Start your 14-day free trial today & Get 20% Off All Annual Managed ELK Plans
No Credit Card Required
Try Logit.io FreeAlready have an account? Sign In
HAProxy
Ship logs from HAProxy to logstash
Configure Filebeat to ship logs from HAProxy to Logstash and Elasticsearch.
Step 1 - Install Filebeat
deb (Debian/Ubuntu/Mint)
curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.8.1-amd64.deb
sudo dpkg -i -oss-7.8.1-amd64.deb
rpm (CentOS/RHEL/Fedora)
curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.8.1-x86_64.rpm
sudo rpm -vi -oss-7.8.1-x86_64.rpm
macOS
curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.8.1-darwin-x86_64.tar.gz
tar xzvf -oss-7.8.1-darwin-x86_64.tar.gz
Windows
- Download the Windows zip file from the official downloads page.
- Extract the contents of the zip file into C:\Program Files.
- Rename the
-<version>-windowsdirectory to ``. - Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
- Run the following commands to install as a Windows service:
cd 'C:\Program Files\'
.\install-service-.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-.ps1.
Step 2 - Setup HAProxy Configuration
deb (Debian/Ubuntu)
HAProxy generates logs in syslog format, on debian and ubuntu the haproxy package contains the required syslog configuration to generate a haproxy.log file which we will then monitor using filebeat. Confirm the existance of /etc/rsyslog.d/49-haproxy.conf and /var/log/haproxy.log If you've recently installed haproxy you may need to restart rsyslog to get additional haproxy config file loaded.
rpm (Centos/RHEL)
The RPM haproxy default configuration sends it's logs to a syslog daemon listening on localhost via UDP. We need to configure rsyslog to listen on localhost and write a haproxy.log file which we will then monitor using filebeat. Run the following lines of command and then restart rsyslog.
echo '#Rsyslog configuration to listen on localhost for HAProxy log messages
#and write them to /var/log/haproxy.log
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
local2.* /var/log/haproxy.log' | sudo tee /etc/rsyslog.d/haproxy.conf
sudo systemctl restart rsyslog
There are several built in filebeat modules you can use. You will need to enable the haproxy module. deb/rpm_
sudo filebeat modules list
sudo filebeat modules enable haproxy
macOS
cd <EXTRACTED_ARCHIVE>
./filebeat modules list
./filebeat modules enable haproxy
Windows
cd <EXTRACTED_ARCHIVE>
.\filebeat.exe modules list
.\filebeat.exe modules enable haproxy
Additional module configuration can be done using the per module config files located in the modules.d folder, for haproxy we want to configure the haproxy module to read from file, uncomment and edit the var.input line to say
var.input: file
deb/rpm /etc/filebeat/modules.d/haproxy.yml
mac/win <EXTRACTED_ARCHIVE>/modules.d/haproxy.yml
Step 3 - Confirm the Logging
Confirm the haproxy log file contains entries to process.
tail /var/log/haproxy.log
Should return the last 10 entries in the file, if you get nothing back or file not found, check haproxy is running and if rsyslog needs reloading.
Step 4 - Locate Configuration File
deb/rpm /etc/filebeat/filebeat.yml
Step 5 - Configure Output
We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.
## Comment out elasticsearch output
#output.elasticsearch:
# hosts: ["localhost:9200"]
Step 6 - Validate configuration
Let's check the configuration file is syntactically correct by running directly inside the terminal.
If the file is invalid, will print an error loading config file error message with details on how to correct the problem.
deb/rpm
sudo -e -c /etc//.yml
macOS
cd <EXTRACTED_ARCHIVE>
./ -e -c .yml
Windows
cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml
Step 7 - (Optional) Update Logstash Filters
All Logit.io stacks come pre-configured with popular Logstash filters. We would recommend that you add HAProxy specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.
