HAProxy
Ship logs from HAProxy to logstash
Step 1 - Setup HAProxy Configuration
deb (Debian/Ubuntu)
HAProxy generates logs in syslog format, on debian and ubuntu the haproxy package contains the required syslog configuration to generate a haproxy.log file which we will then monitor using filebeat.
Confirm the existance of /etc/rsyslog.d/49-haproxy.conf and /var/log/haproxy.log
If you've recently installed haproxy you may need to restart rsyslog to get additional haproxy config file loaded.
rpm (Centos/RHEL)
The RPM haproxy default configuration sends it's logs to a syslog daemon listening on localhost via UDP. We need to configure rsyslog to listen on localhost and write a haproxy.log file which we will then monitor using filebeat.
echo "#Rsyslog configuration to listen on localhost for HAProxy log messages
#and write them to /var/log/haproxy.log
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
local2.* /var/log/haproxy.log" | sudo tee /etc/rsyslog.d/haproxy.conf
sudo systemctl restart rsyslog
Step 2 - Confirm the logging
Confirm the haproxy log file contains entries to process.
tail /var/log/haproxy.log
Should return the last 10 entries in the file, if you get nothing back or file not found, check haproxy is running and if rsyslog needs reloading.
Step 3 - Install filebeat
deb (Debian/Ubuntu/Mint)
sudo apt-get install apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo 'deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main' | sudo tee /etc/apt/sources.list.d/beats.list
sudo apt-get update && sudo apt-get install filebeat-oss
rpm (CentOS/RHEL/Fedora)
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo
sudo yum install filebeat-oss
Step 4 - Configure filebeat
The filebeat config file should be located at
/etc/filebeat/filebeat.yml
- Line 28: You should find the paths that filebeat will monitor, add the haproxy.log
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/haproxy.log
Be careful not to specify the same file twice if you are adding multiple paths.
- Line 143: Comment out the output.elasticsearch section.
#output.elasticsearch:
# # Array of hosts to connect to.
# hosts: ["localhost:9200"]
- Line 153: Add in the details for your stack.
output.logstash:
# The Logstash hosts
hosts: ["your-logstash-host:your-port"]
loadbalance: true
ssl.enabled: true
- Save and close the file.
Step 5 - Start Logging
Start filebeat (starting filebeat using this method will display live activity inside the terminal. It will also display any validation errors found in the YAML file):
sudo filebeat -e -c /etc/filebeat/filebeat.yml
Any logs found inside the previously specified directory will be harvested by filebeat (this activity will be displayed in the terminal) and logged to logstash.
You can also start the service without using the filebeat command but this will not
display the activity in the terminal:
sudo systemctl enable filebeat
sudo systemctl start filebeat