6.2. Forwarding logs using the syslog protocol

You can use the syslog protocol to send a copy of your logs to an external syslog server, instead of the default Elasticsearch log store. Note the following about this syslog protocol:

  • uses syslog protocol (RFC 3164), not RFC 5424;
  • does not support TLS and thus, is not secure;
  • does not provide Kubernetes metadata, systemd data, or other metadata.
注意

This method for forwarding logs is deprecated in OpenShift Container Platform and will be replaced by the Log Forwarding API in a future release.

There are two versions of the syslog protocol:

  • out_syslog: The non-buffered implementation, which communicates through UDP, does not buffer data and writes out results immediately.
  • out_syslog_buffered: The buffered implementation, which communicates through TCP, buffers data into chunks.

To configure log forwarding using the syslog protocol, create a configuration file, called syslog.conf, with the information needed to forward the logs. Then use that file to create a ConfigMap called syslog in the openshift-logging namespace, which OpenShift Container Platform uses when forwarding the logs. You are responsible to configure your syslog server to receive the logs from OpenShift Container Platform.

重要

Starting with the OpenShift Container Platform 4.3, the process for using the syslog protocol has changed. You now need to create a ConfigMap, as described below.

You can forward logs to multiple syslog servers by specifying separate <store> stanzas in the configuration file.

Sample syslog.conf

<store>
@type syslog_buffered 1
remote_syslog rsyslogserver.openshift-logging.svc.cluster.local 2
port 514 3
hostname ${hostname} 4
remove_tag_prefix tag 5
tag_key ident,systemd.u.SYSLOG_IDENTIFIER 6
facility local0 7
severity info 8
use_record true 9
payload_key message 10
</store>

1
The syslog protocol, either: syslog or syslog_buffered.
2
The fully qualified domain name (FQDN) or IP address of the syslog server.
3
The port number to connect on. Defaults to 514.
4
The name of the syslog server.
5
Removes the prefix from the tag. Defaults to '' (empty).
6
The field to set the syslog key.
7
The syslog log facility or source.
8
The syslog log severity.
9
Determines whether to use the severity and facility from the record if available.
10
Optional. The key to set the payload of the syslog message. Defaults to message.
注意

Configuring the payload_key parameter prevents other parameters from being forwarded to the syslog.

Sample syslog ConfigMap based on the sample syslog.conf

kind: ConfigMap
apiVersion: v1
metadata:
  name: syslog
  namespace: openshift-logging
data:
  syslog.conf: |
    <store>
     @type syslog_buffered
     remote_syslog syslogserver.openshift-logging.svc.cluster.local
     port 514
     hostname ${hostname}
     remove_tag_prefix tag
     tag_key ident,systemd.u.SYSLOG_IDENTIFIER
     facility local0
     severity info
     use_record true
     payload_key message
    </store>

Procedure

To configure OpenShift Container Platform to forward logs using the syslog protocol:

  1. Create a configuration file named syslog.conf that contains the following parameters within the <store> stanza:

    1. Specify the syslog protocol type: 

      @type syslog_buffered 1
      1
      Specify the protocol to use, either: syslog or syslog_buffered.

    2. Configure the name, host, and port for your external syslog server: 

      remote_syslog <remote> 1
port <number> 2
hostname <name> 3
      1
      Specify the FQDN or IP address of the syslog server.
      2
      Specify the port of the syslog server.
      3
      Specify a name for this syslog server.

      For example:

      Example output

      remote_syslog syslogserver.openshift-logging.svc.cluster.local
port 514
hostname fluentd-server

    3. Configure the other syslog variables as needed: 

      remove_tag_prefix 1
tag_key <key> 2
facility <value>  3
severity <value>  4
use_record <value> 5
payload_key message 6
      1
      Add this parameter to remove the tag field from the syslog prefix.
      2
      Specify the field to set the syslog key.
      3
      Specify the syslog log facility or source. For values, see RTF 3164.
      4
      Specify the syslog log severity. For values, see link:RTF 3164.
      5
      Specify true to use the severity and facility from the record if available. If true, the container_name, namespace_name, and pod_name are included in the output content.
      6
      Specify the key to set the payload of the syslog message. Defaults to message.

      Example output

      facility local0
severity info

      The configuration file appears similar to the following: 

      <store>
@type syslog_buffered
remote_syslog syslogserver.openshift-logging.svc.cluster.local
port 514
hostname ${hostname}
tag_key ident,systemd.u.SYSLOG_IDENTIFIER
facility local0
severity info
use_record false
</store>

  2. Create a ConfigMap named syslog in the openshift-logging namespace from the configuration file: 

    $ oc create configmap syslog --from-file=syslog.conf -n openshift-logging

    The Cluster Logging Operator redeploys the Fluentd Pods. If the Pods do not redeploy, you can delete the Fluentd Pods to force them to redeploy. 

    $ oc delete pod --selector logging-infra=fluentd