This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.
6.2. Forwarding logs using the syslog protocol
You can use the syslog protocol to send a copy of your logs to an external syslog server, instead of the default Elasticsearch log store. Note the following about this syslog protocol:
- uses syslog protocol (RFC 3164), not RFC 5424;
- does not support TLS and thus is not secure;
- does not provide Kubernetes metadata, systemd data, or other metadata.
This method for forwarding logs is deprecated in OpenShift Container Platform and will be replaced by the Log Forwarding API in a future release.
There are two versions of the syslog protocol:
- out_syslog: The non-buffered implementation, which communicates through UDP, does not buffer data and writes out results immediately.
- out_syslog_buffered: The buffered implementation, which communicates through TCP, buffers data into chunks.
To configure log forwarding using the syslog protocol, create a configuration file, called syslog.conf, with the information needed to forward the logs. Then use that file to create a ConfigMap called syslog in the openshift-logging namespace, which OpenShift Container Platform uses when forwarding the logs. You are responsible for configuring your syslog server to receive the logs from OpenShift Container Platform.
Starting with OpenShift Container Platform 4.3, the process for using the syslog protocol has changed. You now need to create a ConfigMap, as described below.
You can forward logs to multiple syslog servers by specifying separate <store> stanzas in the configuration file.
Sample syslog.conf
- 1: The syslog protocol, either: syslog or syslog_buffered.
- 2: The fully qualified domain name (FQDN) or IP address of the syslog server.
- 3: The port number to connect on. Defaults to 514.
- 4: The name of the syslog server.
- 5: Removes the prefix from the tag. Defaults to '' (empty).
- 6: The field to set the syslog key.
- 7: The syslog log facility or source.
- 8: The syslog log severity.
- 9: Determines whether to use the severity and facility from the record if available.
- 10: Optional. The key to set the payload of the syslog message. Defaults to message.
Note: Configuring the payload_key parameter prevents other parameters from being forwarded to the syslog.
Sample syslog ConfigMap based on the sample syslog.conf
Procedure
To configure OpenShift Container Platform to forward logs using the syslog protocol:
Create a configuration file named syslog.conf that contains the following parameters within the <store> stanza:
Specify the syslog protocol type:
@type syslog_buffered
- 1: Specify the protocol to use, either: syslog or syslog_buffered.
Configure the name, host, and port for your external syslog server:
remote_syslog <remote>
port <number>
hostname <name>
For example:
Example output
remote_syslog syslogserver.openshift-logging.svc.cluster.local
port 514
hostname fluentd-server
Configure the other syslog variables as needed:
- 1: Add this parameter to remove the tag field from the syslog prefix.
- 2: Specify the field to set the syslog key.
- 3: Specify the syslog log facility or source. For values, see RFC 3164.
- 4: Specify the syslog log severity. For values, see RFC 3164.
- 5: Specify true to use the severity and facility from the record if available. If true, the container_name, namespace_name, and pod_name are included in the output content.
- 6: Specify the key to set the payload of the syslog message. Defaults to message.
Example output
facility local0
severity info
The configuration file appears similar to the following:
Create a ConfigMap named syslog in the openshift-logging namespace from the configuration file:
$ oc create configmap syslog --from-file=syslog.conf -n openshift-logging
The Cluster Logging Operator redeploys the Fluentd Pods. If the Pods do not redeploy, you can delete the Fluentd Pods to force them to redeploy.
$ oc delete pod --selector logging-infra=fluentd
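
A pre-flight check for syslog.conf, to run before creating the ConfigMap. It is an added example, not part of the original documentation or the product: it parses each <store> stanza, checks the parameters named in the procedure above, and computes the RFC 3164 PRI value (facility × 8 + severity) that the receiving syslog server should see. The function names, the keyword tables and the sample stanzas are assumptions made for this example.

```python
import re

# Conventional keywords for RFC 3164 codes; facilities 12-15 omitted (names vary).
FACILITIES = {n: i for i, n in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split())}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {n: i for i, n in enumerate("emerg alert crit err warning notice info debug".split())}

def parse_stores(text):
    """Return one {parameter: value} dict per <store> stanza ('#' starts a comment)."""
    def params(body):
        pairs = (ln.split("#", 1)[0].split(None, 1) for ln in body.splitlines())
        return {kv[0]: kv[1].strip() if len(kv) > 1 else "" for kv in pairs if kv}
    return [params(b) for b in re.findall(r"<store>(.*?)</store>", text, re.S)]

def check_store(p):
    """Return (findings, pri); pri is the RFC 3164 PRI value, or None if unknown."""
    findings = []
    if p.get("@type") not in ("syslog", "syslog_buffered"):
        findings.append("error: @type must be syslog or syslog_buffered")
    if not p.get("remote_syslog"):
        findings.append("error: remote_syslog (server FQDN or IP) is missing")
    codes = {}
    for key, table in (("facility", FACILITIES), ("severity", SEVERITIES)):
        codes[key] = table.get(p.get(key))
        if key in p and codes[key] is None:
            findings.append(f"error: unknown {key} {p[key]}")
    if "payload_key" in p:
        findings.append("warning: payload_key set, other parameters are not forwarded")
    pri = None if None in codes.values() else codes["facility"] * 8 + codes["severity"]
    return findings, pri

# Constructed input: stanza 1 uses the page's example values, stanza 2 is wrong on purpose.
SAMPLE = """<store>
@type syslog_buffered
remote_syslog syslogserver.openshift-logging.svc.cluster.local
hostname fluentd-server
facility local0
severity info
</store>
<store>
@type sylog_buffered
facility local9
payload_key message
</store>"""

if __name__ == "__main__":
    for n, store in enumerate(parse_stores(SAMPLE), 1):
        print(n, check_store(store))
```

A PRI of 134 for the first stanza corresponds to facility local0 (16) and severity info (6), which is what the receiving server should record for forwarded messages.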