You can configure Fluentd to send a copy of its logs to an external log aggregator, in addition to the default Elasticsearch store, using the out_forward plug-in. From there, you can further process log records after the locally hosted Fluentd has processed them.
The forward plug-in is supported by Fluentd only, so the receiver must itself run Fluentd.
The out_forward plug-in implements the client side (sender) and the in_forward plug-in implements the server side (receiver).
To configure OpenShift Container Platform to send logs using out_forward, edit the secure-forward.conf section of the fluentd configmap in the openshift-logging namespace so that it points to a receiver.
On the receiver, configure the in_forward plug-in to accept the logs from OpenShift Container Platform, using the same transport and shared_key settings as the forwarder. For more information on using the in_forward plug-in, see the Fluentd documentation.
Default secure-forward.conf section
# <store>
# @type forward
# <security>
# self_hostname ${hostname} # ${hostname} is a placeholder.
# shared_key <shared_key_between_forwarder_and_forwardee>
# </security>
# transport tls
# tls_verify_hostname true # Set false to ignore server cert hostname.
# tls_cert_path /path/for/certificate/ca_cert.pem
# <buffer>
# @type file
# path '/var/lib/fluentd/forward'
# queued_chunks_limit_size "#{ENV['BUFFER_QUEUE_LIMIT'] || '1024' }"
# chunk_limit_size "#{ENV['BUFFER_SIZE_LIMIT'] || '1m' }"
# flush_interval "#{ENV['FORWARD_FLUSH_INTERVAL'] || '5s'}"
# flush_at_shutdown "#{ENV['FLUSH_AT_SHUTDOWN'] || 'false'}"
# flush_thread_count "#{ENV['FLUSH_THREAD_COUNT'] || 2}"
# retry_max_interval "#{ENV['FORWARD_RETRY_WAIT'] || '300'}"
# retry_forever true
# # the systemd journald 0.0.8 input plugin will just throw away records if the buffer
# # queue limit is hit - 'block' will halt further reads and keep retrying to flush the
# # buffer to the remote - default is 'exception' because in_tail handles that case
# overflow_action "#{ENV['BUFFER_QUEUE_FULL_ACTION'] || 'exception'}"
# </buffer>
# <server>
# host server.fqdn.example.com # or IP
# port 24284
# </server>
# <server>
# host 203.0.113.8 # ip address to connect
# name server.fqdn.example.com # The name of the server. Used for logging and certificate verification in TLS transport (when host is address).
# </server>
# </store>
Procedure
To send a copy of Fluentd logs to an external log aggregator:
-
Edit the secure-forward.conf section of the Fluentd configuration map:
$ oc edit configmap/fluentd -n openshift-logging
-
Enter the name, host, and port for your external Fluentd server:
# <server>
# host server.fqdn.example.com # or IP
# port 24284
# </server>
# <server>
# host 203.0.113.8 # ip address to connect
# name server.fqdn.example.com # The name of the server. Used for logging and certificate verification in TLS transport (when host is address).
# </server>
<server>
name externalserver1 (1)
host 192.168.1.1 (2)
port 24224 (3)
</server>
<server> (4)
name externalserver2
host 192.168.1.2
port 24224
</server>
</store>
(1) Optionally, enter a name for this external aggregator. When host is an IP address and the transport is TLS, this name is also checked against the server certificate.
(2) Specify the host name or IP address of the external aggregator.
(3) Specify the port on which the external aggregator's in_forward plug-in listens.
(4) Optionally, add additional external aggregators, each in its own <server> section with a distinct name.
-
Add the shared key and the path to your CA certificate to the secure-forward.conf section:
# <security>
# self_hostname ${hostname} # ${hostname} is a placeholder. (1)
# shared_key <shared_key_between_forwarder_and_forwardee> (2)
# </security>
# tls_cert_path /path/for/certificate/ca_cert.pem (3)
(1) Specify the hostname that this forwarder presents to the receiver; it is also the default common name (CN) of the auto-generated certificate. Replace the ${hostname} placeholder.
(2) Specify a shared key for authentication. It must match the shared_key in the receiver's in_forward <security> section. It is stored in clear text in the configmap, so treat the configmap as sensitive.
(3) Specify the path, as mounted in the Fluentd pod, to the CA certificate that issued the receiver's server certificate.
<security>
self_hostname client.fqdn.local
shared_key cluster_logging_key
</security>
tls_cert_path /etc/fluent/keys/ca.crt
To use mTLS, see the Fluentd documentation for information about client certificate and key parameters and other settings.
-
Add the certificates used in secure-forward.conf to the existing fluentd secret that is mounted on the Fluentd pods. The your_ca_cert and your_private_key key names must match the file names that secure-forward.conf in configmap/fluentd refers to:
$ oc patch secrets/fluentd --type=json \
--patch "[{\"op\":\"add\",\"path\":\"/data/your_ca_cert\",\"value\":\"$(base64 -w0 /path/to/your_ca_cert.pem)\"}]"
$ oc patch secrets/fluentd --type=json \
--patch "[{\"op\":\"add\",\"path\":\"/data/your_private_key\",\"value\":\"$(base64 -w0 /path/to/your_private_key.pem)\"}]"
Note: Replace your_ca_cert and your_private_key with generic names of your choice. Each is the key under data in the secret (the JSON pointer path), not a path on your host system. The patch document must be valid JSON, so the keys and values inside it are double-quoted.
$ oc patch secrets/fluentd --type=json \
--patch "[{\"op\":\"add\",\"path\":\"/data/ca.crt\",\"value\":\"$(base64 -w0 /etc/fluent/keys/ca.crt)\"}]"
$ oc patch secrets/fluentd --type=json \
--patch "[{\"op\":\"add\",\"path\":\"/data/ext-agg\",\"value\":\"$(base64 -w0 /etc/fluent/keys/ext-agg.pem)\"}]"
-
Configure the in_forward plug-in on the external aggregator to accept messages securely from Fluentd: enable TLS with a server certificate issued by the CA you placed in tls_cert_path, and set the same shared_key as the forwarder. Without a matching shared key and a trusted server certificate the handshake fails and records stay in the forwarder's buffer. See the Fluentd documentation for the in_forward settings.
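The page defers the receiver side to the Fluentd documentation. The following is an added example, not part of the OpenShift documentation or the logging operator's own configuration: a receiver in_forward configuration whose TLS and shared-key settings agree with the secure-forward.conf values shown above, followed by a minimal stand-alone sender for testing outside the cluster. The aggregator hostname (aggregator.example.com), its address (203.0.113.8), the certificate paths under /etc/fluent/certs/ and the dummy test record are assumptions; the port 24284, the shared key cluster_logging_key, the client self_hostname client.fqdn.local and the CA path /etc/fluent/keys/ca.crt are the page's own values.

```conf
# ---- Receiver (external aggregator): in_forward with TLS and shared-key authentication ----
<source>
  @type forward
  bind 0.0.0.0
  port 24284                                  # same port as the forwarder's <server> section

  <transport tls>
    # Assumed paths. The certificate must be issued by the CA the OpenShift forwarders
    # carry as /etc/fluent/keys/ca.crt, and its CN/SAN must match the forwarder's
    # host (or its name, when host is an IP address), because tls_verify_hostname is true.
    cert_path        /etc/fluent/certs/aggregator.crt
    private_key_path /etc/fluent/certs/aggregator.key
    # Mutual TLS (optional): require a client certificate signed by the given CA.
    # client_cert_auth true
    # ca_path /etc/fluent/certs/ca.crt
  </transport>

  <security>
    self_hostname aggregator.example.com      # assumed hostname of this receiver
    shared_key cluster_logging_key            # must equal the forwarder's shared_key
  </security>
</source>

# Print what arrives so the handshake and delivery can be checked before adding real outputs.
<match **>
  @type stdout
</match>

# ---- Stand-alone sender for testing the receiver outside OpenShift ----
# On the cluster the forwarder is the secure-forward.conf <store> above; this match
# repeats only the fields that must agree with the receiver.
<source>
  @type dummy
  tag test.forward
  dummy {"msg":"constructed test record"}     # constructed sample input
</source>

<match test.**>
  @type forward
  transport tls
  tls_verify_hostname true
  tls_cert_path /etc/fluent/keys/ca.crt       # CA that issued aggregator.crt
  <security>
    self_hostname client.fqdn.local
    shared_key cluster_logging_key
  </security>
  <server>
    name aggregator.example.com               # verified against the server certificate
    host 203.0.113.8                          # assumed address
    port 24284
  </server>
</match>
```

Run the receiver and the sender as two separate Fluentd processes (the sender with the second half of the file). Records appear on the receiver's stdout only after the TLS handshake and the shared-key exchange both succeed; a wrong shared_key or a certificate that does not chain to the forwarder's ca.crt shows up as handshake errors in the sender's log, and the buffered records are retried rather than dropped.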