Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for BSD style syslog messages RFC 3164 to syslog input #4593

Closed
vit1251 opened this issue Aug 25, 2018 · 8 comments · Fixed by #8454
Closed

Add support for BSD style syslog messages RFC 3164 to syslog input #4593

vit1251 opened this issue Aug 25, 2018 · 8 comments · Fixed by #8454
Labels
area/syslog feature request Requests for new plugin and for new features to existing plugins platform/bsd upstream bug or issues that rely on dependency fixes

Comments

@vit1251
Copy link

vit1251 commented Aug 25, 2018

Relevant telegraf.conf:

=udp4://:6514

System info:

1.7.3

Steps to reproduce:

  1. Setup UDP input syslog plugin
  2. Setup nginx output in that UDP port

Expected behavior:

Message store in InfluxDB

Actual behavior:

Error in plugin [inputs.syslog]: read udp4 0.0.0.0:6514: i/o timeout

Additional info:

No idea.
@danielnelson danielnelson added the bug unexpected problem or unintended behavior label Aug 27, 2018
@danielnelson
Copy link
Contributor

Can you show your nginx config for sending over UDP?

@vit1251
Copy link
Author

vit1251 commented Aug 27, 2018
edited
Loading

@danielnelson I setup nginx by manual at address http://nginx.org/en/docs/syslog.html

access_log syslog:server=127.0.0.1:6514,tag=nginx;

I watch tcpdump UDP and view that UDP packet push on lo interface.

@danielnelson
Copy link
Contributor

I believe the issue is that nginx outputs only in RFC 3164, but the syslog input only does RFC 5424 messages. There is an issue on go-syslog to add support: influxdata/go-syslog#15.

In the meantime I think a workaround would be to use rsyslog to convert between formats.

@danielnelson danielnelson added feature request Requests for new plugin and for new features to existing plugins upstream bug or issues that rely on dependency fixes and removed bug unexpected problem or unintended behavior labels Aug 27, 2018
@vit1251
Copy link
Author

vit1251 commented Aug 28, 2018

@danielnelson maybe an interesting fact or my mistake I'm not exactly sure but... after error ocuire I try to make custom message by logger from shell and no message pass in Influx. I guess that parsing goroutine ended and no more ready to receive UDP packet. Perhaps this is a mistake.

@danielnelson
Copy link
Contributor

I set up rsyslog to forward over UDP:

$ cat /etc/rsyslog.d/50-telegraf.conf
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

*.* @127.0.0.1:6514;RSYSLOG_SyslogProtocol23Format

And then used the logger command from util-linux:

$ logger test

I did get the message, but also an error message:

2018-08-28T20:30:30Z E! Error in plugin [inputs.syslog]: read udp [::]:6514: i/o timeout
syslog,appname=dbn,facility=user,host=debian-stretch-syslog.virt,hostname=debian-stretch-syslog,severity=notice version=1i,severity_code=5i,facility_code=1i,timestamp=1535488225311326000i,message=" test" 1535488225311871493

Afterwards, I am unable to send to this socket. I think we just want to remove the deadline for the UDP socket altogether, I'll put together a pr.

@danielnelson danielnelson mentioned this issue Aug 28, 2018
Merged
3 tasks
@danielnelson
Copy link
Contributor

@vit1251 You should be able to craft a message directly now if you use the nightly builds.

@danielnelson danielnelson changed the title Syslog input plugin i/o error on UDP socket Add support for BSD style syslog messages RFC 3164 to syslog input Aug 31, 2018
@danielnelson danielnelson mentioned this issue Sep 14, 2018
Closed
@danielnelson danielnelson mentioned this issue Oct 22, 2018
Closed
@danielnelson danielnelson mentioned this issue May 8, 2019
Closed
@danielnelson danielnelson mentioned this issue Aug 28, 2019
Closed
3 tasks
@russorat russorat added this to the 1.14.0 milestone Nov 1, 2019
@leodido leodido mentioned this issue Feb 13, 2020
Closed
@sjwang90 sjwang90 modified the milestones: 1.14.0, 1.15.0 Mar 6, 2020
@NWMichl
Copy link

NWMichl commented Apr 5, 2020

+1 for adding RFC 3164 style (UDP) syslog receiver to Telegraf.
(Not only) We have tons of network equipment in the field without the capability to send according to RFC5424 format.

@janitha
Copy link

janitha commented Apr 29, 2020

go-syslog now supports RFC 3164 as per influxdata/go-syslog#27 (merged feb 3)

@sjwang90 sjwang90 modified the milestones: 1.15.0, 1.16.0 Jun 26, 2020
@sjwang90 sjwang90 modified the milestones: 1.16.0, Planned Sep 28, 2020
@thepacketgeek thepacketgeek mentioned this issue Nov 22, 2020
Merged
3 tasks
@sjwang90 sjwang90 removed this from the Planned milestone Jan 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/syslog feature request Requests for new plugin and for new features to existing plugins platform/bsd upstream bug or issues that rely on dependency fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Migrate syslog/v2 to syslog/v3 (adds RFC3164 support to inputs.syslog) (#4593)
7 participants
@vit1251 @janitha @danielnelson @russorat @sjwang90 @helenosheaa @NWMichl