Ship logs from HAProxy to logstash
HAProxy generates logs in syslog format, on debian and ubuntu the haproxy package contains the required syslog configuration to generate a haproxy.log file which we will then monitor using filebeat.
Confirm the existance of /etc/rsyslog.d/49-haproxy.conf and /var/log/haproxy.log
If you've recently installed haproxy you may need to restart rsyslog to get additional haproxy config file loaded.
The RPM haproxy default configuration sends it's logs to a syslog daemon listening on localhost via UDP. We need to configure rsyslog to listen on localhost and write a haproxy.log file which we will then monitor using filebeat.
echo "#Rsyslog configuration to listen on localhost for HAProxy log messages #and write them to /var/log/haproxy.log $ModLoad imudp $UDPServerRun 514 $UDPServerAddress 127.0.0.1 local2.* /var/log/haproxy.log" | sudo tee /etc/rsyslog.d/haproxy.conf sudo systemctl restart rsyslog
Confirm the haproxy log file contains entries to process.
Should return the last 10 entries in the file, if you get nothing back or file not found, check haproxy is running and if rsyslog needs reloading.
sudo apt-get install apt-transport-https wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - echo 'deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main' | sudo tee /etc/apt/sources.list.d/beats.list sudo apt-get update && sudo apt-get install filebeat-oss
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch echo "[elastic-6.x] name=Elastic repository for 6.x packages baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo sudo yum install filebeat-oss
The filebeat config file should be located at
# Paths that should be crawled and fetched. Glob based paths. paths: - /var/log/haproxy.log
Be careful not to specify the same file twice if you are adding multiple paths.
#output.elasticsearch: # # Array of hosts to connect to. # hosts: ["localhost:9200"]
output.logstash: # The Logstash hosts hosts: ["your-logstash-host:your-port"] loadbalance: true ssl.enabled: true
Start filebeat (starting filebeat using this method will display live activity inside the terminal. It will also display any validation errors found in the YAML file):
sudo filebeat -e -c /etc/filebeat/filebeat.yml
Any logs found inside the previously specified directory will be harvested by filebeat (this activity will be displayed in the terminal) and logged to logstash.
You can also start the service without using the
filebeat command but this will not
display the activity in the terminal:
sudo systemctl enable filebeat sudo systemctl start filebeat