Edit your Logstash filters by choosing Stack > Settings > Logstash Filters
if [fileset][module] == "haproxy" {
grok {
match => {
"message" => [
"%{HAPROXY_DATE:[haproxy][request_date]} %{IPORHOST:[haproxy][source]} %{PROG:[haproxy][process_name]}(?:\[%{POSINT:[haproxy][pid]}\])?: %{GREEDYDATA} %{IPORHOST:[haproxy][client][ip]}:%{POSINT:[haproxy][client][port]} %{WORD} %{IPORHOST:[haproxy][destination][ip]}:%{POSINT:[haproxy][destination][port]} \(%{WORD:[haproxy][frontend_name]}/%{WORD:[haproxy][mode]}\)",
"(%{NOTSPACE:[haproxy][process_name]}\[%{NUMBER:[haproxy][pid:int}\]: )?%{IP:[haproxy][client][ip]}:%{NUMBER:[haproxy][client][port:int} \[%{NOTSPACE:[haproxy][request_date]}\] %{NOTSPACE:[haproxy][frontend_name]} %{NOTSPACE:[haproxy][backend_name]}/%{NOTSPACE:[haproxy][server_name]} %{NUMBER:[haproxy][http][request][time_wait_ms:int}/%{NUMBER:[haproxy][total_waiting_time_ms:int}/%{NUMBER:[haproxy][connection_wait_time_ms:int}/%{NUMBER:[haproxy][http][request][time_wait_without_data_ms:int}/%{NUMBER:[haproxy][http][request][time_active_ms:int} %{NUMBER:[haproxy][http][response][status_code:int} %{NUMBER:[haproxy][bytes_read:int} %{NOTSPACE:[haproxy][http][request][captured_cookie]} %{NOTSPACE:[haproxy][http][response][captured_cookie]} %{NOTSPACE:[haproxy][termination_state]} %{NUMBER:[haproxy][connections][active:int}/%{NUMBER:[haproxy][connections][frontend:int}/%{NUMBER:[haproxy][connections][backend:int}/%{NUMBER:[haproxy][connections][server:int}/%{NUMBER:[haproxy][connections][retries:int} %{NUMBER:[haproxy][server_queue:int}/%{NUMBER:[haproxy][backend_queue:int} (\{%{DATA:[haproxy][http][request][captured_headers]}\} \{%{DATA:[haproxy][http][response][captured_headers]}\} |\{%{DATA}\} )?\"%{GREEDYDATA:[haproxy][http][request][raw_request_line]}\"",
"(%{NOTSPACE:[haproxy][process_name]}\[%{NUMBER:[haproxy][pid:int}\]: )?%{IP:[haproxy][client][ip]}:%{NUMBER:[haproxy][client][port:int} \[%{NOTSPACE:[haproxy][request_date]}\] %{NOTSPACE:[haproxy][frontend_name]}/%{NOTSPACE:[haproxy][bind_name]} %{GREEDYDATA:[haproxy][error_message]}",
"%{HAPROXY_DATE} %{IPORHOST:[haproxy][source]} (%{NOTSPACE:[haproxy][process_name]}\[%{NUMBER:[haproxy][pid:int}\]: )?%{IP:[haproxy][client][ip]}:%{NUMBER:[haproxy][client][port:int} \[%{NOTSPACE:[haproxy][request_date]}\] %{NOTSPACE:[haproxy][frontend_name]} %{NOTSPACE:[haproxy][backend_name]}/%{NOTSPACE:[haproxy][server_name]} %{NUMBER:[haproxy][total_waiting_time_ms:int}/%{NUMBER:[haproxy][connection_wait_time_ms:int}/%{NUMBER:[haproxy][tcp][processing_time_ms:int} %{NUMBER:[haproxy][bytes_read:int} %{NOTSPACE:[haproxy][termination_state]} %{NUMBER:[haproxy][connections][active:int}/%{NUMBER:[haproxy][connections][frontend:int}/%{NUMBER:[haproxy][connections][backend:int}/%{NUMBER:[haproxy][connections][server:int}/%{NUMBER:[haproxy][connections][retries:int} %{NUMBER:[haproxy][server_queue:int}/%{NUMBER:[haproxy][backend_queue:int}"
]
}
pattern_definitions => {
"HAPROXY_DATE" => "(%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP}"
}
}
date {
match => [
"[haproxy][request_date]",
"dd/MMM/yyyy:HH:mm:ss.SSS",
"dd/MMM/yyyy:HH:mm:ss",
"MMM dd HH:mm:ss"
]
target => "@timestamp"
}
geoip {
source => "[haproxy][client][ip]"
target => "[haproxy][geoip]"
}
}
Step 8 - Start filebeat
Ok, time to start ingesting data!
deb/rpm
sudo systemctl enable filebeat
sudo systemctl start filebeat
Step 9 - HAproxy Logs Overview
HAProxy (High Availability Proxy) is an open-source software load balancer for proxying HTTP & TCP based applications. As the tool offers high availability by default it is well suited for high traffic websites.
HAProxy is the de-facto proxy server powering many of the web’s most popular sites & is often the default deployment in most cloud platforms. For most Linux distributions it is the reference load-balancer recommended for container orchestration (E.G Kubernetes).
HAProxy logs hold data on HTTP queries, error codes & how long the request took to send, if it was queued and how long for, how long the TCP connection took to establish, as well as information on response size and cookies, among other valuable insights for reporting & security. These logs can be difficult to process for analysis at scale & so a log analyser will likely be required to process HAProxy logs efficiently.
Requests & traffic for HTTP & TCP based applications are spread across multiple servers when HAProxy is used. The proxy is well known for its flexibility & the tool’s logs can be used in a log management solution such as Logit.io for easy identification of critical issues within an application.
The Logit.io platform offers a complete solution for centralising your log files from multiple applications and servers and provides a HAProxy log analyser as standard. You can also use our Kibana integrations to visualise key server metrics from both frontend and backend applications for fast error resolution & troubleshooting.
Followed our HAProxy log configuration guide and are still encountering issues? We're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.
