HAProxy ALOHA Documentation 11.5

Syslog

You can send logs from an HAProxy ALOHA appliance to an external Syslog server.

HAProxy ALOHA generates several types of logs, each of which can be collected and sent to a separate or a shared Syslog server. The types are defined in the table below, where each has a unique name that you will use to configure it.

Name

Description

system

Major operating system events

events

Load balancer events

console

Administration Web UI events

traffic

Traffic traversing all HAProxy ALOHA frontends

https://cdn.haproxy.com/documentation/aloha/11-5/assets/syslog-151b326e0997401b93c294867f8bbd9dd05e3b362fdf39ef7c6ac783034321d9.png

Configure the Syslog server

You must configure a remote Syslog server to receive log entries.

  1. Install a Syslog server such as rsyslog.

    $ sudo apt install rsyslog
  2. Create a file named /etc/rsyslog.d/10-aloha.conf with the directives below.

    Configure rsyslog to listen on all IP addresses at port 514. Store incoming log messages in the file /var/log/aloha.log when they come from the HAProxy ALOHA IP address.

    $ModLoad imudp
    $UDPServerRun 514
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    if $fromhost-ip=='172.16.24.237' then /var/log/aloha.log

    The directives are as follows:

    Directive

    Description

    $ModLoad imudp

    Receive logs over UDP.

    $UDPServerRun 514

    Start on the specified port.

    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    Use the traditional Syslog format.

    if $fromhost-ip=='172.16.24.237' then /var/log/aloha.log

    Store incoming log messages in the file /var/log/aloha.log when they come from the HAProxy ALOHA IP address. Replace 172.16.24.237 with your own IP address. You can specify several of these directives, or use startswith to match a range of IPs.

  3. Restart the rsyslog server.

    $ sudo systemctl restart rsyslog

Log operating system events

Configure the system log type to send major HAProxy ALOHA operating system events, such as kernel errors, to an external Syslog server.

  1. In the Services tab, click syslog setup.

    https://cdn.haproxy.com/documentation/aloha/11-5/assets/syslog_setup-985a071b13f0e8833fe574c77f52db44a6eecc979a9414aad26685bf4931c143.png
  2. In the service syslog system section, specify the IP address and port of the destination Syslog server.

    Send operating system events to a Syslog server listening at 172.16.24.236 on UDP port 514.

    service syslog system
     server 172.16.24.236:514
  3. Restart the syslog service.

    https://cdn.haproxy.com/documentation/aloha/11-5/assets/syslog_restart-60edbc3d16f5f03100801e98392e90a4759f372d05235ade9e9eb92f2687cdf6.png

    The Message 7010: Last action returns success message displays.

Log load balancer events

Configure the events log type to send errors related to starting/stopping the load balancer, and related errors or warnings, to an external Syslog server.

  1. In the service syslog events section, specify the IP address and port of the destination Syslog server.

    Send load balancer errors to a Syslog server listening at 172.16.24.236 on UDP port 514.

    service syslog events
     server 172.16.24.236:514
  2. Restart the syslog service.

Log administration events

Configure the console log type to send events such as logins to the HAProxy ALOHA command-line interface to an external Syslog server.

  1. In the service syslog console section, specify the IP address and port of the destination Syslog server.

    Send login events to a Syslog server listening at 172.16.24.236 on UDP port 514.

    service syslog console
     server 172.16.24.236:514
  2. Restart the syslog service.

Log traffic from all frontends

Configure the traffic log type to send traffic logs for all frontends to an external Syslog server.

  1. In the service syslog traffic section, specify the IP address and port of the destination Syslog server.

    Send traffic logs to a Syslog server listening at 172.16.24.236 on UDP port 514.

    service syslog traffic
     server 172.16.24.236:514
  2. Restart the syslog service.

Log traffic from a specific frontend

You can log traffic that traverses a specific HAProxy ALOHA frontend.

