HAProxy

deb (Debian/Ubuntu/Mint)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-amd64.deb
sudo dpkg -i filebeat-oss-7.8.1-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-x86_64.rpm
sudo rpm -vi filebeat-oss-7.8.1-x86_64.rpm

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-darwin-x86_64.tar.gz
tar xzvf filebeat-oss-7.8.1-darwin-x86_64.tar.gz

Windows

• Download the filebeat Windows zip file from the official downloads page.
• Extract the contents of the zip file into C:\Program Files.
• Rename the filebeat-<version>-windows directory to filebeat.
• Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
• Run the following commands to install filebeat as a Windows service:

cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1

deb (Debian/Ubuntu)

HAProxy generates logs in syslog format, on debian and ubuntu the haproxy package contains the required syslog configuration to generate a haproxy.log file which we will then monitor using filebeat. Confirm the existance of /etc/rsyslog.d/49-haproxy.conf and /var/log/haproxy.log If you've recently installed haproxy you may need to restart rsyslog to get additional haproxy config file loaded.

rpm (Centos/RHEL)

The RPM haproxy default configuration sends it's logs to a syslog daemon listening on localhost via UDP. We need to configure rsyslog to listen on localhost and write a haproxy.log file which we will then monitor using filebeat. Run the following lines of command and then restart rsyslog.

echo '#Rsyslog configuration to listen on localhost for HAProxy log messages 
#and write them to /var/log/haproxy.log
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
local2.*    /var/log/haproxy.log' | sudo tee /etc/rsyslog.d/haproxy.conf

sudo systemctl restart rsyslog

There are several built in filebeat modules you can use. You will need to enable the haproxy module. _deb/rpm__

sudo filebeat modules list
sudo filebeat modules enable haproxy

macOS

cd <EXTRACTED_ARCHIVE>
./filebeat modules list
./filebeat modules enable haproxy

Windows

cd <EXTRACTED_ARCHIVE>
.\filebeat.exe modules list
.\filebeat.exe modules enable haproxy

Additional module configuration can be done using the per module config files located in the modules.d folder, for haproxy we want to configure the haproxy module to read from file, uncomment and edit the var.input line to say

var.input: file

deb/rpm /etc/filebeat/modules.d/haproxy.yml

mac/win <EXTRACTED_ARCHIVE>/modules.d/haproxy.yml

Confirm the haproxy log file contains entries to process.

tail /var/log/haproxy.log

Should return the last 10 entries in the file, if you get nothing back or file not found, check haproxy is running and if rsyslog needs reloading.

deb/rpm /etc/filebeat/filebeat.yml

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

Let's check the configuration file is syntactically correct by running filebeat directly inside the terminal. If the file is invalid, filebeat will print an error loading config file error message with details on how to correct the problem.

