You can use the syslog protocol to send a copy of your logs to an external syslog server, instead of the default Elasticsearch log store. Note the following about this syslog protocol:
- It uses the syslog protocol defined in RFC 3164, not RFC 5424.
- It does not support TLS and is therefore not secure: log data is sent in cleartext and the receiving server cannot verify who sent it.
- It does not provide Kubernetes metadata, systemd data, or other metadata.

Note: This method for forwarding logs is deprecated in OpenShift Container Platform and will be replaced by the Log Forwarding API in a future release.

There are two versions of the syslog protocol:
- out_syslog: The non-buffered implementation, which communicates through UDP. It does not buffer data and writes out results immediately, with no delivery guarantee.
- out_syslog_buffered: The buffered implementation, which communicates through TCP and buffers data into chunks before sending.

To configure log forwarding using the syslog protocol, create a configuration file called syslog.conf with the information needed to forward the logs. Then use that file to create a ConfigMap called syslog in the openshift-logging namespace, which OpenShift Container Platform uses when forwarding the logs. You are responsible for configuring your syslog server to receive the logs from OpenShift Container Platform.

Note: Starting with OpenShift Container Platform 4.3, the process for using the syslog protocol has changed. You now need to create a ConfigMap, as described below.

You can forward logs to multiple syslog servers by specifying separate <store> stanzas in the configuration file.
Sample syslog.conf

  <store>
    @type syslog_buffered (1)
    remote_syslog rsyslogserver.openshift-logging.svc.cluster.local (2)
    port 514 (3)
    hostname ${hostname} (4)
    remove_tag_prefix tag (5)
    tag_key ident,systemd.u.SYSLOG_IDENTIFIER (6)
    facility local0 (7)
    severity info (8)
    use_record true (9)
    payload_key message (10)
  </store>

(1) The syslog protocol, either syslog or syslog_buffered.
(2) The fully qualified domain name (FQDN) or IP address of the syslog server.
(3) The port number to connect on. Defaults to 514.
(4) The name of the syslog server.
(5) Removes the prefix from the tag. Defaults to '' (empty).
(6) The field to set the syslog key.
(7) The syslog log facility or source.
(8) The syslog log severity.
(9) Determines whether to use the severity and facility from the record if available.
(10) Optional. The key to set the payload of the syslog message. Defaults to message. Configuring the payload_key parameter prevents other parameters from being forwarded to the syslog server.
Sample syslog ConfigMap based on the sample syslog.conf

  kind: ConfigMap
  apiVersion: v1
  metadata:
    name: syslog
    namespace: openshift-logging
  data:
    syslog.conf: |
      <store>
        @type syslog_buffered
        remote_syslog syslogserver.openshift-logging.svc.cluster.local
        port 514
        hostname ${hostname}
        remove_tag_prefix tag
        tag_key ident,systemd.u.SYSLOG_IDENTIFIER
        facility local0
        severity info
        use_record true
        payload_key message
      </store>
Procedure

To configure OpenShift Container Platform to forward logs using the syslog protocol:

- Create a configuration file named syslog.conf that contains the following parameters within the <store> stanza:

  - Specify the syslog protocol type:

      @type syslog_buffered (1)

    (1) Specify the protocol to use, either syslog or syslog_buffered.

  - Configure the name, host, and port for your external syslog server:

      remote_syslog <remote> (1)
      port <number> (2)
      hostname <name> (3)

    (1) Specify the FQDN or IP address of the syslog server.
    (2) Specify the port of the syslog server.
    (3) Specify a name for this syslog server.

    Example output

      remote_syslog syslogserver.openshift-logging.svc.cluster.local
      port 514
      hostname fluentd-server

  - Configure the other syslog variables as needed:

      remove_tag_prefix (1)
      tag_key <key> (2)
      facility <value> (3)
      severity <value> (4)
      use_record <value> (5)
      payload_key message (6)
    (1) Add this parameter to remove the tag field from the syslog prefix.
    (2) Specify the field to set the syslog key.
    (3) Specify the syslog log facility or source. For values, see RFC 3164.
    (4) Specify the syslog log severity. For values, see RFC 3164.
    (5) Specify true to use the severity and facility from the record if available. If true, the container_name, namespace_name, and pod_name are included in the output content.
    (6) Specify the key to set the payload of the syslog message. Defaults to message.

    Example output

      facility local0
      severity info

  The configuration file appears similar to the following:

    <store>
      @type syslog_buffered
      remote_syslog syslogserver.openshift-logging.svc.cluster.local
      port 514
      hostname ${hostname}
      tag_key ident,systemd.u.SYSLOG_IDENTIFIER
      facility local0
      severity info
      use_record false
    </store>

- Create a ConfigMap named syslog in the openshift-logging namespace from the configuration file:

    $ oc create configmap syslog --from-file=syslog.conf -n openshift-logging

  The Cluster Logging Operator redeploys the Fluentd Pods. If the Pods do not redeploy, you can delete the Fluentd Pods to force them to redeploy:

    $ oc delete pod --selector logging-infra=fluentd
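As an added illustration, not part of the OpenShift documentation or of the Fluentd syslog plugin's own code, the following Python models how the facility, severity, use_record, tag_key and payload_key settings from the sample syslog.conf and the procedure above shape an RFC 3164 line, and parses a line back so that a receiving side can validate the PRI value. It assumes the plugin fills the HOSTNAME field from the hostname setting, tries the comma-separated tag_key fields in order, and reads a dotted key such as systemd.u.SYSLOG_IDENTIFIER as a flat record key; these are modelling assumptions, not verified plugin behaviour.

```python
import re

# RFC 3164 section 4.1.1 numeric codes; only the values relevant here are listed.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "syslog": 5, "local0": 16,
              "local1": 17, "local2": 18, "local3": 19, "local4": 20,
              "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
# <PRI>TIMESTAMP HOSTNAME TAG: MSG  (RFC 3164 header layout)
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local0/info from the sample gives 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def encode(record: dict, cfg: dict, timestamp: str) -> str:
    """Render one Fluentd record as an RFC 3164 line using syslog.conf settings.
    Assumed mapping of the settings, not the plugin's verified wire format."""
    facility, severity = cfg["facility"], cfg["severity"]
    if str(cfg.get("use_record", "false")).lower() == "true":
        # use_record true: facility/severity carried in the record take precedence
        facility = record.get("facility", facility)
        severity = record.get("severity", severity)
    # tag_key: first listed field present in the record becomes the TAG
    tag = next((record[k] for k in cfg["tag_key"].split(",") if k in record), "fluentd")
    payload = record.get(cfg.get("payload_key", "message"), "")
    return f"<{pri(facility, severity)}>{timestamp} {cfg['hostname']} {tag}: {payload}"


def decode(line: str) -> dict:
    """Parse a received line; rejects a malformed header or an out-of-range PRI.
    Nothing here authenticates the sender: RFC 3164 without TLS carries no proof of origin."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line")
    p = int(m.group(1))
    if p > 191:  # max facility 23 * 8 + max severity 7
        raise ValueError("PRI out of range")
    return {"facility": p // 8, "severity": p % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "message": m.group(5)}


# Constructed sample: settings from the page's sample syslog.conf, one record.
SAMPLE_CFG = {"facility": "local0", "severity": "info", "use_record": "true",
              "tag_key": "ident,systemd.u.SYSLOG_IDENTIFIER",
              "payload_key": "message", "hostname": "fluentd-server"}
SAMPLE_RECORD = {"message": "pod started", "severity": "err",
                 "systemd.u.SYSLOG_IDENTIFIER": "kubelet"}
```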