2

We have an application deployed on an AWS EKS cluster, which has a requirement of sending the application error messages to a syslog server.

Our default log shipper is Fluent Bit, deployed as a DaemonSet in the AWS EKS cluster.

Going over the official documentation of Fluent Bit, there is an option for a Syslog input, which allows collecting Syslog messages through a Unix socket server (UDP or TCP) or over the network using TCP or UDP.

But looking over the example in the official documentation:

```
[SERVICE]
    Flush               1
    Log_Level           info
    Parsers_File        parsers.conf

[INPUT]
    Name                syslog
    Path                /tmp/in_syslog
    Buffer_Chunk_Size   32000
    Buffer_Max_Size     64000
    Receive_Buffer_Size 512000

[OUTPUT]
    Name   stdout
    Match  *
```

It seems that Fluent Bit can't receive any Syslog traps (like, for example, Kiwi Server), but only performs a tail action on the Syslog log file (in the example: /tmp/in_syslog).

Did I correctly understand the official documentation?

1
  • I don't believe "syslog traps" are a thing; could you be thinking of SNMP traps? SNMP is not part of syslog. Commented Sep 12, 2024 at 16:11

2 Answers

2

It seems you can use the Syslog input plugin to configure Fluent Bit to collect Syslog messages through a Unix socket or TCP/UDP socket. Please scroll down in the documentation to see examples other than the file parsing one.

Look at these options:

```
Parser syslog-rfc3164
Listen 0.0.0.0
Port   5140
```
5
  • Thanks. In case you are referring to the section "Rsyslog to Fluent Bit: Network mode over TCP", will Fluent Bit pull the Syslog traps, or will it listen for the Syslog traps? Commented Sep 12, 2024 at 14:01
  • 1
    What do you mean by syslog traps? I recall about SNMP traps, but they are a different thing. Commented Sep 12, 2024 at 18:14
  • Sorry for the wrong terminology; in the scope of Syslog, it should be Syslog messages, and if I'm not mistaken the Syslog protocol doesn't support pulling. Commented Sep 12, 2024 at 18:56
  • Fluent Bit will listen for syslog messages from a syslog that will connect to it. This means that you need to configure syslog to connect to Fluent Bit and also configure Fluent Bit to start a port in listening mode. Commented Sep 14, 2024 at 2:48
  • Traditionally, syslogd collects log messages from various sources and sends them to files or remote syslog servers. It doesn't store the messages in a DB, so you can't poll it. Commented Sep 14, 2024 at 2:48
1

It seems that Fluent Bit can't receive any Syslog [..] but only performs a tail action [..]

Did I correctly understand the official documentation?

Nope. As Mircea Vutcovici wrote, you can have Fluent Bit listen on a TCP/UDP port and have it act as a syslog server. It is explained in the docs, though I had to add a parser line so rfc3164 is used instead of the default rfc5424. Also, the doc shows an example for TCP, but it seems UDP is more common, which is what I had to use.

https://docs.fluentbit.io/manual/pipeline/inputs/syslog#rsyslog_to_fluentbit_network

Fluent Bit can even forward those syslog messages to another (e.g. cloud) server. This is especially handy if the server needs some form of authentication, which syslog does not have built in.
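
The rfc3164 versus rfc5424 parser choice and the listen-and-receive model discussed in the answers above, as an added example that is not part of the original posts or of Fluent Bit's code. The regexes are simplified stand-ins for the two syslog formats, the sample messages are constructed, and a loopback UDP socket plays the role of the listening input.

```python
import re
import socket

# Simplified grammars (assumption: illustrative, not Fluent Bit's own parser regexes).
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<time>\S+) (?P<host>\S+) "
                     r"(?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<time>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)

def parse_syslog(line):
    """Return (format_name, fields), or (None, {}) if neither grammar matches."""
    for name, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            pri = int(fields["pri"])
            # PRI encodes facility * 8 + severity in both formats.
            fields["facility"], fields["severity"] = pri >> 3, pri & 7
            return name, fields
    return None, {}

def roundtrip(line):
    """Push one datagram to a loopback UDP listener and parse what arrives.
    The listener only binds and receives; it never polls the sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("127.0.0.1", 0))  # ephemeral port for the demo
        srv.settimeout(2)
        cli.sendto(line.encode(), srv.getsockname())
        data, _ = srv.recvfrom(65535)
    return parse_syslog(data.decode(errors="replace"))

# Constructed sample messages: same event in BSD (3164) and IETF (5424) framing.
BSD = "<11>Sep 12 16:11:02 app-pod-1 myapp[4242]: ERROR payment failed"
IETF = "<11>1 2024-09-12T16:11:02Z app-pod-1 myapp 4242 - - ERROR payment failed"

if __name__ == "__main__":
    for sample in (BSD, IETF):
        fmt, fields = roundtrip(sample)
        print(fmt, fields.get("host"), fields.get("facility"), fields.get("severity"))
```

A message in one framing does not match the other grammar, which is why an input expecting rfc5424 fails to parse records from a sender that emits rfc3164.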
