Hi,

On 2023-10-30 (Mon.) 15:55, Hellwig, Sören wrote:
Hello Support-Team,

we are using the HAProxy as load balancer for our Graylog servers.

Which version of HAProxy?

haproxy -vv

The TCP based protocols work fine, but we have some trouble with the syslog forwarding.

Our configuration file *haproxy.cfg* looks like this:

log-forward syslog
         # accept incoming UDP messages
         dgram-bind 10.1.2.50:514 transparent
         # log message into ring buffer
         log ring@logbuffer format rfc5424 local0

ring logbuffer
         description "buffer for syslog"
         format rfc5424
         maxlen 1200
         size 32764
         timeout connect 5s
         timeout server 10s
         # send outgoing messages via TCP
         server logserver1 10.1.2.44:1514 log-proto octet-count check
        #server logserver1 10.1.2.44:1514 log-proto octet-count check source 0.0.0.0 usesrc clientip

The syslog messages are forwarded to the logserver1 10.1.2.44. Unfortunately some older Cisco switches did not send the hostname or IP address in the syslog packet.

Is there any chance to route the client IP through the ring buffer to the logserver1?

As HAProxy does not handle the syslog protocol, there isn't an option to add this info into the syslog protocol. A possible solution is to use, for these specific devices, a syslog receiver like fluentbit or rsyslog which adds the information and forwards the log line to haproxy or the destination server.

https://docs.fluentbit.io/manual/pipeline/inputs/syslog
https://docs.fluentbit.io/manual/pipeline/filters/record-modifier
https://docs.fluentbit.io/manual/pipeline/outputs

https://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_input.html
https://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_messagemod.html
https://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_output.html

Just some ideas how to solve the issue.

The command *source* is not allowed in the *ring* section. If I uncomment the last line no data is sent to the logserver1.

Best regards,

Sören Hellwig

Dipl.-Ing. (FH) technische Informatik

Best regards
Alex
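
An added example (not from the thread, and standing in for the rsyslog or Fluent Bit receiver suggested above): a Python UDP-to-TCP relay that writes the datagram's source IP into the RFC 5424 HOSTNAME field when the device sent none, then forwards with octet-count framing. The function names, the listen port 5514 and the rewrapping of legacy messages into RFC 5424 are assumptions of this example.

```python
import re
import socket
from datetime import datetime, timezone

# <PRI>1 TIMESTAMP HOSTNAME rest-of-header-and-message (RFC 5424)
RFC5424 = re.compile(rb"^<(\d{1,3})>1 (-|\d{4}-\S+) (\S+) (.*)$", re.DOTALL)
PRI = re.compile(rb"^<(\d{1,3})>")

def add_sender(datagram: bytes, src_ip: str, now: datetime) -> bytes:
    """Return an RFC 5424 message whose HOSTNAME field identifies the sender."""
    data = datagram.rstrip(b"\r\n\x00")
    host = src_ip.encode()
    m = RFC5424.match(data)
    if m and int(m.group(1)) <= 191:
        pri, ts, sent_host, rest = m.groups()
        if sent_host != b"-":          # device supplied a hostname: keep it
            host = sent_host
        return b"<%s>1 %s %s %s" % (pri, ts, host, rest)
    # Legacy payload (e.g. "<189>45: *Mar  1 00:01:02: %LINK-3-UPDOWN: ..."):
    # no reliable hostname field, so wrap it in a fresh RFC 5424 header.
    m = PRI.match(data)
    if m and int(m.group(1)) <= 191:
        pri, body = m.group(1), data[m.end():]
    else:
        pri, body = b"13", data        # no valid PRI: default to user.notice
    ts = now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ").encode()
    return b"<%s>1 %s %s - - - - %s" % (pri, ts, host, body)

def octet_frame(msg: bytes) -> bytes:
    """RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG."""
    return b"%d %s" % (len(msg), msg)

def relay(listen: tuple, dest: tuple) -> None:
    """Receive UDP syslog on `listen`, forward framed messages over TCP to `dest`."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    with socket.create_connection(dest) as tcp:
        while True:
            data, (src_ip, _port) = udp.recvfrom(8192)
            # UDP source addresses are unauthenticated; treat the value as a hint.
            msg = add_sender(data, src_ip, datetime.now(timezone.utc))
            tcp.sendall(octet_frame(msg))

if __name__ == "__main__":
    # Listen address is an assumption; destination is the log server from the post.
    relay(("0.0.0.0", 5514), ("10.1.2.44", 1514))
```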
