Filebeat haproxy module


(Mark Bassett) #1

What is the correct method to get logs to the filebeat haproxy module? I see it is running udp syslog on port 9001 so I just added

log 127.0.0.1:9001 local0 notice

under the global section, but it looks like it is not expecting syslog type logs with facility/priority?

<133>Dec 6 00:27:54 haproxy[10946]: Health check for server succeeded, reason: Layer7 check passed, code: 200, info: "OK", check duration: 8ms, status: 3/3 UP.

Provided Grok expressions do not match field value:


(Steffen Siering) #2

Filebeat syslog parser does not support RFC5424 yet. See issue #6872. I guess this is what your HAProxy is sending.


(Mark Bassett) #3

I'm wondering if this is related to


(Mark Bassett) #4

My haproxy is configured to use rfc3164 log output, but the syslog facility and priority its logging is throwing it off.

#configured as rfc3164
2018-12-06T19:12:55.360Z ERROR [syslog] syslog/input.go:131 can't not parse event as syslog rfc3164 {"message": "<133>Dec 6 19:12:55 haproxy[18524]: Proxy LBRGS-SBX started.\n"}

#configured as rfc5424
2018-12-06T19:10:16.134Z ERROR [syslog] syslog/input.go:131 can't not parse event as syslog rfc3164 {"message": "<133>1 2018-12-06T19:10:16+00:00 lbrgs01 haproxy 18461 - - Proxy LBRGS-SBX started.\n"}


(Philip Nunn) #5

I think you had it correct. It appears to be the bug you had previously linked (Filebeat syslog parser Dec bug). The facility and severity look good to me in your rfc3164 message. local0 x8 + notice (16x8) +5 = 133.


(Mark Bassett) #6

Looks like that update hasn't made it to release yet. appears to be included with 6.5.3