The collectd() destination uses the unixsock plugin of the collectd application to send log messages to the collectd system statistics collection daemon. You must install and configure collectd separately before using this destination.
Available in syslog-ng OSE version
collectd();
destination d_collectd { collectd( socket("<path-to-collectd-socket>"), host("${HOST}"), plugin("${PROGRAM}"), type("<type-of-the-collected-metric>"), values("<metric-sent-to-collectd>"), ); };
The following example uses the name of the application sending the log message as the plugin name, and the value of the ${SEQNUM} macro as the value of the metric sent to collectd.
destination d_collectd { collectd( socket("/var/run/collectd-unixsock"), host("${HOST}"), plugin("${PROGRAM}"), type("gauge"), type_instance("seqnum"), values("${SEQNUM}"), ); };
To use the collectd() driver, the scl.conf file must be included in your syslog-ng OSE configuration:
@include "scl.conf"
The collectd() driver is actually a reusable configuration snippet configured to send log messages using the unix-stream() driver. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of this configuration snippet on GitHub.
The collectd() destination has the following options. The plugin() and type() options are required options. You can also set other options of the underlying unix-stream() driver (for example, socket buffer size).
Description: This option enables putting outgoing messages into the disk buffer of the destination to avoid message loss in case of a system failure on the destination side. It has the following options:
reliable() | |||
Type: | yes|no | ||
Default: | no | ||
Description: If set to yes, syslog-ng OSE cannot lose logs in case of reload/restart, unreachable destination or syslog-ng OSE crash. This solution provides a slower, but reliable disk-buffer option. It is created and initialized at startup and gradually grows as new messages arrive. If set to no, the normal disk-buffer will be used. This provides a faster, but less reliable disk-buffer option.
|
disk-buf-size() | |
Type: | number (bytes) |
Default: | |
Description: This is a required option. The maximum size of the disk-buffer in bytes. The minimum value is 1048576 bytes. If you set a smaller value, the minimum value will be used automatically. It replaces the old log-disk-fifo-size() option. |
mem-buf-length() | |
Type: | number (messages) |
Default: | 10000 |
Description: Use this option if the option reliable() is set to no. This option contains the number of messages stored in overflow queue. It replaces the old log-fifo-size() option. It inherits the value of the global log-fifo-size() option if provided. If it is not provided, the default value is 10000 messages. Note that this option will be ignored if the option reliable() is set to yes. |
mem-buf-size() | |
Type: | number (bytes) |
Default: | 163840000 |
Description: Use this option if the option reliable() is set to yes. This option contains the size of the messages in bytes that is used in the memory part of the disk buffer. It replaces the old log-fifo-size() option. It does not inherit the value of the global log-fifo-size() option, even if it is provided. Note that this option will be ignored if the option reliable() is set to no. |
qout-size() | |
Type: | number (messages) |
Default: | 64 |
Description: The number of messages stored in the output buffer of the destination. Note that if you change the value of this option and the disk-buffer already exists, the change will take effect when the disk-buffer becomes empty. |
Options reliable() and disk-buf-size() are required options.
In the following case reliable disk-buffer() is used.
destination d_demo { network( "127.0.0.1" port(3333) disk-buffer( mem-buf-size(10000) disk-buf-size(2000000) reliable(yes) dir("/tmp/disk-buffer") ) ); };
In the following case normal disk-buffer() is used.
destination d_demo { network( "127.0.0.1" port(3333) disk-buffer( mem-buf-length(10000) disk-buf-size(2000000) reliable(no) dir("/tmp/disk-buffer") ) ); };
Type: | number |
Default: | Use global setting (exception: for http() destination, the default is 1). |
Description: Specifies how many lines are flushed to a destination at a time. The syslog-ng OSE application waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases throughput as more messages are sent in a single batch, but also increases message latency.
The syslog-ng OSE application flushes the messages if it has sent flush-lines() number of messages, or the queue became empty. If you stop or reload syslog-ng OSE or in case of network sources, the connection with the client is closed, syslog-ng OSE automatically sends the unsent messages to the destination.
For optimal performance when sending messages to an syslog-ng OSE server, make sure that the value of flush-lines() is smaller than the window size set in the log-iw-size() option in the source of your server.
