Ship HAProxy logs

HAProxy is a network device, so it needs to transfer logs using the syslog protocol. To ship HAProxy logs to an ELK stack, you’ll first need to configure HAProxy logging to transmit the logs to a local rsyslog server. From there, you can ship the logs from rsyslog to Logz.io.

Guided configuration

Before you begin, you’ll need: root access, rsyslog 5.8.0 or later

Configure HAProxy

Copy this text to your HAProxy configuration (/etc/haproxy/haproxy.cfg by default).

global
  log 127.0.0.1:514 len 4096 local1 # Send logs to localhost port 514 over UDP, facility set to ‘local1’

defaults HTTP # HTTP Defaults
  log global # refer to the global log definition
  option dontlog-normal # disable logging of normal, successful connections
  mode http
  option httplog # Enable logging of HTTP request, session state and timers

listen INPUT_NAME_HTTP
  bind :PORT

  server SERVER_NAME SERVER_ADDRESS:PORT

defaults TCP # TCP Defaults
  log global # refer to the global log definition
  option dontlog-normal # disable logging of normal, successful connections
  mode tcp
  option tcplog # Enable advanced logging of TCP connections, session state and timers

listen INPUT_NAME_TCP
  bind :PORT

  server SERVER_NAME SERVER_ADDRESS:PORT

Configure rsyslog

Copy this text to your rsyslog configuration (/etc/rsyslog.conf by default).

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
$ModLoad imudp
$UDPServerAddress 0.0.0.0 # listen on the localhost , protocol UDP
$UDPServerRun 514 # listen on port 514, protocol UDP
$KLogPermitNonKernelFacility on
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog

# the logz.io syslog template,
$template HAProxyLogzioFormat,"[<<LOG-SHIPPING-TOKEN>>] <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [type=haproxy] %msg%\n"

# Send messages to Logz over TCP using the template.
*.* @@<<LISTENER-HOST>>:5000;HAProxyLogzioFormat

Restart rsyslog

sudo service rsyslog restart

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you don’t see your logs, see log shipping troubleshooting.