6.2. Forwarding logs using the syslog protocol
You can use the syslog protocol to send a copy of your logs to an external syslog server, instead of the default Elasticsearch log store. Note the following about this syslog protocol:
- uses syslog protocol (RFC 3164), not RFC 5424;
- does not support TLS and thus, is not secure;
- does not provide Kubernetes metadata, systemd data, or other metadata.
This method for forwarding logs is deprecated in OpenShift Container Platform and will be replaced by the Log Forwarding API in a future release.
There are two versions of the syslog protocol:
- out_syslog: The non-buffered implementation, which communicates through UDP, does not buffer data and writes out results immediately.
- out_syslog_buffered: The buffered implementation, which communicates through TCP, buffers data into chunks.
To configure log forwarding using the syslog protocol, create a configuration file, called syslog.conf, with the information needed to forward the logs. Then use that file to create a ConfigMap called syslog in the openshift-logging namespace, which OpenShift Container Platform uses when forwarding the logs. You are responsible to configure your syslog server to receive the logs from OpenShift Container Platform.
Starting with the OpenShift Container Platform 4.3, the process for using the syslog protocol has changed. You now need to create a ConfigMap, as described below.
You can forward logs to multiple syslog servers by specifying separate <store> stanzas in the configuration file.
Sample syslog.conf
<store> @type syslog_buffered 1 remote_syslog rsyslogserver.openshift-logging.svc.cluster.local 2 port 514 3 hostname ${hostname} 4 remove_tag_prefix tag 5 tag_key ident,systemd.u.SYSLOG_IDENTIFIER 6 facility local0 7 severity info 8 use_record true 9 payload_key message 10 </store>
- 1
- The syslog protocol, either:
syslogorsyslog_buffered. - 2
- The fully qualified domain name (FQDN) or IP address of the syslog server.
- 3
- The port number to connect on. Defaults to
514. - 4
- The name of the syslog server.
- 5
- Removes the prefix from the tag. Defaults to
''(empty). - 6
- The field to set the syslog key.
- 7
- The syslog log facility or source.
- 8
- The syslog log severity.
- 9
- Determines whether to use the severity and facility from the record if available.
- 10
- Optional. The key to set the payload of the syslog message. Defaults to
message.注意Configuring the
payload_keyparameter prevents other parameters from being forwarded to the syslog.
Sample syslog ConfigMap based on the sample syslog.conf
kind: ConfigMap
apiVersion: v1
metadata:
name: syslog
namespace: openshift-logging
data:
syslog.conf: |
<store>
@type syslog_buffered
remote_syslog syslogserver.openshift-logging.svc.cluster.local
port 514
hostname ${hostname}
remove_tag_prefix tag
tag_key ident,systemd.u.SYSLOG_IDENTIFIER
facility local0
severity info
use_record true
payload_key message
</store>
Procedure
To configure OpenShift Container Platform to forward logs using the syslog protocol:
Create a configuration file named
syslog.confthat contains the following parameters within the<store>stanza:Specify the syslog protocol type:
@type syslog_buffered 1- 1
- Specify the protocol to use, either:
syslogorsyslog_buffered.
Configure the name, host, and port for your external syslog server:
remote_syslog <remote> 1 port <number> 2 hostname <name> 3
For example:
Example output
remote_syslog syslogserver.openshift-logging.svc.cluster.local port 514 hostname fluentd-server
Configure the other syslog variables as needed:
remove_tag_prefix 1 tag_key <key> 2 facility <value> 3 severity <value> 4 use_record <value> 5 payload_key message 6
- 1
- Add this parameter to remove the
tagfield from the syslog prefix. - 2
- Specify the field to set the syslog key.
- 3
- Specify the syslog log facility or source. For values, see RTF 3164.
- 4
- Specify the syslog log severity. For values, see link:RTF 3164.
- 5
- Specify
trueto use the severity and facility from the record if available. Iftrue, thecontainer_name,namespace_name, andpod_nameare included in the output content. - 6
- Specify the key to set the payload of the syslog message. Defaults to
message.
Example output
facility local0 severity info
The configuration file appears similar to the following:
<store> @type syslog_buffered remote_syslog syslogserver.openshift-logging.svc.cluster.local port 514 hostname ${hostname} tag_key ident,systemd.u.SYSLOG_IDENTIFIER facility local0 severity info use_record false </store>
Create a ConfigMap named
syslogin theopenshift-loggingnamespace from the configuration file:$ oc create configmap syslog --from-file=syslog.conf -n openshift-logging
The Cluster Logging Operator redeploys the Fluentd Pods. If the Pods do not redeploy, you can delete the Fluentd Pods to force them to redeploy.
$ oc delete pod --selector logging-infra=fluentd
