Commit b76914e

add section for syslog-drain-url protocols
fix command format and reformulate certificate combinations add hint for certificate troubleshooting with openssl fix typo style edits for consistency within the docs make CA necessary
1 parent 6ad9965 commit b76914e

1 file changed

+16
-0
lines changed

services/log-management.html.md.erb

Lines changed: 16 additions & 0 deletions
@@ -124,6 +124,22 @@ You can create a syslog drain service and bind apps to it using Cloud Foundry Co
124124
$ cf create-user-provided-service DRAIN-NAME -l SYSLOG-URL -p '{"ca":"-----BEGIN CERTIFICATE-----\nMIIH...-----END CERTIFICATE-----", "cert":"-----BEGIN CERTIFICATE-----\nMIIH...-----END CERTIFICATE-----","key":"-----BEGIN PRIVATE KEY-----\nMIIE...-----END PRIVATE KEY-----"}'
125125
</pre>
126126

127+
When setting up your syslog drain, it is important to choose the correct scheme for your SYSLOG-URL:
128+
129+
* Use the syslog-tls scheme for endpoints that require TLS or mTLS.
130+
* Use the syslog scheme for endpoints that do not require TLS.
131+
* Use the https scheme when shipping logs to an HTTPS endpoint.
132+
133+
If you need to use TLS or mTLS, ensure that you provide the necessary CA certificate. Additionally to the CA certificate for mTLS configuration, both the client certificate and the key must be provided.
134+
135+
Ensure that certificates and keys are PEM-encoded as specified in RFC-1422. They should be provided as string values, with new lines represented by the `\n` character, and must not have trailing new lines. You can convert a PEM-encoded certificate string to a format processable by the syslog agent on the Diego cell using the following command:
136+
137+
<pre class="terminal">
138+
$ awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert.pem | sed 's/\\n$//' | tr -d '\n'
139+
</pre>
140+
141+
The `cf create-user-provided-service` command accepts any JSON payload without validating the certificates or credentials while creating the syslog drain. There is no error message for wrong certificates or credentials in the cf CLI; you can only validate in your target log service if your syslog drain was configured correctly. To troubleshoot your certificates, you can use the openssl command line tool.
142+
127143
For more information, see [User-provided service instances](./user-provided.html).
128144

129145
2. To bind an app to the service instance, do one of these:
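
Review bot: The last added paragraph (new line 141) states that the cf CLI reports no error for wrong certificates and then points to "the openssl command line tool" without naming a command, so the reader gets no usable check at exactly the point where a misconfiguration is silent. Suggest adding concrete invocations, for example `openssl verify -CAfile ca.pem cert.pem` to check the client certificate against the CA, and `openssl s_client -connect HOST:PORT -CAfile ca.pem -cert cert.pem -key key.pem` to test the handshake against the drain endpoint. At new line 135, RFC-1422 covers certificate-based key management for Privacy Enhanced Mail; the textual encoding of certificates and keys is specified in RFC 7468, which would be the better reference. The awk command at new line 138 is introduced only for a certificate, while the key in the JSON payload needs the same conversion; the text should say so. At new line 133, "Additionally to the CA certificate for mTLS configuration" reads awkwardly; "For mTLS, provide the client certificate and key in addition to the CA certificate" is clearer. The scheme list at new lines 129-131 could also state that the syslog scheme sends logs unencrypted, so readers pick it deliberately.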
