Vector vs. Fluentd message format incompatibility when forwarding logs to syslog in RHOL 6

Solution Verified - Updated -

Issue

  • The format of log messages forwarded to syslog differs between Vector and Fluentd: Vector quotes the message value, while Fluentd emits it without quotes.
  • After migrating from Fluentd to Vector, the third-party integrity tool that parses the logs received by the syslog server is broken because the message field is quoted.

  • Vector message is surrounded with quotes:

    "message":"{'event type': 'Logging Configuration Change', 'userName': 'TE Test', 'event': 'test log event', 'log_type': 'openshift_audit'}"
    
  • Fluentd message is not surrounded with quotes:

    "message": {'event type': 'Logging Configuration Change', 'userName': 'TE Test', 'event': 'test log event', 'log_type': 'openshift_audit'}
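
One way a receiving-side parser can accept both forms, as an added example that is not part of the original article and is not Red Hat's resolution. The function names and the outer braces around the sample records are assumptions; the message text is taken from the two samples above.

```python
import ast
import json

# Constructed records: message text from the article, outer braces assumed.
INNER = ("{'event type': 'Logging Configuration Change', 'userName': 'TE Test', "
         "'event': 'test log event', 'log_type': 'openshift_audit'}")
VECTOR_SAMPLE = '{"message":"' + INNER + '"}'    # value quoted
FLUENTD_SAMPLE = '{"message": ' + INNER + '}'    # value bare

def _balanced_braces(text):
    """Return the leading {...} span of text, ignoring braces inside quotes."""
    depth, quote, i = 0, None, 0
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\":
                i += 1                    # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[:i + 1]
        i += 1
    raise ValueError("unterminated message object")

def extract_message(payload):
    """Return the message field as a dict for either forwarder's output."""
    pos = payload.find('"message":')
    if pos < 0:
        raise ValueError("no message field")
    rest = payload[pos + len('"message":'):].lstrip()
    if rest.startswith('"'):              # Vector: JSON string wrapping the text
        inner, _ = json.JSONDecoder().raw_decode(rest)
    elif rest.startswith("{"):            # Fluentd: the text appears bare
        inner = _balanced_braces(rest)
    else:
        raise ValueError("unexpected message value")
    try:
        # literal_eval only builds literals, so log content is never executed.
        value = ast.literal_eval(inner)
    except (SyntaxError, ValueError) as exc:
        raise ValueError("message is not a dict literal") from exc
    if not isinstance(value, dict):
        raise ValueError("message is not a mapping")
    return value
```

A parser that raises on an unexpected shape, rather than skipping the record, makes a format change after a collector migration visible instead of silently dropping audit events.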
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4
  • Red Hat OpenShift Logging (RHOL)
    • 5.8.19 and higher
    • 5.9.12 and higher
    • 6
  • Fluentd
  • Vector
  • Configured with log forwarding to syslog
