Filebeat haproxy module

What is the correct method to get logs to the filebeat haproxy module? I see it is running udp syslog on port 9001 so I just added

log 127.0.0.1:9001 local0 notice

under the global section, but it looks like it is not expecting syslog type logs with facility/priority?

<133>Dec 6 00:27:54 haproxy[10946]: Health check for server succeeded, reason: Layer7 check passed, code: 200, info: "OK", check duration: 8ms, status: 3/3 UP.

Provided Grok expressions do not match field value:

Filebeat syslog parser does not support RFC5424 yet. See issue #6872. I guess this is what your HAProxy is sending.

I'm wondering if this is related to

My haproxy is configured to use rfc3164 log output, but the syslog facility and priority its logging is throwing it off.

#configured as rfc3164
2018-12-06T19:12:55.360Z ERROR [syslog] syslog/input.go:131 can't not parse event as syslog rfc3164 {"message": "<133>Dec 6 19:12:55 haproxy[18524]: Proxy LBRGS-SBX started.\n"}

#configured as rfc5424
2018-12-06T19:10:16.134Z ERROR [syslog] syslog/input.go:131 can't not parse event as syslog rfc3164 {"message": "<133>1 2018-12-06T19:10:16+00:00 lbrgs01 haproxy 18461 - - Proxy LBRGS-SBX started.\n"}

I think you had it correct. It appears to be the bug you had previously linked (Filebeat syslog parser Dec bug). The facility and severity look good to me in your rfc3164 message. local0 x8 + notice (16x8) +5 = 133.

Looks like that update hasn't made it to release yet. appears to be included with 6.5.3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.