Hello,
I'm trying to setup haproxy RFC5424 logging to localhost and forwarding to a
central log aggregator with rsyslog.
Although this setup sounds quite straight forward and common to me, it's really
hard to setup due to weak documentation of both - haproxy and rsyslog - in this
context and a lack of examples.
Nevertheless I've succeeded after some hours of trial-and-error...
Only my settings do not work in case of SSL handshake problems. In this case I
still get standard log messages from haproxy. Is it possible to setup RFC5424
also for this case?
These are my settings:
global
log localhost:1514 format rfc5424 local0
log-send-hostname
[...]
defaults
log global
log-format-sd %{+E}o[my_sdid@12345\ client_ip=\"%ci\"\ client_port=\"%cp\"\
haproxy_frontend=\"%ft\"\ haproxy_backend=\"%b\"\ haproxy_server=\"%s\"\
haproxy_time_receive=\"%TR\"\ haproxy_time_queue=\"%Tc\"\
haproxy_time_response=\"%Tr\"\ haproxy_time_total=\"%Ta\"\
http_status_code=\"%ST\"\ bytes_read=\"%B\"\ haproxy_termination_state=\"%ts\"\
haproxy_total_connections=\"%ac\"\ haproxy_frontend_connections=\"%fc\"\
haproxy_backend_connections=\"%bc\"\ haproxy_server_connections=\"%sc\"\
haproxy_server_retries=\"%rc\"\ haproxy_server_queue=\"%sq\"\
haproxy_backend_queue=\"%bq\"\ http_request_headers=\"%hr\"\
http_response_headers=\"%hs\"\ http_request_method=\"%HM\"\
http_version=\"%HV\"\ http_request_path=\"%HPO\"\ http_request_query=\"%HQ\"]
option httplog
[...]
frontend my_frontend
mode http
bind 1.2.3.4:443 ssl [...]
[...]
backend my_backend
[...]
A "normal" log message looks like this:
<134>1 2023-04-05T09:00:14.893116+02:00 my_host haproxy 94107 - [my_sdid@12345
client_ip="4.3.2.1" client_port="65344" haproxy_frontend="my_frontend~"
haproxy_backend="my_backend" haproxy_server="my_server01"
haproxy_time_receive="0" haproxy_time_queue="1" haproxy_time_response="4"
haproxy_time_total="5" http_status_code="200" bytes_read="168"
haproxy_termination_state="--" haproxy_total_connections="1"
haproxy_frontend_connections="1" haproxy_backend_connections="0"
haproxy_server_connections="0" haproxy_server_retries="0"
haproxy_server_queue="0" haproxy_backend_queue="0"
http_request_headers="{my_user_agent}" http_response_headers=""
http_request_method="GET" http_version="HTTP/1.1" http_request_path="/path"
http_request_query="?query=foo"] 4.3.2.1:65344 [05/Apr/2023:09:00:14.887]
my_frontend~ my_backend/my_server01 0/0/1/4/5 200 168 - - ---- 1/1/0/0/0 0/0
{my_user_agent} "GET /path?query=foo HTTP/1.1"
In case the SSL handshake fails (e.g. because of a simple TCP connection check):
<134>1 2023-04-05T09:00:14.047002+02:00 my_host haproxy 94107 - - 4.3.2.1:65341
[05/Apr/2023:09:00:13.996] my_frontend/1: Connection closed during SSL handshake
Thanks and Regards,
Carsten