  1. On the remote rsyslog server, edit the file /etc/rsyslog.d/10-aloha.conf file.

    Append one or more lines similar to the following.

    Capture messages from Syslog facilities local0 and local1, and write them to the frontend1-traffic.log and frontend2-traffic.log file.

    local0.* /var/log/frontend1-traffic.log
    local1.* /var/log/frontend2-traffic.log
  2. On HAProxy ALOHA, add the following directive to a frontend section:

    log <Syslog server IP address>:<port>

    Send log messages to facility local0 to an rsyslog server listening at 172.16.24.236 on UDP port 514.

    frontend webservice
       bind :80
       mode http
       log 172.16.24.236:514 local0
       option httplog
       default_backend webfarm

Test the setup

  1. Make a web request either to:

    • the HAProxy ALOHA Web UI,

    • a HAProxy ALOHA frontend,

    $ curl http://172.16.24.237:8080
  2. Inspect the logs on your rsyslog server.

    $ sudo less /var/log/aloha.log
    Jan 13 11:12:58 ALOHA1 alohactl2[15685] ALOHA1# /opt/bin/alohactl2 -S root l7_dump
    Jan 13 11:12:58 ALOHA1 alohactl2[15722] ALOHA1# /opt/bin/alohactl2 -S root l4_dump
    Jan 13 11:13:04 ALOHA1 alohactl2[15859] ALOHA1# /opt/bin/alohactl2 -S root l7_dump
    Jan 13 11:52:27 172.16.24.237 haproxy[9522]: 172.29.1.90:46714 [13/Jan/2022:11:52:27.745] webservice webfarm/websrv1 0/0/0/1/1 200 818 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"
    $ sudo less /var/log/frontend1-traffic.log
    Jan 13 14:09:38 172.16.24.237 haproxy[18201]: 172.29.1.90:40710 [13/Jan/2022:14:09:38.751] webservice webfarm/websrv1 0/0/0/1/1 200 818 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"
    Jan 13 14:23:09 172.16.24.237 haproxy[18201]: 172.29.1.90:45748 [13/Jan/2022:14:23:09.407] webservice webfarm/websrv1 0/0/0/1/1 404 304 - - --NI 1/1/0/0/0 0/0 "GET /8080 HTTP/1.1"
    Jan 13 14:23:50 172.16.24.237 haproxy[18201]: Proxy webservice stopped (cumulated conns: FE: 2, BE: 0).
    Jan 13 14:25:21 172.16.24.237 haproxy[19247]: 172.29.1.90:37120 [13/Jan/2022:14:25:21.318] webservice webfarm/websrv1 0/0/0/0/0 200 602 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"
    Jan 13 14:25:21 172.16.24.237 haproxy[19247]: 172.29.1.90:37120 [13/Jan/2022:14:25:21.548] webservice webfarm/websrv1 0/0/0/0/0 404 351 - - --VN 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
    Jan 13 14:25:37 172.16.24.237 haproxy[19247]: 172.29.1.90:37224 [13/Jan/2022:14:25:37.052] webservice webfarm/websrv1 0/0/0/0/0 200 818 - - --NI 1/1/0/0/0 0/0 "GET / HTTP/1.1"

Syslog service reference

The syslog service in the Services tab supports the following configuration directives:

Directive

Description

console_level <level>

Sets the maximum Syslog severity level to send to the console.

keyid <key>

An identier to use for a second Syslog server.

listen <local IP[:port]>

Collect UDP log messages from the given local IP address and optional port.

listen_kernel

Collect kernel messages.

[no] listen_unix

Collect (or do not collect if prefixed with no) messages from /dev/log.

output "buffer"|<filename>

Records log messages to either a ring buffer or to a file.

rotate <number>

The number of log files to keep before rotating them.

server <remote IP:port>

The IP address and port of a remote Syslog server that will receive log messages.

size <kb>

The maximum size in kilobytes of the buffer or file when output "buffer" or output <filename> is set.


Next up

Security
HAProxyConf 2022 - Call for papers