fluent-plugins-nursery / fluent-plugin-systemd

This is a fluentd input plugin. It reads logs from the systemd journal.
Apache License 2.0

Fluentd not reading journal logs #35

Closed dhawal55 closed 7 years ago

dhawal55 commented 7 years ago

I'm unable to determine why my fluentd is not reading my journal logs:

I'm using v0.2.0 of fluent-plugin-systemd and here's my fluentd config:

<source>
  @type systemd
  tag systemd
  path /var/log/journal
  filters [{ "PRIORITY": [0,1,2,3,4,5,6] }]
  <storage>
    @type local
    persistent true
    path /var/log/systemd.pos
  </storage>
  read_from_head true
  strip_underscores true
</source>

When I look at fluentd logs, everything looks fine but no journal logs are read:

2017-07-11 16:42:35 +0000 [info]: starting fluentd-0.14.18 pid=1
2017-07-11 16:42:35 +0000 [info]: spawn command to main:  cmdline=["/opt/td-agent/embedded/bin/ruby", "-Eascii-8bit:ascii-8bit", "/usr/sbin/td-agent", "--under-supervisor"]
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-mixin-config-placeholders' version '0.4.0'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-mixin-plaintextformatter' version '0.2.6'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-aws-elasticsearch-service' version '0.1.6'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-elasticsearch' version '1.9.5'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-kafka' version '0.5.5'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-kubernetes_metadata_filter' version '0.27.0'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-mongo' version '0.8.0'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '1.5.5'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-s3' version '0.8.2'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-scribe' version '0.10.14'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-systemd' version '0.2.0'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-td' version '0.10.29'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-td-monitoring' version '0.2.2'
2017-07-11 16:42:35 +0000 [info]: gem 'fluent-plugin-webhdfs' version '0.4.2'
2017-07-11 16:42:35 +0000 [info]: gem 'fluentd' version '0.14.18'
2017-07-11 16:42:35 +0000 [info]: gem 'fluentd' version '0.12.35'
2017-07-11 16:42:35 +0000 [info]: adding match pattern="fluent.**" type="null"
2017-07-11 16:42:35 +0000 [info]: adding filter pattern="kubernetes.**" type="kubernetes_metadata"
2017-07-11 16:42:36 +0000 [info]: adding match pattern="**" type="aws-elasticsearch-service"
2017-07-11 16:42:36 +0000 [info]: adding source type="tail"
2017-07-11 16:42:36 +0000 [info]: adding source type="systemd"
2017-07-11 16:42:36 +0000 [info]: adding source type="tail"
2017-07-11 16:42:36 +0000 [info]: #0 starting fluentd worker pid=10 ppid=1 worker=0
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/apiserver/audit-2017-07-11T05-08-32.246.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/apiserver/audit-2017-07-11T11-36-07.066.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/apiserver/audit.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-apiserver-691905349-mgv64_kube-system_kube-apiserver-7e51a4a7e0f62142ff2283baef2eb21d1dcbbeda9ea1d55690df5de41372bd2a.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-apiserver-691905349-mgv64_kube-system_kube-apiserver-certs-ed10c15ac4d85549d283ca2d502df834c4dfecff36b01a7191b40e5654cc2515.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-apiserver-691905349-mgv64_kube-system_kube-apiserver-e3a38cba0b83f173cfba79d0b6e932463db1480b2236376edeb73f6bb2426223.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-scheduler-2843403865-st7rr_kube-system_kube-scheduler-f48d416a6137390862153285539c726d8b69209140d29f637c4df712daa6e76f.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/filebeat-j77lr_utils_mtail-5c9fd5e3da3f2f3481ef9dad8ff9e1519e40b15301ebec35d9ca554ca30c6933.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-controller-manager-3483369422-sr70f_kube-system_kube-controller-manager-c0b8fc7726c2e061ff58ccc9a1440a1ebaf0fa859bf16670161e1ca98ece2735.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube2iam-fws2m_kube-system_kube2iam-a12483e11d47da4d9b7921e7e505c607a23dda582670483ac688da0e9975a810.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/checkpoint-installer-nzrv0_kube-system_checkpoint-installer-d3306302fd0d5913d12cecf47e6cf32d3c52a7fbee668b18c8ee9de0d72c3425.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-flannel-78n4t_kube-system_install-cni-607280a9d91d4246175f4c7234a94475f78b1d9561570b71bb2f0a3653e56a15.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube2iam-fws2m_kube-system_kube2iam-214a2fad45a08f486658da11dda2ab5ec94a3fcca95bf9235e3bed92ae989026.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/node-problem-detector-ccn62_utils_node-problem-detector-e612875bf76304204081b5035720ea56a3bced13e5c6b73b5bd2039c38cbd404.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-proxy-36h0q_kube-system_kube-proxy-certs-06cfa5cfc74820286d959185957e53132b3d34499df3635ac5f0912225f9fa6f.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-controller-manager-3483369422-sr70f_kube-system_kube-controller-manager-077dbf430fe8d378e61345c0d407d379aafdca1948243c17f5ccf8c572e54412.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/fluentd-zhbwb_utils_fluentd-67d889e7f5e6f82176eb1a6963ed782d40f81f0917503b4d62f794e01f836366.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/node-exporter-etcd-79m4q_monitoring_node-exporter-9d9cff481824895361bc5383cfd5a570ec4fd0f4e02d4d3f472bb358ce72130b.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-flannel-78n4t_kube-system_kube-flannel-59d6cc8529fee663dafcf41155d2e12d9e194c7c4029da4f41d7478c48d6b22d.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/filebeat-j77lr_utils_filebeat-310b2ce0175c39277e70a7b333a77220f902a7da7a233d0ec466cb09fe31ae36.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-proxy-36h0q_kube-system_kube-proxy-bfd66f3b7263f07cc6d04253d39fd54dad2691170f50082fe7a5bef81eeb0765.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-scheduler-2843403865-st7rr_kube-system_kube-scheduler-84b9e10f118eca2488a946c6d5e148416d913971d0d6487f9c2a51c3fa570e73.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/pod-checkpointer-ip-172-16-198-15.us-west-2.compute.internal_kube-system_checkpoint-2b38afa4eadc1b0367edc37482076a0f3faf476eacdbd40cd7736091e078e57a.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/fluentd-6zmqb_utils_fluentd-325cda21aa13232c1edc85817dc0d21e3c48acebf54bd164c14e3ea4ceacfa24.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/rescheduler-v0.3.0-712020263-fw8fg_kube-system_rescheduler-1ecb0a4df97c3c5e84aa6eb16b656275531ed952b4f3b44d18a85958f360cd7f.log
2017-07-11 16:42:36 +0000 [info]: #0 following tail of /var/log/containers/kube-apiserver-691905349-mgv64_kube-system_etcd-client-certs-4cb97b0572d0b61e71f7b942ef9c0e162ba00dd35eb8bc5967caaab310a5db7b.log
2017-07-11 16:42:36 +0000 [info]: #0 fluentd worker is now running worker=0
2017-07-11 16:42:41 +0000 [info]: #0 Connection opened to Elasticsearch cluster => {:host=>"search-xxxxx.us-west-2.es.amazonaws.com", :port=>443, :scheme=>"https", :aws_elasticsearch_service=>{:credentials=>#<Aws::Credentials access_key_id="xxxxxxx">, :region=>"us-west-2"}}
2017-07-11 16:42:47 +0000 [info]: #0 detected rotation of /var/log/containers/fluentd-zhbwb_utils_fluentd-67d889e7f5e6f82176eb1a6963ed782d40f81f0917503b4d62f794e01f836366.log; waiting 5 seconds

I'm running this on CoreOS v1437.3.0

errm commented 7 years ago

Some things I would check first...

1) Do you have journal files in /var/log/journal?
2) Is /var/log/journal mounted into whatever container you are using correctly?
3) Does the user you are running fluentd as have the correct permission to read /var/log/journal?
4) Is there a mismatch between the version of libsystemd writing the journal on the host, and inside your fluentd container?

harobed commented 7 years ago

My docker-compose:

  fluentd:
    image: harobed/fluentd-with-plugins:latest
    command: fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --log /fluentd/log/fluentd.log
    restart: unless-stopped
    ports:
      - 5140:5140/udp
      - 9880:9880
    volumes:
      - ./fluentd-config/:/fluentd/etc/
      - ./fluentd-log/:/fluentd/log/
      - ./fluentd-pos/:/fluentd/pos/
      - /var/log/journal/:/var/log/journal/
    networks:
      - elk

fluentd configuration:

<system>
  log_level debug
</system>

<source>
  @type systemd
  path /var/log/journal
  <storage>
    @type local
    persistent true
    path /fluentd/log/journald.pos
  </storage>
  tag journal
  read_from_head false
</source>

<match **>
  @type copy

  <store>
    @type file
    path /fluentd/log/output
    buffer_type file
    buffer_path /fluentd/log/output.buffer
    append false
    flush_interval 5s
  </store>

  <store>
    @type elasticsearch
    host elasticsearch
    buffer_type memory
    flush_interval 1s
    logstash_dateformat %Y%m%d
    port 9200
    logstash_format true
    type_name fluentd
    index_name logstash
    include_tag_key true
    tag_key _key
    buffer_chunk_limit 512k
    reload_connections false
    reconnect_on_error true
    max_retry_wait 60
    disable_retry_limit
  </store>
</match>

my fluentd dockerfile:

FROM fluent/fluentd:v0.14-debian-onbuild

RUN buildDeps="sudo make gcc g++ libc-dev ruby-dev" \
 && apt-get update \
 && apt-get install -y --no-install-recommends $buildDeps \
 && sudo gem install \
        fluent-plugin-elasticsearch \
        fluent-plugin-systemd \
 && sudo gem sources --clear-all \
 && SUDO_FORCE_REMOVE=yes \
    apt-get purge -y --auto-remove \
                  -o APT::AutoRemove::RecommendsImportant=false \
                  $buildDeps \
 && rm -rf /var/lib/apt/lists/* \
           /home/fluent/.gem/ruby/2.3.0/cache/*.gem

/etc/systemd/journald.conf config

SystemMaxUse=400M
SystemMaxFileSize=100M
Storage=persistent
SyncIntervalSec=30s

OS:

# cat /etc/debian_version
8.8

fluentd has root access in the Docker container.

# docker-compose exec fluentd ls /var/log/journal/8e26deeb0bd34f98a71d544e8005065b -lha
total 8.1M
drwxr-sr-x 2 root 102 4.0K Jul 18 11:52 .
drwxr-sr-x 3 root 102 4.0K Jul 18 11:52 ..
-rw-r----- 1 root 102 8.0M Jul 18 13:02 system.journal

After:

# curl http://127.0.0.1:5601/ -I
HTTP/1.1 200 OK
kbn-name: kibana
kbn-version: 5.5.0
cache-control: no-cache
Date: Tue, 18 Jul 2017 13:06:53 GMT
Connection: keep-alive

with journalctl -xf I see:

Jul 18 15:06:53 server-elk dockerd[25573]: {"type":"response","@timestamp":"2017-07-18T13:06:53Z","tags":[],"pid":8,"method":"head","statusCode":200,"req":{"url":"/","method":"head","headers":{"user-agent":"curl/7.38.0","host":"127.0.0.1:5601","accept":"*/*"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":200,"responseTime":2,"contentLength":9},"message":"HEAD / 200 2ms - 9.0B"}

nothing in fluentd-log/output.20170718_6.log and nothing in ElasticSearch.

Same subject here: https://groups.google.com/forum/#!topic/fluentd/CDsC-3ildpQ and https://fluent-all.slack.com/archives/C0CTT63EE/p1500377777737071

Best regards, Stéphane

harobed commented 7 years ago

Fixed with

    environment:
      - FLUENT_UID=0

in my docker-compose.yml

errm commented 7 years ago

@dhawal55 did you manage to fix your issue?

cihangirbesiktas commented 7 years ago

I could not get the logs with the following configuration in Centos 7 host.

<system>
  log_level debug
</system>
<source>
  @type systemd
  tag journal
  path /var/log/journal
  read_from_head true
  <storage>
    @type local
    persistent true
    path /var/log/td-agent/journal.pos
  </storage>
</source>
<match journal>
  @type file
  path /tmp/fluentd/journal.json
  format json
  include_time_key true
  time_key @timestamp
  timezone +00:00
  include_tag_key true
  tag_key log_source
</match>

MattMencel commented 7 years ago

@cihangirbesiktas did you figure this out? I'm having the same issue on centos 7.

cihangirbesiktas commented 7 years ago

@MattMencel yes, it is due to td-agent user not having enough permissions, after I changed the service user as root, it worked properly.

MattMencel commented 7 years ago

Ah good catch. Might be better to add td-agent to the systemd-journal group than to run it as root? https://serverfault.com/questions/717725/journalctl-access-for-non-root-users
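The checks errm listed above and the permission problem confirmed at the end of the thread (journal files are `-rw-r-----` root:systemd-journal, so a non-root collector must be in that group) can be scripted. The script below is an added example, not code from the fluent-plugin-systemd project or from anyone in the thread; it assumes a script name of `check_journal_access.sh`, a collector user named `td-agent` and the journal path `/var/log/journal`, and it uses only POSIX sh so it can run inside a minimal fluentd container as well as on the host.

```shell
#!/bin/sh
# Added example (not the plugin's or the thread's code): verify the journal-access
# preconditions for a fluentd/td-agent collector without resorting to running it
# as root. Assumed usage: sh check_journal_access.sh /var/log/journal td-agent

# journal_files_present DIR: succeed if DIR holds at least one *.journal file.
journal_files_present() {
  dir="$1"
  [ -d "$dir" ] || return 1
  first=$(find "$dir" -type f -name '*.journal' 2>/dev/null | head -n 1)
  [ -n "$first" ]
}

# journal_files_readable DIR: succeed if every *.journal file under DIR is
# readable by the current user; otherwise list the unreadable ones on stderr.
journal_files_readable() {
  dir="$1"
  unreadable=$(find "$dir" -type f -name '*.journal' 2>/dev/null |
    while IFS= read -r f; do
      [ -r "$f" ] || printf '%s\n' "$f"
    done)
  if [ -n "$unreadable" ]; then
    printf 'not readable by uid %s:\n%s\n' "$(id -u)" "$unreadable" >&2
    return 1
  fi
  return 0
}

# user_in_group USER GROUP: succeed if USER is a member of GROUP.
user_in_group() {
  id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# check_journal_access DIR USER: run the checks and print a verdict.
# Returns 0 when DIR has journal files and USER is root or in systemd-journal
# (and, when run as USER, when the files are actually readable).
check_journal_access() {
  dir="$1"
  user="$2"
  rc=0
  if journal_files_present "$dir"; then
    echo "ok: journal files found under $dir"
  else
    echo "missing: no *.journal files under $dir (is it mounted into the container?)"
    rc=1
  fi
  if [ "$user" = root ] || user_in_group "$user" systemd-journal; then
    echo "ok: $user is root or a member of systemd-journal"
  else
    echo "fix: add $user to systemd-journal (usermod -aG systemd-journal $user) and restart the collector"
    rc=1
  fi
  # Only the user that will read the journal can meaningfully test readability.
  if [ "$(id -un)" = "$user" ]; then
    journal_files_readable "$dir" || rc=1
  fi
  ls -ld "$dir" 2>/dev/null
  return $rc
}

if [ "$#" -ge 2 ]; then
  check_journal_access "$1" "$2"
fi
```

Run it as the collector's own user (for example with `sudo -u td-agent sh check_journal_access.sh /var/log/journal td-agent`) so the readability check exercises the same uid the plugin will use; a host/container libsystemd version mismatch, the fourth item in errm's list, is not something a file-permission check can detect.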