Hi Sören.

On 2023-11-01 (Wed.) 18:18, Hellwig, Sören wrote:

Hello Alex,
I can compile the version 2.8.3 from source and install the actual release of
the 2.8 LTS version.

Yes, you can, but this will not solve the issue.
Have you read the full mail from the first answer? There are some suggestions
on how to solve the issue.

Best regards,
Sören Hellwig

Regards
Alex
-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Wednesday, 1 November 2023 15:36
To: Hellwig, Sören <s.hell...@uke.de>; haproxy@formilux.org
Subject: [EXT] Re: AW: Re: Question about syslog forwarding with HAProxy with
keeping the client IP
On 2023-11-01 (Wed.) 15:17, Hellwig, Sören wrote:

Hello Aleksandar,
thank you for your reply. We are using HAProxy under SLES 15 SP4 and here is
the version info:

srvkdgrllbp01:/etc/haproxy # haproxy -vv
HAProxy version 2.8.0-fdd8154 2023/05/31 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.0.html

Uff, that's old. Can you update?
Have you seen the rest of the answer in the previous mail, also?

Regards
Alex

Running on: Linux 5.14.21-150400.24.81-default #1 SMP PREEMPT_DYNAMIC Tue Aug 8 14:10:43 UTC 2023 (90a74a8) x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement
-Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2
-Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered
-Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int
-Wno-atomic-alignment
OPTIONS = USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY
+CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE
-LIBATOMIC +LIBCRYPT +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH
-MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL
-OPENSSL_WOLFSSL -OT +PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL
-PROCCTL -PROMEX -PTHREAD_EMULATION -QUIC +RT +SHM_OPEN +SLZ +SSL
-STATIC_PCRE -STATIC_PCRE2 +SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY
-WURFL -ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 1.1.1l 24 Aug 2021 SUSE release SUSE_OPENSSL_RELEASE
Running on OpenSSL version : OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.53.1
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.6
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE version : 8.45 2021-06-15
Running on PCRE version : 8.45 2021-06-15
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 7.5.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : none
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
Best regards,
Sören Hellwig
-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Monday, 30 October 2023 17:58
To: Hellwig, Sören <s.hell...@uke.de>; haproxy@formilux.org
Subject: [EXT] Re: Question about syslog forwarding with HAProxy with
keeping the client IP

Hi,

On 2023-10-30 (Mon.) 15:55, Hellwig, Sören wrote:
Hello Support-Team,
we are using the HAProxy as load balancer for our Graylog servers.
Which version of HAProxy?
haproxy -vv
The TCP based protocols work fine, but we have some trouble with the
syslog forwarding.
Our configuration file *haproxy.cfg* looks like this:
log-forward syslog
    # accept incoming UDP messages
    dgram-bind 10.1.2.50:514 transparent
    # log message into ring buffer
    log ring@logbuffer format rfc5424 local0

ring logbuffer
    description "buffer for syslog"
    format rfc5424
    maxlen 1200
    size 32764
    timeout connect 5s
    timeout server 10s
    # send outgoing messages via TCP
    server logserver1 10.1.2.44:1514 log-proto octet-count check
    #server logserver1 10.1.2.44:1514 log-proto octet-count check source 0.0.0.0 usesrc clientip
The syslog messages are forwarded to the logserver1 10.1.2.44.
Unfortunately some older Cisco switches did not send the hostname or
IP address in the syslog packet.
Is there any chance to route the client IP through the ringbuffer to the
logserver1?

As HAProxy does not handle the syslog protocol, there isn't an option to add this
info into the syslog protocol. A possible solution is to use, for these specific
devices, a syslog receiver like fluentbit or rsyslog which adds the information
and forwards the log line to haproxy or the destination server.

https://docs.fluentbit.io/manual/pipeline/inputs/syslog
https://docs.fluentbit.io/manual/pipeline/filters/record-modifier
https://docs.fluentbit.io/manual/pipeline/outputs

https://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_input.html
https://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_messagemod.html
https://www.rsyslog.com/doc/v8-stable/configuration/modules/idx_output.html

Just some ideas how to solve the issue.

The command *source* is not allowed in the *ring* section. If I
uncomment the last line no data is sent to the logserver1.
Best regards,
Sören Hellwig
Dipl.-Ing. (FH) technische Informatik
Best regards
Alex
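
Added example (not code from this thread, and not how HAProxy, rsyslog or Fluent Bit are implemented): the client address exists only as the UDP source address seen by the first receiver, so that hop has to write it into the message before forwarding. `rewrap` and `relay` are hypothetical names; the listen and upstream addresses are the ones from the configuration above; putting the sender IP into the RFC 5424 HOSTNAME field and leaving the other header fields nil is an assumption.

```python
import re
import socket
from datetime import datetime, timezone

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def rewrap(datagram: bytes, sender_ip: str, received: datetime) -> bytes:
    """Build one octet-counted RFC 5424 frame whose HOSTNAME is sender_ip.

    sender_ip is the UDP source address from recvfrom(); UDP does not
    authenticate it, so treat it as an origin hint, not as proof.
    """
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:      # valid facility*8 + severity
        pri, body = int(m.group(1)), datagram[m.end():]
    else:                                 # RFC 3164 relay default: user.notice
        pri, body = 13, datagram
    body = body.rstrip(b"\r\n\x00")
    ts = received.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    # VERSION 1; APP-NAME, PROCID, MSGID and STRUCTURED-DATA are nil ("-")
    header = b"<%d>1 %s %s - - - - " % (pri, ts.encode(), sender_ip.encode())
    msg = header + body
    return b"%d %s" % (len(msg), msg)     # octet-count framing: "LEN SP MSG"


def relay(listen=("10.1.2.50", 514), upstream=("10.1.2.44", 1514)):
    """Receive UDP syslog and forward it over TCP with the sender IP added."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    with rx, socket.create_connection(upstream) as tx:
        while True:
            data, (ip, _port) = rx.recvfrom(65535)
            tx.sendall(rewrap(data, ip, datetime.now(timezone.utc)))


if __name__ == "__main__":
    relay()
```

The original device text is kept unchanged as the message body, so nothing the switch sent is lost when the header is added.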