deb/rpm

sudo filebeat -e -c /etc/filebeat/filebeat.yml

macOS

cd <EXTRACTED_ARCHIVE>
./filebeat -e -c filebeat.yml

Windows

cd <EXTRACTED_ARCHIVE>
.\filebeat.exe -e -c filebeat.yml

All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add HAProxy specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "haproxy" {
  grok {
    match => {
      "message" => [
      "%{HAPROXY_DATE:[haproxy][request_date]} %{IPORHOST:[haproxy][source]} %{PROG:[haproxy][process_name]}(?:\[%{POSINT:[haproxy][pid]}\])?: %{GREEDYDATA} %{IPORHOST:[haproxy][client][ip]}:%{POSINT:[haproxy][client][port]} %{WORD} %{IPORHOST:[haproxy][destination][ip]}:%{POSINT:[haproxy][destination][port]} \(%{WORD:[haproxy][frontend_name]}/%{WORD:[haproxy][mode]}\)",
      "(%{NOTSPACE:[haproxy][process_name]}\[%{NUMBER:[haproxy][pid:int}\]: )?%{IP:[haproxy][client][ip]}:%{NUMBER:[haproxy][client][port:int} \[%{NOTSPACE:[haproxy][request_date]}\] %{NOTSPACE:[haproxy][frontend_name]} %{NOTSPACE:[haproxy][backend_name]}/%{NOTSPACE:[haproxy][server_name]} %{NUMBER:[haproxy][http][request][time_wait_ms:int}/%{NUMBER:[haproxy][total_waiting_time_ms:int}/%{NUMBER:[haproxy][connection_wait_time_ms:int}/%{NUMBER:[haproxy][http][request][time_wait_without_data_ms:int}/%{NUMBER:[haproxy][http][request][time_active_ms:int} %{NUMBER:[haproxy][http][response][status_code:int} %{NUMBER:[haproxy][bytes_read:int} %{NOTSPACE:[haproxy][http][request][captured_cookie]} %{NOTSPACE:[haproxy][http][response][captured_cookie]} %{NOTSPACE:[haproxy][termination_state]} %{NUMBER:[haproxy][connections][active:int}/%{NUMBER:[haproxy][connections][frontend:int}/%{NUMBER:[haproxy][connections][backend:int}/%{NUMBER:[haproxy][connections][server:int}/%{NUMBER:[haproxy][connections][retries:int} %{NUMBER:[haproxy][server_queue:int}/%{NUMBER:[haproxy][backend_queue:int} (\{%{DATA:[haproxy][http][request][captured_headers]}\} \{%{DATA:[haproxy][http][response][captured_headers]}\} |\{%{DATA}\} )?\"%{GREEDYDATA:[haproxy][http][request][raw_request_line]}\"",
      "(%{NOTSPACE:[haproxy][process_name]}\[%{NUMBER:[haproxy][pid:int}\]: )?%{IP:[haproxy][client][ip]}:%{NUMBER:[haproxy][client][port:int} \[%{NOTSPACE:[haproxy][request_date]}\] %{NOTSPACE:[haproxy][frontend_name]}/%{NOTSPACE:[haproxy][bind_name]} %{GREEDYDATA:[haproxy][error_message]}",
      "%{HAPROXY_DATE} %{IPORHOST:[haproxy][source]} (%{NOTSPACE:[haproxy][process_name]}\[%{NUMBER:[haproxy][pid:int}\]: )?%{IP:[haproxy][client][ip]}:%{NUMBER:[haproxy][client][port:int} \[%{NOTSPACE:[haproxy][request_date]}\] %{NOTSPACE:[haproxy][frontend_name]} %{NOTSPACE:[haproxy][backend_name]}/%{NOTSPACE:[haproxy][server_name]} %{NUMBER:[haproxy][total_waiting_time_ms:int}/%{NUMBER:[haproxy][connection_wait_time_ms:int}/%{NUMBER:[haproxy][tcp][processing_time_ms:int} %{NUMBER:[haproxy][bytes_read:int} %{NOTSPACE:[haproxy][termination_state]} %{NUMBER:[haproxy][connections][active:int}/%{NUMBER:[haproxy][connections][frontend:int}/%{NUMBER:[haproxy][connections][backend:int}/%{NUMBER:[haproxy][connections][server:int}/%{NUMBER:[haproxy][connections][retries:int} %{NUMBER:[haproxy][server_queue:int}/%{NUMBER:[haproxy][backend_queue:int}"
      ]
    }
    pattern_definitions => {
      "HAPROXY_DATE" => "(%{MONTHDAY}[/-]%{MONTH}[/-]%{YEAR}:%{HOUR}:%{MINUTE}:%{SECOND})|%{SYSLOGTIMESTAMP}"
      }
  }
  date {
    match => [
      "[haproxy][request_date]",
      "dd/MMM/yyyy:HH:mm:ss.SSS",
      "dd/MMM/yyyy:HH:mm:ss",
      "MMM dd HH:mm:ss"
    ]
    target => "@timestamp"
  }
  geoip {
    source => "[haproxy][client][ip]"
    target => "[haproxy][geoip]"
  }
}

Ok, time to start ingesting data!

deb/rpm

sudo systemctl enable filebeat
sudo systemctl start filebeat

HAProxy (High Availability Proxy) is an open-source software load balancer for proxying HTTP & TCP based applications. As the tool offers high availability by default it is well suited for high traffic websites.

HAProxy is the de-facto proxy server powering many of the web’s most popular sites & is often the default deployment in most cloud platforms. For most Linux distributions it is the reference load-balancer recommended for container orchestration (E.G Kubernetes).

HAProxy logs hold data on HTTP queries, error codes & how long the request took to send, if it was queued and how long for, how long the TCP connection took to establish, as well as information on response size and cookies, among other valuable insights for reporting & security. These logs can be difficult to process for analysis at scale & so a log analyser will likely be required to process HAProxy logs efficiently.

Requests & traffic for HTTP & TCP based applications are spread across multiple servers when HAProxy is used. The proxy is well known for its flexibility & the tool’s logs can be used in a log management solution such as Logit for easy identification of critical issues within an application.

The Logit platform offers a complete solution for centralising your log files from multiple applications and servers and provides a HAProxy log analyser as standard. You can also use our Kibana integrations to visualise key server metrics from both frontend and backend applications for fast error resolution & troubleshooting.

Followed our HAProxy log configuration guide and are still encountering issues? We're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.