Telegraf: Add support for BSD style syslog messages RFC 3164 to syslog input

Created on 25 Aug 2018  路  8Comments  路  Source: influxdata/telegraf

Relevant telegraf.conf:

=udp4://:6514

System info:

1.7.3

Steps to reproduce:

  1. Setup UDP input syslog plugin
  2. Setup nginx output in that UDP port

Expected behavior:

Message store in InfluxDB

Actual behavior:

Error in plugin [inputs.syslog]: read udp4 0.0.0.0:6514: i/o timeout

Additional info:

No idea.

aresyslog feature request upstream
Source
picture vit1251
👍8

Most helpful comment

go-syslog now supports RFC 3164 as per https://github.com/influxdata/go-syslog/pull/27 (merged feb 3)

picture janitha on 29 Apr 2020
👍3

All 8 comments

Can you show your nginx config for sending over UDP?

danielnelson picture danielnelson on 27 Aug 2018

@danielnelson I setup nginx by manual at address http://nginx.org/en/docs/syslog.html

access_log syslog:server=127.0.0.1:6514,tag=nginx;

I watch tcpdump UDP and view that UDP packet push on lo interface.

vit1251 picture vit1251 on 28 Aug 2018

I believe the issue is that nginx outputs only in RFC 3164, but the syslog input only does RFC 5424 messages. There is an issue on go-syslog to add support: https://github.com/influxdata/go-syslog/issues/15.

In the meantime I think a workaround would be to use rsyslog to convert between formats.

danielnelson picture danielnelson on 28 Aug 2018

@danielnelson maybe an interesting fact or my mistake I'm not exactly sure but... after error ocuire I try to make custom message by logger from shell and no message pass in Influx. I guess that parsing goroutine ended and no more ready to receive UDP packet. Perhaps this is a mistake.

vit1251 picture vit1251 on 28 Aug 2018

I set up rsyslog to forward over UDP:

$ cat /etc/rsyslog.d/50-telegraf.conf
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

*.* @127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

And then used the logger command from util-linux:

$ logger test

I did get the message, but also an error message:

2018-08-28T20:30:30Z E! Error in plugin [inputs.syslog]: read udp [::]:6514: i/o timeout
syslog,appname=dbn,facility=user,host=debian-stretch-syslog.virt,hostname=debian-stretch-syslog,severity=notice version=1i,severity_code=5i,facility_code=1i,timestamp=1535488225311326000i,message=" test" 1535488225311871493

Afterwards, I am unable to send to this socket. I think we just want to remove the deadline for the UDP socket altogether, I'll put together a pr.

danielnelson picture danielnelson on 28 Aug 2018
👍1

@vit1251 You should be able to craft a message directly now if you use the nightly builds.

danielnelson picture danielnelson on 31 Aug 2018

+1 for adding RFC 3164 style (UDP) syslog receiver to Telegraf.
(Not only) We have tons of network equipment in the field without the capability to send according to RFC5424 format.

NWMichl picture NWMichl on 5 Apr 2020

go-syslog now supports RFC 3164 as per https://github.com/influxdata/go-syslog/pull/27 (merged feb 3)

janitha picture janitha on 29 Apr 2020
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

veerendra2 picture veerendra2  路  3Comments
chench00 picture chench00  路  3Comments
grafanaUser123 picture grafanaUser123  路  3Comments
IxDay picture IxDay  路  3Comments
corentingi picture corentingi  路  3Comments