2

On one VM I have this in /etc/rsyslog.d/50-default.conf

    # Default rules for rsyslog.
    *.* @192.168.29.1:42185

On the VM with fluentd I have this in /etc/td-agent/td-agent.conf:

    <source>
      type syslog
      port 42185
      tag rsyslog
    </source>

    <match rsyslog.**>
      type copy
      <store>
        # for debug (see /var/log/td-agent.log)
        type stdout
      </store>
      <store>
        type elasticsearch
        logstash_format true
        flush_interval 10s # for testing.
      </store>
    </match>

But nothing seems to be getting sent to the remote machine; when I look in /var/log/td-agent.log I see:

    2014-08-08 10:51:10 -0700 [info]: adding source type="syslog"
    2014-08-08 10:51:10 -0700 [info]: adding source type="forward"
    2014-08-08 10:51:10 -0700 [info]: adding source type="http"
    2014-08-08 10:51:10 -0700 [info]: adding source type="debug_agent"
    2014-08-08 10:51:10 -0700 [info]: adding match pattern="td.*.*" type="tdlog"
    2014-08-08 10:51:10 -0700 [info]: adding match pattern="debug.**" type="stdout"
    2014-08-08 10:51:10 -0700 [info]: adding match pattern="rsyslog.**" type="copy"
    2014-08-08 10:51:10 -0700 [info]: listening fluent socket on 0.0.0.0:24224
    2014-08-08 10:51:10 -0700 [info]: listening dRuby uri="druby://127.0.0.1:24230" object="Engine"

I don't know why the logs aren't being sent, and I don't see how to tell if there is something going wrong with rsyslog and it just isn't sending the files.

1
  • Have you tried using tcpdump to see whether the traffic is being received on the remote machine? Commented Aug 9, 2014 at 18:19

1 Answer

3

If I'm not mistaken, rsyslog forwards logs over TCP (in the config file, this is listed as "for reliability"), but fluentD's listener defaults to listening on UDP. This change to your fluentD config should allow you to receive the logs on TCP:

    <source>
      type syslog
      port 42185
      protocol_type tcp
      tag rsyslog
    </source>

If you're still not receiving logs after making this change, I would check with tcpdump whether the traffic is being received on the agent:

    tcpdump -i any port 42185

This should also indicate whether TCP or UDP is being received (since it only specifies the port, not tcp or udp as well).

EDIT: in addition to this, make sure your rsyslog config is correct. All examples I've seen and used have a double @@ in the forward rule:

    *.* @@192.168.29.1:42185

http://www.rsyslog.com/doc/rsyslog_reliable_forwarding.html

1
  • Thank you, I got it working. I forgot that tcpdump will also consume the packets, so I wasted some time on that. I think the protocol_type was the final piece missing. Commented Aug 11, 2014 at 17:21
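The mismatch in this thread is a transport mismatch: in rsyslog's forwarding syntax a single @ sends over UDP and @@ sends over TCP, while fluentd's syslog input listens on UDP unless protocol_type tcp is set, so both sides have to be changed together. The script below is an added example, not code from either poster, that reads an rsyslog forwarding rule and a td-agent <source> block and reports whether the two sides agree on port and transport before you reach for tcpdump. All names (parse_rsyslog_forwards, parse_fluentd_syslog_sources, check_transport_match) and the sample configs are constructed for this example; the default ports it assumes (514 for rsyslog, 5140 for fluentd's in_syslog) are the documented defaults, not values from the thread.

```python
import re

# Constructed sample inputs modelled on the configs in the thread above.
RSYSLOG_UDP = "*.* @192.168.29.1:42185 # Default rules for rsyslog.\n"
RSYSLOG_TCP = "*.* @@192.168.29.1:42185\n"

TD_AGENT_UDP = """\
<source>
  type syslog
  port 42185
  tag rsyslog
</source>
"""

TD_AGENT_TCP = """\
<source>
  type syslog
  port 42185
  protocol_type tcp
  tag rsyslog
</source>
"""

# rsyslog legacy forwarding action: selector, then @host[:port] (UDP) or
# @@host[:port] (TCP). Optional "(...)" action options after the @ are skipped.
FORWARD_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<at>@@?)(?:\([^)]*\))?"
    r"(?P<host>\[[^\]]+\]|[^\s:#]+)(?::(?P<port>\d+))?"
)

SOURCE_RE = re.compile(r"<source>(.*?)</source>", re.S)


def parse_rsyslog_forwards(text):
    """Return [(selector, transport, host, port)] for every forwarding rule."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = FORWARD_RE.match(line)
        if not m:
            continue
        transport = "tcp" if m.group("at") == "@@" else "udp"
        port = int(m.group("port") or 514)  # rsyslog's default syslog port
        rules.append((m.group("selector"), transport, m.group("host").strip("[]"), port))
    return rules


def parse_fluentd_syslog_sources(text):
    """Return [(port, transport)] for every <source> block of type syslog."""
    sources = []
    for block in SOURCE_RE.findall(text):
        params = {}
        for raw in block.splitlines():
            raw = raw.split("#", 1)[0].strip()
            if not raw:
                continue
            parts = raw.split(None, 1)
            # accept both the old "type" and the newer "@type" key
            params[parts[0].lstrip("@")] = parts[1].strip() if len(parts) > 1 else ""
        if params.get("type") != "syslog":
            continue
        port = int(params.get("port", 5140))  # in_syslog's documented default port
        transport = params.get("protocol_type", "udp").lower()  # in_syslog defaults to UDP
        sources.append((port, transport))
    return sources


def check_transport_match(rsyslog_text, fluentd_text):
    """Return a list of findings; an empty list means every rule has a matching listener."""
    findings = []
    listeners = parse_fluentd_syslog_sources(fluentd_text)
    for selector, transport, host, port in parse_rsyslog_forwards(rsyslog_text):
        on_port = [t for p, t in listeners if p == port]
        if not on_port:
            findings.append(f"{selector} -> {host}:{port}/{transport}: "
                            f"no fluentd syslog source listens on port {port}")
        elif transport not in on_port:
            fix_at = "@@" if "tcp" in on_port else "@"
            findings.append(f"{selector} -> {host}:{port}/{transport}: fluentd listens on "
                            f"{port}/{','.join(on_port)}; use {fix_at} in rsyslog or set "
                            f"protocol_type {transport} in fluentd")
    return findings


if __name__ == "__main__":
    for label, rs, td in (("udp rsyslog, udp fluentd", RSYSLOG_UDP, TD_AGENT_UDP),
                          ("tcp rsyslog, udp fluentd", RSYSLOG_TCP, TD_AGENT_UDP),
                          ("tcp rsyslog, tcp fluentd", RSYSLOG_TCP, TD_AGENT_TCP)):
        print(label, "->", check_transport_match(rs, td) or "OK")
```

Run it against your real files by reading /etc/rsyslog.d/50-default.conf and /etc/td-agent/td-agent.conf into the two arguments; a finding tells you which side to change, and an empty result means the next step is confirming delivery with tcpdump as the answer suggests. The checker only knows the legacy @/@@ syntax and the syslog source type, so rules written with omfwd action() syntax or sources that use the forward input are not covered.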
