fluent / fluent-bit

Fast and Lightweight Logs and Metrics processor for Linux, BSD, OSX and Windows
https://fluentbit.io
Apache License 2.0

syslog output: send json to a rsyslog remote server #3263

Closed atefhaloui closed 3 years ago

atefhaloui commented 3 years ago

Is your feature request related to a problem? Please describe.

I've tried to send a json log entry through the syslog output without any luck. The structure of the json entry is:

{
  "file":"front/api/myfile.go:689",
  "func":"myfile.MyFunc()",
  "level":"info",
  "msg":"A group of walrus emerges from the ocean",
  "time":"2014-03-10 19:57:38.562264131 -0400 EDT"
}

My parser is:

[PARSER]
    Name         myparser
    Format       json
    Time_Keep    on
    Reserve_Data on

my config file:

[SERVICE]
    flush           1
    daemon          off
    log_level       info
    parsers_file    parsers.conf
    plugins_file    plugins.conf
    http_server     off
    http_listen     0.0.0.0
    http_port       2020
    storage.metrics off

[INPUT]
    Name              tail
    Tag               app
    Path              /var/log/myapp/myapp-streaming.log
    Path_Key          filename
    Parser            myparser
    Mem_Buf_Limit     16MB
    Skip_Long_Lines   off
    Refresh_Interval  1

[FILTER]
    Name nest
    Match *
    Operation nest
    Wildcard file
    Wildcard func
    Wildcard time
    Wildcard level
    Wildcard msg
    Nest_under applog

[FILTER]
    Name record_modifier
    Match *
    Record hostname ${HOSTNAME}
    Record appname myapp
    # debug
    Record severity 7
    # local1
    Record facility 17

[OUTPUT]
    name stdout
    match *

[OUTPUT]
    name                 syslog
    match                *
    host                 localhost
    port                 514
    mode                 udp
    syslog_format        rfc5424
    syslog_maxsize       2048
    syslog_severity_key  severity
    syslog_facility_key  facility
    syslog_hostname_key  hostname
    syslog_appname_key   appname
    syslog_message_key   applog

When I append a new entry to my log file, the message sent is empty :(

echo '{"file":"front/api/myfile.go:689","func":"myfile.MyFunc()","level":"info","msg":"A group of walrus emerges from the ocean",  "time":"2014-03-10 19:57:38.562264131 -0400 EDT"}' >> /var/log/myapp/myapp-streaming.log

My fluent-bit output:

$ fluent-bit/build/bin/fluent-bit -c td-agent-bit.conf
Fluent Bit v1.8.0
* Copyright (C) 2019-2021 The Fluent Bit Authors
* Copyright (C) 2015-2018 Treasure Data
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

[2021/03/20 22:00:41] [ info] [engine] started (pid=57535)
[2021/03/20 22:00:41] [ info] [storage] version=1.1.1, initializing...
[2021/03/20 22:00:41] [ info] [storage] in-memory
[2021/03/20 22:00:41] [ info] [storage] normal synchronization mode, checksum disabled, max_chunks_up=128
[2021/03/20 22:00:41] [ info] [output:syslog:syslog.1] setup done for localhost:514
[2021/03/20 22:00:41] [ info] [sp] stream processor started
[2021/03/20 22:00:41] [ info] [input:tail:tail.0] inotify_fs_add(): inode=783341 watch_fd=1 name=/var/log/myapp/myapp-streaming.log
[0] app: [1616274066.437712895, {"filename"=>"/var/log/myapp/myapp-streaming.log", "applog"=>{"file"=>"front/api/myfile.go:689", "func"=>"myfile.MyFunc()", "level"=>"info", "msg"=>"A group of walrus emerges from the ocean", "time"=>"2014-03-10 19:57:38.562264131 -0400 EDT"}, "hostname"=>"WX-OR6141864", "appname"=>"myapp", "severity"=>"7", "facility"=>"17"}]

and in my rsyslog I have:

4066.611202460:imudp.c        : imudp.c: imudp: epoll_wait() returned with 1 fds
4066.611256639:imudp.c        : imudp.c: imudp: recvmmsg returned 1
4066.611266909:imudp.c        : imudp.c: recv(8,59),acl:1,msg:<143>1 2021-03-20T21:01:06.437712Z WX-OR6141864 myapp - - -
4066.611273770:imudp.c        : parser.c: msg parser: flags 70, from '~NOTRESOLVED~', msg '<143>1 2021-03-20T21:01:06.437712Z WX-OR6141864 myapp - - -'
4066.611278057:imudp.c        : parser.c: parse using parser list 0x563ce6b663a0 (the default list).
4066.611282828:imudp.c        : pmrfc5424.c: Message has RFC5424/syslog-protocol format.
4066.611288398:imudp.c        : parser.c: Parser 'rsyslog.rfc5424' returned 0
4066.611293328:imudp.c        : imudp.c: imudp: recvmmsg returned -1

Describe the solution you'd like

The message sent must be the content of the syslog_message_key even if it's a json object. From msgpack_to_syslog, I can see that this function does not accept MSGPACK_OBJECT_MAP for messages while, imho, it should serialize the content of the json object and send it.
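
An added example, not part of the original post and not Fluent Bit's code: a small Python model of the behaviour reported above. The hypothetical `format_rfc5424` reproduces the 59-byte frame rsyslog received when the message key holds a map, shows the frame when the map is serialized to a JSON string first, and `parse_rfc5424` is a receiver-side check for frames that arrive with no MSG part. The record is constructed from the stdout output above.

```python
import json
import re

# Constructed record, shaped like the stdout output in the post above.
RECORD = {
    "filename": "/var/log/myapp/myapp-streaming.log",
    "applog": {"file": "front/api/myfile.go:689", "func": "myfile.MyFunc()",
               "level": "info", "msg": "A group of walrus emerges from the ocean"},
    "hostname": "WX-OR6141864", "appname": "myapp",
    "severity": "7", "facility": "17",
}

def format_rfc5424(record, timestamp, message_key, serialize_maps):
    """Hypothetical formatter modelling the reported behaviour (not Fluent Bit code).

    A map under message_key is either skipped (serialize_maps=False, what the
    issue observes) or sent as a compact JSON string (what the issue requests).
    """
    pri = int(record["facility"]) * 8 + int(record["severity"])  # 17*8 + 7 = 143
    value = record.get(message_key)
    if isinstance(value, dict):
        value = json.dumps(value, separators=(",", ":")) if serialize_maps else None
    # PROCID, MSGID and STRUCTURED-DATA are nil ("-"), as in the captured frame.
    header = f"<{pri}>1 {timestamp} {record['hostname']} {record['appname']} - - -"
    return header if value is None else f"{header} {value}"

# Simplified RFC 5424 matcher: nil or a single structured-data element only.
RFC5424 = re.compile(
    r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\])(?: (.*))?$", re.S)

def parse_rfc5424(frame):
    """Decode PRI and return the MSG part, or None when the frame has no MSG."""
    m = RFC5424.match(frame)
    if m is None:
        raise ValueError("not an RFC 5424 frame")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "hostname": m.group(3), "appname": m.group(4), "msg": m.group(8)}

if __name__ == "__main__":
    ts = "2021-03-20T21:01:06.437712Z"
    for serialize in (False, True):
        frame = format_rfc5424(RECORD, ts, "applog", serialize)
        parsed = parse_rfc5424(frame)
        state = "EMPTY MSG" if parsed["msg"] is None else "ok"
        print(f"{state:9} {len(frame):4d} bytes  {frame}")
```
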

makrelas commented 3 years ago

Seems similar to #2717 which was closed (stale)

github-actions[bot] commented 3 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] commented 3 years ago

This issue was closed because it has been stalled for 5 days with no activity.

danielzhanghl commented 2 years ago

Hi, I met a similar issue using 1.9.9. Is there any workaround for this issue?

danielzhanghl commented 2 years ago

Found a "WA" for this, like below: read the content from file, modify some to that, then print that out to another file, reload from that file, send to rsyslog. That is not a good one since there is additional read/write to filesystem, but that seems the only option before upstream enhances this part.

[INPUT]
    # https://docs.fluentbit.io/manual/pipeline/inputs/tail
    Name                      tail
    Path                      /tmp/container-log/*.log
    Exclude_Path              *.gz,*.zip
    storage.type              filesystem
    DB                        /tmp/fluentbit.db
    Read_from_Head            True
    Refresh_Interval          30
    Tag                       raw-log
    Key                       log

[INPUT]
    # https://docs.fluentbit.io/manual/pipeline/inputs/tail
    Name                      tail
    Path                      /tmp/temp-log/*.log
    Exclude_Path              *.gz,*.zip
    storage.type              filesystem
    DB                        /tmp/fluentbit2.db
    Read_from_Head            True
    Refresh_Interval          30
    Tag                       clog

[FILTER]
    Name    record_modifier
    Match   raw-log
    Record  product something

[OUTPUT]
    Name    file
    Match   raw-log
    Path    /tmp/temp-log
    File    temp.log
    Format  plain
    Mkdir   True
    Match   raw-log

[OUTPUT]
    name                syslog
    match               clog
    host                1.5.4.52
    port                2516
    mode                tcp
    syslog_format       rfc5424
    syslog_maxsize      2048
    syslog_message_key  log

cccsss01 commented 7 months ago

@danielzhanghl were you ever able to configure this w/o the workaround? I can't seem to get it w/o the workaround?

[SERVICE]
    Flush         1
    Daemon        Off
    Log_Level     info
    Parsers_File  parsers.conf

[INPUT]
    Name              tail
    Path              /var/log/containers/.log
    Parser            docker
    Tag               kube.
    Refresh_Interval  5
    Rotate_Wait       5
    Mem_Buf_Limit     5MB
    Skip_Long_Lines   On
    DB                /var/log/flb_kube.db
    DB.Sync           Normal

[OUTPUT]
    Name                syslog
    Match               *
    Host
    Port                514
    Mode                tcp
    Syslog_Format       RFC3164
    syslog_message_key  log