HAProxy

Ship logs from HAProxy to logstash

1

Setup HAProxy Configuration

HAProxy is a network device, so it can only transmit log information via the syslog protocol. To configure HAProxy to ship logs to an ELK stack, you need to follow two steps. First, configure HAProxy's logging capabilities so that it can transmit the logs to a local rsyslog server. Then, you need to ship the logs from rsyslog to Logit.io.

global
   # will send it to the localhost on port 514 over UDP, we set the facility to 'local1'
   log 127.0.0.1:514 len 4096 local1

# HTTP Defaults
defaults HTTP
   # refer to the global log definition
   log global
   # disable logging of normal, successful connections
   option dontlog-normal
   mode http
   # Enable logging of HTTP request, session state and timers
   option httplog

listen INPUT_NAME_HTTP
   bind :PORT

   server SERVER_NAME SERVER_ADDRESS:PORT

# TCP Defaults
defaults TCP
   # refer to the global log definition
   log global
   # disable logging of normal, successful connections
   option dontlog-normal
   mode tcp
   # Enable advanced logging of TCP connections with session state and timers
   option tcplog

listen INPUT_NAME_TCP
   bind :PORT

   server SERVER_NAME SERVER_ADDRESS:PORT
2

Download SSL Certificate

Download star.logit.io.crt file and place in /etc/rsyslog.d/keys/ca.d/ or another directory

https://cdn.logit.io/star.logit.io.crt

3

RSyslog

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/star.logit.io.crt

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io

        
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
$ModLoad imudp
$UDPServerAddress 0.0.0.0 # listen on the localhost , protocol UDP
$UDPServerRun 514 # listen on port 514, protocol UDP
$KLogPermitNonKernelFacility on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog

# the logit.io syslog template,
$template HAProxyLogitFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [type=haproxy] %msg%\n"

# Send messages to Logit over TCP using the template.
*.* @@your-logstash-host:your-port;HAProxyLogitFormat

Notes

  • If possible run the latest minor versions of rsyslog v7 or v8. There are many TLS bugs in past versions.
  • Ensure you have @@ not a single @ infront of the host. This is so TCP is used.
Other sources
Start free trial