Fluentbit Sumo Logic
Syslog & Sumo
Docs
docker-compose.yaml
version: "3.7"
services:
  fluent-bit:
    image: fluent/fluent-bit
    ports:
      # Only TCP 5140 is published, as host port 16443. The UDP 5140 input and the
      # JSON tcp input on 5170 are reachable only via the container's own address.
      - "16443:5140"
    volumes:
      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
fluent-bit.conf
[SERVICE]
    Flush        1
    # Relative to /fluent-bit/etc/, i.e. the parsers.conf shipped in the image; it defines syslog-rfc3164 and syslog-rfc5424
    Parsers_File parsers.conf

[INPUT]
    Name         tcp
    Listen       0.0.0.0
    Port         5170
    Chunk_Size   32
    Buffer_Size  64
    Format       json

[INPUT]
    Name         syslog
    # Parser     syslog-rfc3164
    Parser       syslog-rfc5424
    Listen       0.0.0.0
    Port         5140
    Mode         tcp

[INPUT]
    Name         syslog
    Parser       syslog-rfc5424
    Listen       0.0.0.0
    Port         5140
    Mode         udp

[OUTPUT]
    Name         stdout
    Match        *

[OUTPUT]
    Name         opentelemetry
    Match        *
    Host         endpoint1.collection.us2.sumologic.com
    Port         443
    # The path segment after /otlp/ is the collector's source token. Anyone holding it can
    # inject data into the collector, so treat this file as a secret (values truncated here).
    Metrics_uri  /receiver/v1/otlp/Za...A4mw==/v1/metrics
    Logs_uri     /receiver/v1/otlp/Za...A4mw==/v1/logs
    Traces_uri   /receiver/v1/otlp/Za..4mw==/v1/traces
    Log_response_payload True
    # tls.verify is On by default; do not switch it off to get past certificate errors
    Tls          On
send.sh
#!/bin/sh
# Address of the fluent-bit container on the compose network (confirm with docker inspect);
# it is reachable only from the Docker host itself. Remote senders use host port 16443.
ip="172.19.0.2"
# When sending to a remote server util-linux logger uses RFC 5424 framing by default,
# which is what the syslog-rfc5424 parser expects; add --rfc3164 to test the other parser.
logger --tcp --port 5140 -n "$ip" "Test message tcp1"
logger --udp --port 5140 -n "$ip" "Test message udp1"
# 5170 is not published in docker-compose.yaml, so target the container directly rather than 127.0.0.1
echo '{"key 1": 123456789, "key 2": "abcdefg"}' | nc -q 3 "$ip" 5170
Query
_collector=mycollector | where host = "myhost"
Parsers & Notes
# Parser syslog-rfc3164 (alternative for BSD-style senders; swap it in on the syslog inputs above)
#
# The syslog-rfc5424 parser used above, as defined in the image's parsers.conf, kept here for reference:
# [PARSER]
#     Name        syslog-rfc5424
#     Format      regex
#     Regex       ^\<(?<pri>[0-9]{1,5})\>1 (?<time>[^ ]+) (?<host>[^ ]+) (?<ident>[^ ]+) (?<pid>[-0-9]+) (?<msgid>[^ ]+) (?<extradata>(\[(.*)\]|-)) (?<message>.+)$
#     Time_Key    time
#     Time_Format %Y-%m-%dT%H:%M:%S.%L
#     Time_Keep   On
#     Types       pid:integer
#
# Note: the copy shipped in the image ends Time_Format with %z. Without it the "+00:00" offset that
# logger appends to the RFC 5424 timestamp is left unconsumed and the record's time is not parsed.
# The host named group above is what the Sumo query's `where host = "myhost"` filters on.