Hello,
On 05/04/2023 09:39, Scharfenberg, Carsten wrote:
Hello,
I’m trying to set up haproxy RFC5424 logging to localhost and
forwarding to a central log aggregator with rsyslog.
Although this setup sounds quite straightforward and common to me,
it’s really hard to set up due to weak documentation of both – haproxy
and rsyslog – in this context and a lack of examples.
Nevertheless I’ve succeeded after some hours of trial-and-error…
Only my settings do not work in case of SSL handshake problems. In
this case I still get standard log messages from haproxy. Is it
possible to set up RFC5424 also for this case?
These are my settings:
global
    log localhost:1514 format rfc5424 local0
    log-send-hostname
    […]

defaults
    log global
    log-format-sd %{+E}o[my_sdid@12345\ client_ip=\"%ci\"\ client_port=\"%cp\"\ haproxy_frontend=\"%ft\"\ haproxy_backend=\"%b\"\ haproxy_server=\"%s\"\ haproxy_time_receive=\"%TR\"\ haproxy_time_queue=\"%Tc\"\ haproxy_time_response=\"%Tr\"\ haproxy_time_total=\"%Ta\"\ http_status_code=\"%ST\"\ bytes_read=\"%B\"\ haproxy_termination_state=\"%ts\"\ haproxy_total_connections=\"%ac\"\ haproxy_frontend_connections=\"%fc\"\ haproxy_backend_connections=\"%bc\"\ haproxy_server_connections=\"%sc\"\ haproxy_server_retries=\"%rc\"\ haproxy_server_queue=\"%sq\"\ haproxy_backend_queue=\"%bq\"\ http_request_headers=\"%hr\"\ http_response_headers=\"%hs\"\ http_request_method=\"%HM\"\ http_version=\"%HV\"\ http_request_path=\"%HPO\"\ http_request_query=\"%HQ\"]
    option httplog
    […]

frontend my_frontend
    mode http
    bind 1.2.3.4:443 ssl […]
    […]

backend my_backend
    […]
A “normal” log message looks like this:
<134>1 2023-04-05T09:00:14.893116+02:00 my_host haproxy 94107 -
[my_sdid@12345 client_ip="4.3.2.1" client_port="65344"
haproxy_frontend="my_frontend~" haproxy_backend="my_backend"
haproxy_server="my_server01" haproxy_time_receive="0"
haproxy_time_queue="1" haproxy_time_response="4"
haproxy_time_total="5" http_status_code="200" bytes_read="168"
haproxy_termination_state="--" haproxy_total_connections="1"
haproxy_frontend_connections="1" haproxy_backend_connections="0"
haproxy_server_connections="0" haproxy_server_retries="0"
haproxy_server_queue="0" haproxy_backend_queue="0"
http_request_headers="{my_user_agent}" http_response_headers=""
http_request_method="GET" http_version="HTTP/1.1"
http_request_path="/path" http_request_query="?query=foo"]
4.3.2.1:65344 [05/Apr/2023:09:00:14.887] my_frontend~
my_backend/my_server01 0/0/1/4/5 200 168 - - ---- 1/1/0/0/0 0/0
{my_user_agent} "GET /path?query=foo HTTP/1.1"
In case the SSL handshake fails (e.g. because of a simple TCP
connection check):
<134>1 2023-04-05T09:00:14.047002+02:00 my_host haproxy 94107 - -
4.3.2.1:65341 [05/Apr/2023:09:00:13.996] my_frontend/1: Connection
closed during SSL handshake

You might want to have a look at the "error-log-format" option that
would allow you to define a dedicated log-format in case of SSL
handshake errors (among others). The log line you have corresponds
precisely to the legacy error log format that is used if no specific
'error-log-format' is defined.
Regards
Rémi Le Breton
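
For the aggregator side of the setup discussed in this thread, an added example (not written by either poster, and not HAProxy or rsyslog code): a small Python parser that reads both message shapes quoted above, the one carrying structured data and the one with a nil SD field followed by the legacy error text, and returns the client address from either. The sample lines are constructed by shortening the messages in the thread, and the function names are made up for the example.

```python
import re

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
SD_ID = re.compile(r'\[([^\s="\]]+)')
# SD-PARAM: name="value"; the characters ", \ and ] are backslash-escaped in values
PARAM = re.compile(r' ([^\s="\]]+)="((?:[^"\\\]]|\\.)*)"')
# Legacy error line as quoted in the thread: ip:port [date] frontend/listener: reason
LEGACY = re.compile(r"(\S+):(\d+) \[[^\]]+\] (\S+): (.*)")

def parse_rfc5424(line):
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri, pos, sd = int(m.group(1)), m.end(), {}
    if line.startswith("-", pos):                  # NILVALUE: no structured data
        pos += 1
    while (sd_id := SD_ID.match(line, pos)):       # zero or more SD-ELEMENTs
        pos, params = sd_id.end(), {}
        while (p := PARAM.match(line, pos)):
            params[p.group(1)] = re.sub(r'\\(["\\\]])', r"\1", p.group(2))
            pos = p.end()
        if not line.startswith("]", pos):
            raise ValueError("malformed SD-ELEMENT")
        sd[sd_id.group(1)] = params
        pos += 1
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group(3),
            "app": m.group(4), "sd": sd, "msg": line[pos:].lstrip(" ")}

def client_fields(rec):
    """Client ip/port from structured data, else from the legacy error text."""
    for params in rec["sd"].values():
        if "client_ip" in params:
            return {"client_ip": params["client_ip"],
                    "client_port": params.get("client_port"), "source": "sd"}
    m = LEGACY.match(rec["msg"])
    if m:
        return {"client_ip": m.group(1), "client_port": m.group(2),
                "source": "legacy", "reason": m.group(4)}
    return None

# Constructed samples, shortened from the two messages quoted in the thread
NORMAL = ('<134>1 2023-04-05T09:00:14.893116+02:00 my_host haproxy 94107 - [my_sdid@12345 '
          'client_ip="4.3.2.1" client_port="65344" http_status_code="200"] 4.3.2.1:65344 my_frontend~')
HANDSHAKE = ('<134>1 2023-04-05T09:00:14.047002+02:00 my_host haproxy 94107 - - 4.3.2.1:65341 '
             '[05/Apr/2023:09:00:13.996] my_frontend/1: Connection closed during SSL handshake')
```
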