Mustafa Uysal

I'm traveling light, it's au revoir…

Sending HAProxy logs to Graylog

I just finished the setup of a brand new Graylog 3 server and wanted to share my configuration for sending HAProxy logs. I’m not digging into the server setup. It’s super simple; you can find out docker-compose configuration on the official docs. https://docs.graylog.org/en/3.0/pages/installation/docker.html

Don’t be stingy for the ram; give the proper space for god’s sake. (depends on your data for sure)

Here is the configuration that I use:

# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
$AddUnixListenSocket /var/lib/haproxy/dev/log
# Send HAProxy messages to a dedicated logfile
if $programname startswith 'haproxy' then /var/log/haproxy.log
if $syslogtag contains 'haproxy' then @192.168.1.10:1514;GRAYLOGRFC5424
&~
view raw 49-haproxy.conf hosted with ❤ by GitHub
.
.
.
defaults
mode http
log global
log-format {"haproxy_clientIP":"%ci","haproxy_clientPort":"%cp","haproxy_dateTime":"%t","haproxy_frontendNameTransport":"%ft","haproxy_backend":"%b","haproxy_serverName":"%s","haproxy_Tw":"%Tw","haproxy_Tc":"%Tc","haproxy_Tt":"%Tt","haproxy_bytesRead":"%B","haproxy_terminationState":"%ts","haproxy_actconn":%ac,"haproxy_FrontendCurrentConn":%fc,"haproxy_backendCurrentConn":%bc,"haproxy_serverConcurrentConn":%sc,"haproxy_retries":%rc,"haproxy_srvQueue":%sq,"haproxy_backendQueue":%bq,"haproxy_backendSourceIP":"%bi","haproxy_backendSourcePort":"%bp"}
option httplog
.
.
.
.
.
.
view raw haproxy.cfg hosted with ❤ by GitHub
  1. add “log-format” to your haproxy configuration and then reload the service.
  2. change IP address and make sure the port mapped properly on the docker configuration.
  3. restart rsyslog service
Go On Popcorn GIF - Find & Share on GIPHY
now you can watch the stream πŸ™‚

remember: “iptables -L” is your friend πŸ˜‰

4 responses

  1. Felipe Avatar

    how about graylog configuration part?
    should it be a GELF ? RAW syslog ? and how is the parse done?
    pelase share
    thx

    1. mustafauysal Avatar
      mustafauysal

      Syslog UDP. You can use extractors for parsing.

      1. Chandra Avatar
        Chandra

        Can you also explain process for haproxy enterprise edition

        1. mustafauysal Avatar
          mustafauysal

          I have no experience with the enterprise edition. However, I don’t think it will be any different.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.