Type: | number |
Default: | 0 |
Description: The syslog-ng application can store fractions of a second in the timestamps according to the ISO8601 format. The frac-digits() parameter specifies the number of digits stored. The digits storing the fractions are padded by zeros if the original timestamp of the message specifies only seconds. Fractions can always be stored for the time the message was received. Note that syslog-ng can add the fractions to non-ISO8601 timestamps as well.
Description: This option makes it possible to execute external programs when the relevant driver is initialized or torn down. The hook-commands() can be used with all source and destination drivers with the exception of the usertty() and internal() drivers.
NOTE: The syslog-ng OSE application must be able to start and restart the external program, and have the necessary permissions to do so. For example, if your host is running AppArmor or SELinux, you might have to modify your AppArmor or SELinux configuration to enable syslog-ng OSE to execute external applications.
To execute an external program when syslog-ng OSE starts or stops, use the following options:
startup() | |
Type: | string |
Default: | N/A |
Description: Defines the external program that is executed as syslog-ng OSE starts. |
shutdown() | |
Type: | string |
Default: | N/A |
Description: Defines the external program that is executed as syslog-ng OSE stops. |
To execute an external program when the syslog-ng OSE configuration is initiated or torn down, for example, on startup/shutdown or during a syslog-ng OSE reload, use the following options:
setup() | |
Type: | string |
Default: | N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is initiated, for example, on startup or during a syslog-ng OSE reload. |
teardown() | |
Type: | string |
Default: | N/A |
Description: Defines an external program that is executed when the syslog-ng OSE configuration is stopped or torn down, for example, on shutdown or during a syslog-ng OSE reload. |
In the following example, the hook-commands() is used with the network() driver and it opens an iptables port automatically as syslog-ng OSE is started/stopped.
The assumption in this example is that the LOGCHAIN chain is part of a larger ruleset that routes traffic to it. Whenever the syslog-ng OSE created rule is there, packets can flow, otherwise the port is closed.
source { network(transport(udp) hook-commands( startup("iptables -I LOGCHAIN 1 -p udp --dport 514 -j ACCEPT") shutdown("iptables -D LOGCHAIN 1") ) ); };
Type: | string, macro, or template |
Default: | ${HOST} |
Description: The hostname that is passed to collectd. By default, syslog-ng OSE uses the host from the log message as the hostname.
type("gauge"),
Type: | number |
Default: | Use global setting. |
Description: The number of messages that the output queue can store.
Type: | yes or no |
Default: | yes |
Description: Specifies whether connections to destinations should be closed when syslog-ng is reloaded. Note that this applies to the client (destination) side of the syslog-ng connections, server-side (source) connections are always reopened after receiving a HUP signal unless the keep-alive option is enabled for the source.
Type: | string |
Default: |
Description: The name of the plugin that submits the data to collectd. For example:
plugin("${PROGRAM}"),
Type: | string |
Default: |
Description: The name of the plugin-instance that submits the data to collectd.
Type: | path |
Default: | /var/run/collectd-unixsock |
Description: The path to the socket of collectd. For details, see the collectd-unixsock(5) manual page.
type("gauge"),
Type: | yes or no |
Default: | no |
Description: This option controls the SO_BROADCAST socket option required to make syslog-ng send messages to a broadcast address. For details, see the socket(7) manual page.
Type: | yes or no |
Default: | no |
Description: Enables keep-alive messages, keeping the socket open. This only effects TCP and UNIX-stream sockets. For details, see the socket(7) manual page.
Type: | number |
Default: | 0 |
Description: Specifies the size of the socket receive buffer in bytes. For details, see the socket(7) manual page.
Type: | number |
Default: | 0 |
Description: Specifies the size of the socket send buffer in bytes. For details, see the socket(7) manual page.
Type: | seconds |
Default: | 0 (disabled) |
Description: If several identical log messages would be sent to the destination without any other messages between the identical messages (for example, an application repeated an error message ten times), syslog-ng can suppress the repeated messages and send the message only once, followed by the Last message repeated n times. message. The parameter of this option specifies the number of seconds syslog-ng waits for identical messages.
Type: | number |
Default: | 0 |
Description: Sets the maximum number of messages sent to the destination per second. Use this output-rate-limiting functionality only when using disk-buffer as well to avoid the risk of losing messages. Specifying 0 or a lower value sets the output limit to unlimited.
