HAProxy Enterprise Documentation 2.5r1

Log-forward

You can create a syslog listener UDP, TCP, or both by using the via the bind and dgram-bind directives. HAProxy Enterprise supports message-based load balancing and forwarding, allowing the transmission and reception of messages over TCP, UDP, or UNIX domain sockets. Each log message can now be processed individually.

This functionality also enables editing the number of connections in backlog, and translating syslog messages to a pool of UDP or TCP syslog servers. This can be implemented through a dedicated section called log-forward, which supports binding on TCP using the bind keyword and on UDP using dgram-bind for both IPv4 and IPv6.

By combining this capability with the log sampling feature, you gain precise control over the forwarding of syslog messages.

Forward log messages

To illustrate, the following example sets up log forwarding using a ring buffer named logbuffer with a maximum length of 1500 characters and a size of 65536 bytes. A ring buffer stores messages in memory and sends them to the destination host. HAProxy Enterprise listens on port 514 for both TCP and UDP syslog messages and forwards them to the syslog server at IP address 192.168.1.100 at TCP port 514. The syslog server is checked for health using the check keyword.

log-forward syslog
  # Listen on TCP port 514
  bind 0.0.0.0:514

  # Listen on UDP port 514
  dgram-bind 0.0.0.0:514

  log ring@logbuffer local0

ring logbuffer
  description "buffer for logs"
  format rfc5424
  maxlen 1500
  size 65536
  timeout connect 10s
  timeout server 20s

  # Sends outgoing messages via TCP
  server logserver 192.168.1.100:514 check

Translate the syslog protocol

You can also translate messages from one format to another. In the below example, all syslog messages received will be translated to the RFC 5424 format, regardless of the syslog format in which they were received. Here, we send messages to the destination server over UDP, since we did not configure a ring buffer.

log-forward syslog-lb
  bind :::7514       # Listen on TCP IPv4/IPv6
  dgram-bind :::7514 # Listen on UDP IPv4/IPv6

  # load balance messages on 2 UDP syslog servers
  log 10.1.0.2:10001 format rfc5424 sample 1:2 local0 info
  log 10.1.0.3:10002 format rfc5424 sample 2:2 local0 info

Global count of received syslog messages

The Runtime API show info command also exposes a new counter called CumRecvLogs, which provides a global count of received syslog messages.

$ echo "show info desc" | \
    sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock

    CumRecvLogs: 5:"Total number of log messages received by log-forwarding listeners on this worker process since started"
    Build info: 2.7.0-1.0.0-297.600:"Build info"
    Memmax_bytes: 0:"Worker process's hard limit on memory usage in byes (-m on command line)"
    PoolAlloc_bytes: 143592:"Amount of memory allocated in pools (in bytes)"
    PoolUsed_bytes: 143592:"Amount of pool memory currently used (in bytes)"
    Start_time_sec: 1684208137:"Start time in seconds"
    Tainted: 0:"Experimental features used"

Next up

Ring