipeline
          inputSource: logs.audit
          outputRefs:
            - user-created-es
    ---
5. Check if external syslog server receives messages with daemon names from ClusterLogging

       

            landerso@redhat.com Libby Anderson
            rdlugyhe Rolfe Dlugy-Hegwer
            Anping Li Anping Li
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: