Setup HAProxy Configuration

deb (Debian/Ubuntu)

HAProxy generates logs in syslog format, on debian and ubuntu the haproxy package contains the required syslog configuration to generate a haproxy.log file which we will then monitor using filebeat.

Confirm the existance of /etc/rsyslog.d/49-haproxy.conf and /var/log/haproxy.log

If you've recently installed haproxy you may need to restart rsyslog to get additional haproxy config file loaded.

rpm (Centos/RHEL)

The RPM haproxy default configuration sends it's logs to a syslog daemon listening on localhost via UDP. We need to configure rsyslog to listen on localhost and write a haproxy.log file which we will then monitor using filebeat.

echo "#Rsyslog configuration to listen on localhost for HAProxy log messages 
#and write them to /var/log/haproxy.log
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1

local2.*    /var/log/haproxy.log" | sudo tee /etc/rsyslog.d/haproxy.conf

sudo systemctl restart rsyslog

Confirm the logging

Confirm the haproxy log file contains entries to process.

tail /var/log/haproxy.log

Should return the last 10 entries in the file, if you get nothing back or file not found, check haproxy is running and if rsyslog needs reloading.

Install filebeat

deb (Debian/Ubuntu/Mint)

sudo apt-get install apt-transport-https
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo 'deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main' | sudo tee /etc/apt/sources.list.d/beats.list

sudo apt-get update && sudo apt-get install filebeat-oss

rpm (CentOS/RHEL/Fedora)

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

sudo yum install filebeat-oss

Configure filebeat

The filebeat config file should be located at

/etc/filebeat/filebeat.yml
  1. Line 28: You should find the paths that filebeat will monitor, add the haproxy.log
# Paths that should be crawled and fetched. Glob based paths.
paths:
   - /var/log/haproxy.log

Be careful not to specify the same file twice if you are adding multiple paths.

  1. Line 143: Comment out the output.elasticsearch section.
#output.elasticsearch:
#  # Array of hosts to connect to.
#  hosts: ["localhost:9200"]
  1. Line 153: Add in the details for your stack.
output.logstash:
    # The Logstash hosts
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true
  1. Save and close the file.

Start Logging

Start filebeat (starting filebeat using this method will display live activity inside the terminal. It will also display any validation errors found in the YAML file):

sudo filebeat -e -c /etc/filebeat/filebeat.yml

Any logs found inside the previously specified directory will be harvested by filebeat (this activity will be displayed in the terminal) and logged to logstash.

You can also start the service without using the filebeat command but this will not display the activity in the terminal:

sudo systemctl enable filebeat
sudo systemctl start filebeat