Remote syslog not working

[scalp42]

Hi @joker1007

I have this simple config:

syslog_docker_input.conf

<source>
  @type syslog
  tag syslog.docker.containers
  port 5140
  protocol_type udp
  <parse>
    message_format rfc3164
  </parse>
  source_hostname_key hostname
  source_address_key source_ip
  priority_key priority
  facility_key facility
  log_level info
</source>

To test, I'm using a simple container printing "hello world" in JSON and using the syslog driver with FluentD syslog input:

docker run --rm --name test --log-driver syslog --log-opt syslog-address=udp://127.0.0.1:5140 --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}" --log-opt syslog-format=rfc3164  alpine echo '{"hello": "world"}'

I enabled stdout output for syslog.docker.containers.** tags:

syslog_docker_output.conf

<match syslog.docker.containers.**>
  @type stdout
</match>

I can see the logs fine in fluentd logs:

2019-06-18 04:16:11.000000000 +0000 syslog.docker.containers.daemon.info: {"host":"default-ubuntu-1804","ident":"alpine/test/154dd9f55d5e","pid":"16783","message":"{\"hello\": \"world\"}","priority":"info","facility":"daemon","source_ip":"10.0.2.15","hostname":"default-ubuntu-1804.vagrantup.com"}

When I try to use remote_syslog, it doesn't appear the logs are being sent:

syslog_docker_output_papertrail.conf

<match syslog.docker.containers.**>
  @type remote_syslog
  host logs42.papertrailapp.com
  port 42000
  facility user
  severity notice
  program fluentd
  protocol udp
  tls false
  hostname default-ubuntu-1804
  log_level debug
  <format>
    @type single_value
    message_key message
  </format>
</match>

Any chance you have an idea? 🙇

[scalp42]

I just tested with netcat:

nc -l 42000

Changed host to 127.0.0.1 with protocol tcp and nothing is being printed out.

[joker1007]

Do you have any logs (logs of fluentd daemon) about this situation? I cannot guess the cause only by these informations.