Hello,
I am trying to configure telegraf (v1.20.4) to collect syslog messages from a CentOS server and see partial (best_effort=true) or no metrics (best_effort=false) collected in the output file. The OS has syslog-ng configured and I am restricted from installing rsyslog (so I cannot have rsyslog installed here, which would have made my job easy). I am using the telegraf syslog input plugin to collect syslog messages via UDP on port 6514. Below I summarize my system setup and environment details.
OS
$ uname -r
5.10.74-200.1644.tis.rt.el7.x86_64
$ cat /etc/*release
CentOS Linux release 7.6.1810 (Core)
Telegraf 1.20.4
Plugin Configuration
[[inputs.syslog]]
server = "udp://127.0.0.1:6514"
keep_alive_period = "5m"
read_timeout = "0"
trailer = "LF"
best_effort = false
syslog_standard = "RFC3164"
syslog-ng
$ sudo syslog-ng --version
syslog-ng 3.5.6
syslog-ng.conf
destination remote_log_server {udp("127.0.0.1" port(6514));};
log { source(s_src); destination(remote_log_server); };
metrics.out
With best_effort=true, the following metrics with limited tags are available:
syslog,facility=daemon,facility_code=3,severity=info,severity_code=6 Nb=1i 1663848572734957383
With best_effort=false, there are no metrics and error logs seen.
packet capture:
To debug, I posted a message to syslog; the command and the corresponding packet capture of the message are below:
$ logger -p local3.crit "This is a test Critical syslog generated by the simulator" -t simulator
<154>Sep 23 11:18:58.000 controller-0 simulator: This is a test Critical syslog generated by the simulator
I am not sure of the problem; maybe the telegraf syslog parser is not able to parse the message completely.
Please let me know if I am missing something in the configuration, or if you have any other suggestion.
Note that initially I tried this with TCP-based syslog forwarding, but was facing the error below, so I switched to UDP based on the suggestion from issue #4482:
2022-09-21T06:37:38Z E! [inputs.syslog] Error in plugin: found ILLEGAL(<), expecting a MSGLEN
Thanks,
Saravanan G
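
One way to compare the captured packet above against the header layout in RFC 3164 section 4.1, as an added example that is not part of the original post and is not telegraf's own parser. The function name `check_rfc3164` and the second sample frame are constructed for illustration; the first frame is the one from the packet capture.

```python
import re

# Header layout from RFC 3164 section 4.1:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT
MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?:" + MONTHS + r") [ \d]\d "        # day is space-padded, e.g. "Sep  3"
    r"\d{2}:\d{2}:\d{2}(?P<extra>\S*) "    # anything glued to the seconds lands in 'extra'
    r"(?P<host>\S+) (?P<rest>.*)",
    re.S,
)
# Conventional facility and severity keywords, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def check_rfc3164(frame):
    """Decode PRI and list where the frame departs from the RFC 3164 layout."""
    m = HEADER.match(frame)
    if m is None:
        return {"facility": None, "severity": None,
                "deviations": ["header is not <PRI>Mmm dd hh:mm:ss HOSTNAME ..."]}
    pri = int(m["pri"])
    deviations = []
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        deviations.append(f"PRI {pri} is above 191")
    if m["extra"]:
        deviations.append(f"timestamp carries {m['extra']!r} after hh:mm:ss")
    if len(frame.encode()) > 1024:
        deviations.append("packet is longer than 1024 bytes")
    facility = FACILITIES[pri >> 3] if pri <= 191 else None
    return {"facility": facility, "severity": SEVERITIES[pri & 7],
            "deviations": deviations}


# Frame taken from the packet capture in the post.
CAPTURED = ("<154>Sep 23 11:18:58.000 controller-0 simulator: "
            "This is a test Critical syslog generated by the simulator")
# Constructed variant of the same frame with a plain hh:mm:ss timestamp.
STRICT = CAPTURED.replace("11:18:58.000", "11:18:58")

if __name__ == "__main__":
    for name, frame in (("captured", CAPTURED), ("strict", STRICT)):
        print(name, check_rfc3164(frame))
```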