axiomhq / axiom-syslog-proxy

A syslog push interface to Axiom.
https://axiom.co
MIT License

Syslog server can't parse my file #58

Open MatheusMorozetti opened 7 months ago

MatheusMorozetti commented 7 months ago

Hi there!

I followed these instructions to install the Axiom syslog server: https://axiom.co/docs/send-data/syslog-proxy and I tested with echo -n "tcp message" | nc -w1 localhost 601 and everything went fine!

I set up my /etc/syslog.conf to send logs to my syslog server

#maas config
module(load="imfile")
module(load="imtcp")
input(type="imtcp" port="601")
$InputFileName /var/snap/maas/common/log/rsyslog.log
$InputFileTag maas-logs
$InputFileStateFile maas-logs-state
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

local7.* @localhost:601

But it seems the Axiom server can't parse my file:

docker logs f551b472a6f5

{"level":"info","ts":1710446128.4934351,"logger":"axiom-syslog-proxy","caller":"cmd/cmd.go:71","msg":"starting","release":"0.7.0","revision":"40b6431","build_date":"2023-08-16T11:44:20Z","build_user":"goreleaser","go_version":"go1.21.0"}
{"level":"info","ts":1710446128.4936218,"logger":"axiom-syslog-proxy","caller":"cmd/cmd.go:106","msg":"started"}
[19:55:28.49] info  axiom-syslog-proxy@logs/input udp.go:18 Started UDP server on udp:[::]:514
[19:55:28.49] info  axiom-syslog-proxy@logs/input tcp.go:23 Started TCP server on tcp:[::]:601
2024/03/14 20:07:34 Unable to parse log line: tcp message
2024/03/14 20:07:39 ingested 1 event(s)
2024/03/14 20:07:40 Unable to parse log line: udp message
2024/03/14 20:07:43 ingested 1 event(s)
2024/03/18 13:25:55 Unable to parse log line: tcp message
2024/03/18 13:25:58 ingested 1 event(s) 

How can I handle that?

lukasmalkmus commented 7 months ago

Hi @MatheusMorozetti!

Have you double checked the dataset? Is there no data inside?

ingested 1 event(s): From what I'm seeing here, the server has actually received the request and processed it.

Unable to parse log line: tcp message: So this is actually an error reported from the command you ran: echo -n "tcp message" | nc -w1 localhost 601. There is a fallback inside the syslog server: if a message reaches it that is not syslog (like the simple string tcp message or udp message), it creates a new syslog-like event with the incoming message as the content.

Can you double check if data arrives? Can you share more logs from the syslog proxy?
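The parse-then-fallback behaviour described above, as an added Go example that is not code from axiom-syslog-proxy: the two regexes, the Event type and the default facility/severity given to unparseable lines are assumptions, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Event is the normalised record a receiver would forward to the dataset.
// Parsed is false when the fallback path produced the event.
type Event struct {
	Facility, Severity int
	Host, App, Message string
	Parsed             bool
}

// rfc3164 matches "<PRI>Mmm dd hh:mm:ss host tag[pid]: message" (assumed shape).
var rfc3164 = regexp.MustCompile(`^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$`)

// rfc5424 matches "<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG" (assumed shape).
var rfc5424 = regexp.MustCompile(`^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*\]) ?(.*)$`)

// parseLine tries RFC 5424, then RFC 3164; anything else is wrapped
// so that no input is silently dropped, only flagged as unparsed.
func parseLine(line string) Event {
	if m := rfc5424.FindStringSubmatch(line); m != nil {
		pri, _ := strconv.Atoi(m[1])
		return Event{Facility: pri / 8, Severity: pri % 8, Host: m[3], App: m[4], Message: m[8], Parsed: true}
	}
	if m := rfc3164.FindStringSubmatch(line); m != nil {
		pri, _ := strconv.Atoi(m[1])
		return Event{Facility: pri / 8, Severity: pri % 8, Host: m[3], App: m[4], Message: m[5], Parsed: true}
	}
	// Fallback: facility user (1) and severity notice (5) are assumed defaults.
	return Event{Facility: 1, Severity: 5, Host: "unknown", App: "unknown", Message: line, Parsed: false}
}

func main() {
	// Constructed samples: a local7.info 3164 line, a 5424 line, and the bare nc test string.
	for _, line := range []string{
		"<190>Mar 14 20:07:34 maas-host maas-logs: region controller started",
		"<190>1 2024-03-14T20:07:34Z maas-host maas-logs 1234 - - region controller started",
		"tcp message",
	} {
		fmt.Printf("%+v\n", parseLine(line))
	}
}
```

A line that lands in the fallback branch is the one to look for in the dataset when the proxy logs "Unable to parse log line" yet still reports an ingested event.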