Type: | string or template |
Default: |
Description: Identifies the type and number of values passed to collectd. For details, see the types.db manual page. For example:
type("gauge"),
Type: | string, macro,or template |
Default: | U |
Description: Colon-separated list of the values to send to collectd. For example:
values("${SEQNUM}"),
|
Caution:
This destination is deprecated and will be removed from a future version of syslog-ng OSE. We recommend using the elasticsearch-http: Sending messages to Elasticsearch HTTP Bulk API destination instead. |
Starting with version
Note the following limitations when using the syslog-ng OSE elasticsearch2 destination:
This destination is only supported on the Linux platform.
Since syslog-ng OSE uses Java libraries, the elasticsearch2 destination has significant memory usage.
The log messages of the underlying client libraries are available in the internal() source of syslog-ng OSE.
@module mod-java @include "scl.conf" elasticsearch2( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") cluster("syslog-ng") );
The following example defines an elasticsearch2 destination that sends messages in transport mode to an Elasticsearch server running on the localhost, using only the required parameters.
@module mod-java @include "scl.conf" destination d_elastic { elasticsearch2( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") ); };
The following example sends 10000 messages in a batch, in transport mode, and includes a custom unique ID for each message.
@module mod-java @include "scl.conf" options { threaded(yes); use-uniqid(yes); }; source s_syslog { syslog(); }; destination d_elastic { elasticsearch2( index("syslog-ng_${YEAR}.${MONTH}.${DAY}") type("test") cluster("syslog-ng") client-mode("transport") custom-id("${UNIQID}") flush-limit("10000") ); }; log { source(s_syslog); destination(d_elastic); flags(flow-control); };
The following example send messages to Elasticsearch over HTTP using its REST API:
@include "scl.conf" source s_network { network(port(5555)); }; destination d_elastic { elasticsearch2( client-mode("http") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") ); }; log { source(s_network); destination(d_elastic); flags(flow-control); };
Verify the certificate of the Elasticsearch server and perform certificate authentication (this is actually a mutual, certificate-based authentication between the syslog-ng OSE client and the Elasticsearch server):
destination d_elastic { elasticsearch2( client-mode("https") cluster("es-syslog-ng") index("x201") cluster-url("http://192.168.33.10:9200") type("slng_test_type") flush-limit("0") http-auth-type("clientcert") java-keystore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-keystore-password("password-to-your-keystore") java-truststore-filepath("&lt;path-to-your-java-keystore&gt;.jks") java-truststore-password("password-to-your-keystore") ); };
To install the software required for the elasticsearch2 destination, see Prerequisites.
For details on how the elasticsearch2 destination works, see How syslog-ng OSE interacts with Elasticsearch.
For the list of options, see Elasticsearch2 destination options (DEPRECATED).
The elasticsearch2() driver is actually a reusable configuration snippet configured to receive log messages using the Java language-binding of syslog-ng OSE. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of the elasticsearch configuration snippet on GitHub. For details on extending syslog-ng OSE in Java, see the Getting started with syslog-ng development guide.
If you delete all Java destinations from your configuration and reload syslog-ng, the JVM is not used anymore, but it is still running. If you want to stop JVM, stop syslog-ng and then start syslog-ng again.
To send messages from syslog-ng OSE to Elasticsearch, complete the following steps.
Download and install the Java Runtime Environment (JRE), 2.x (or newer). The syslog-ng OSEelasticsearch2 destination is tested and supported when using the Oracle implementation of Java. Other implementations are untested and unsupported, they may or may not work as expected.
This step is only required if you use the elasticsearch2 destination in node mode or transport mode.
Download the Elasticsearch libraries (version 2.x or newer from the 2.x line) from https://www.elastic.co/downloads/elasticsearch.
This step is only required if you use the elasticsearch2 destination in node mode or transport mode.
Extract the Elasticsearch libraries into a temporary directory, then collect the various .jar files into a single directory (for example, /opt/elasticsearch/lib/) where syslog-ng OSE can access them. You must specify this directory in the syslog-ng OSE configuration file. The files are located in the lib directory and its subdirectories of the Elasticsearch release package.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center