syslog_forwarder job from syslog/11.7.7
Github source:
c8610e0
or
master branch
Properties¶
logging
¶
format
¶
timestamp
¶Format for timestamp in log file forwarder logs. Valid values are ‘deprecated’ and ‘rfc3339’.
- Default
deprecated
syslog
¶
address
¶IP or DNS address of the syslog server.
- Example
logs4.papertrail.com
blackbox
¶
limit_cpu
¶limit goprocess to a single cpu via gomaxprocs
- Default
true
log_filename
¶If set to true, log lines are also tagged with filename in the format /.
- Default
false
source_dir
¶directory with subdirectories containing log files. log lines will be tagged with subdirectory name.
- Default
/var/vcap/sys/log
ca_cert
¶Trusted CAs. Necessary if TLS is enabled AND signing CA is not present in instance cert store. Overrides instance cert store if set.
- Example
|+ -----BEGIN CERTIFICATE----- MIIClTCCAf4CCQDc6hJtvGB8RjANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMC... -----END CERTIFICATE-----
custom_rule
¶Custom rsyslog rule for event forwarder. This will be inserted before the forwarding rule. See further discussion and examples in example-custom-rules.md at the top level of the release repo.
- Default
""
director
¶BOSH Director name
- Default
""
fallback_servers
¶List of fallback servers to be used if the primary syslog server is down. Only tcp or relp protocols are supported. Each list entry should consist of “address”, “transport” and “port” keys.
- Default
[]- Example
- address: logs5.papertrail.com port: 44312 transport: tcp
filter_legacy_vcap_messages
¶Drop messages with an app name that starts with “vcap.” This is intended to prevent near-identical duplicates when using forward_files with legacy Cloud Foundry jobs, which generally use tee to send logs to syslog directly in addition to writing them to the filesystem. This should probably be set to true in any deployment of Cloud Foundry Application Runtime. This may be on by default in the future, though this would be a breaking/major version change.
- Default
false
forward_files
¶If enabled, use BlackBox to forward logs.
- Default
true
heuristically_filter_debug_messages
¶Drop messages with an msg that start with “DEBUG”. This is intended to prevent high-volume, low-value debug logs from overwhelming syslog receivers, while still allowing the UAA job to log its debug messages to disk for support-enablement purposes. While this may impact other logs, most other jobs are not generally configured to emit debug logs, and anyone who wants to filter out UAA’s debug volume likely doesn’t mind losing the other debug volume, too. This filter is necessarily heuristic/string-based because syslog PRI information is not meaningful in logs produced by blackbox.
- Default
false
max_message_size
¶Sets the $MaxMessageSize configuration flag for rsyslog.
- Default
8k
migration
¶
disabled
¶Deprecated. Allows systems that cannot modify their deployment topology to use this release. Do not use if you’re not already relying on this capability. If true, does not forward syslogs, and does not require any other properties be provided. Overrides all other configuration.
- Default
false
permitted_peer
¶Accepted fingerprint (SHA1) or name of remote peer. Only used if TLS is enabled. If not specified, will use the configured forwarding address.
- Example
'*.papertrail.com'
port
¶Port of the syslog server.
- Default
514
queue_checkpoint_interval
¶write bookkeeping information on checkpoints (every n records)
- Default
100
queue_discard_mark
¶After this number of messages are queued, purge messages whose severity is greater than or equal to DiscardSeverity.
- Default
97500
queue_discard_severity
¶This discards queued messages of this severity or higher when the
queue_discard_mark
is reached. Setting this to ‘0’ will discard all queued messages when thequeue_discard_mark
is reached.
- Default
0
queue_file_name
¶Spill to disk if queue is full.
- Default
agg_backlog
queue_high_water_mark
¶Num messages. Assuming avg size of 512B, this is 4MiB. (If this is reached, messages will spill to disk until the low watermark is reached).
- Default
80000
queue_low_water_mark
¶Number of messages. Assuming avg size of 512B, this is 1MiB.
- Default
2000
queue_max_disk_space
¶Max size for disk queue.
- Default
128m
queue_save_on_shutdown
¶Save in-memory data to disk if rsyslog shuts down. Must be “on” or “off”
- Default
true
queue_size
¶Store no more than this number syslog messages in memory.
- Default
100000
queue_timeout_enqueue
¶Discard messages if the queue + disk is full
- Default
0
respect_file_permissions
¶If enabled, log files will be forwarded if and only if they satisfy any of the following: - world-readable - readable by the syslog user - readable by the vcap group (note: the vcap user is insufficient, it must be the group.)
- Default
false
resume_interval
¶When action is suspended (dest not connected), retry after this number of seconds
- Default
10
tls_enabled
¶Set this to true to enable TLS.
- Default
false
transport
¶One of
udp
,tcp
,relp
.
- Default
tcp
use_tcp_for_file_forwarding_local_transport
¶If enabled, Blackbox will use TCP rather than UDP when forwarding loglines from files to the local rsyslog. Does not affect forwarding to remote addresses. This prevents truncation of log lines over 1KB, but may have undesirable performance impact.
- Default
false
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/syslog_forwarder/
directory
(learn more).
bin/blackbox_ctl
(fromblackbox_ctl.erb
)bin/drain
(fromdrain.erb
)bin/pre-start
(frompre-start.erb
)config/blackbox_config.yml
(fromblackbox_config.yml.erb
)config/ca_cert.pem
(fromca_cert.pem.erb
)config/syslog-release-custom-rules.conf
(fromsyslog-release-custom-rules.conf.erb
)config/syslog-release-debug-filter.conf
(fromsyslog-release-debug-filter.conf.erb
)config/syslog-release-file-exclusion.conf
(fromsyslog-release-file-exclusion.conf.erb
)config/syslog-release-forwarding-rules.conf
(fromsyslog-release-forwarding-rules.conf.erb
)config/syslog-release-forwarding-setup.conf
(fromsyslog-release-forwarding-setup.conf.erb
)config/syslog-release-vcap-filter.conf
(fromsyslog-release-vcap-filter.conf.erb
)config/syslog-release.conf
(fromsyslog-release.conf.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.