pipeline/outputs/gelf.md
Lines changed: 63 additions & 45 deletions
@@ -1,48 +1,66 @@
1
-
# GELF
1
+
# Graylog Extended Log Format
2
2
3
-
**GELF** is [Graylog](https://www.graylog.org) Extended Log Format. The GELF output plugin allows to send logs in GELF format directly to a Graylog input using TLS, TCP or UDP protocols.
3
+
The _[Graylog](https://www.graylog.org) Extended Log Format (GELF)_ output plugin lets you send logs in GELF format directly to a Graylog input using TLS, TCP, or UDP protocols.
4
4
5
-
The following instructions assumes that you have a fully operational Graylog server running in your environment.
5
+
The following instructions assume that you have a fully operational Graylog server running in your environment.
6
6
7
-
## Configuration Parameters
7
+
## Configuration parameters
8
8
9
-
According to [GELF Payload Specification](https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html?Highlight=Payload#GELFPayloadSpecification), there are some mandatory and optional fields which are used by Graylog in GELF format. These fields are determined with _Gelf\\_\*\_Key\_ key in this plugin.
9
+
According to the [GELF Payload Specification](https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html?Highlight=Payload#GELFPayloadSpecification), there are mandatory and optional fields used by Graylog in GELF format. These fields are determined with `Gelf\_*_Key` key in this plugin.
| Match| Pattern to match which tags of logs to be outputted by this plugin||
14
-
| Host| IP address or hostname of the target Graylog server|127.0.0.1|
15
-
| Port| The port that your Graylog GELF input is listening on|12201|
16
-
| Mode| The protocol to use (`tls`, `tcp` or `udp`) |udp|
17
-
|Gelf\_Tag\_Key | Key to be used for tag. (_Optional in GELF_) ||
18
-
| Gelf_Short_Message_Key | A short descriptive message (**MUST be set in GELF**) |short_message |
19
-
| Gelf_Timestamp_Key| Your log timestamp (_SHOULD be set in GELF_) |timestamp|
20
-
| Gelf_Host_Key| Key which its value is used as the name of the host, source or application that sent this message. (**MUST be set in GELF**) |host|
21
-
| Gelf_Full_Message_Key| Key to use as the long message that can i.e. contain a backtrace. (_Optional in GELF_) |full_message |
22
-
| Gelf_Level_Key| Key to be used as the log level. Its value must be in [standard syslog levels](https://en.wikipedia.org/wiki/Syslog#Severity_level) (between 0 and 7). (_Optional in GELF_)| level|
23
-
| Packet_Size| If transport protocol is `udp`, you can set the size of packets to be sent. |1420|
24
-
| Compress| If transport protocol is `udp`, you can set this if you want your UDP packets to be compressed. |true|
25
-
| Workers | The number of [workers](../../administration/multithreading.md#outputs) to perform flush operations for this output. |`0`|
11
+
| Key | Description | Default|
12
+
| --- | ----------- | ------- |
13
+
|`Match`| Pattern to match which tags of logs to be outputted by this plugin. |_none_|
14
+
|`Host`| IP address or hostname of the target Graylog server. |`127.0.0.1`|
15
+
|`Port`| The port that your Graylog GELF input is listening on. |`12201`|
16
+
|`Mode`| The protocol to use. Allowed values:`tls`, `tcp`, `udp`.|`udp`|
17
+
|`Gelf_Tag_Key`| Key to be used for tag. (Optional in GELF.) |_none_|
18
+
|`Gelf_Short_Message_Key`| A short descriptive message. Must be set in GELF. |`short_message`|
19
+
|`Gelf_Timestamp_Key`| Your log timestamp. Should be set in GELF. |`timestamp`|
20
+
|`Gelf_Host_Key`| Key which its value is used as the name of the host, source or application that sent this message. Must be set in GELF. |`host`|
21
+
|`Gelf_Full_Message_Key`| Key to use as the long message that can, for example, contain a backtrace. Optional in GELF. |`full_message`|
22
+
|`Gelf_Level_Key`| Key to be used as the log level. Its value must be in [standard syslog levels](https://en.wikipedia.org/wiki/Syslog#Severity_level) (between `0` and `7`). Optional in GELF.|`level`|
23
+
|`Packet_Size`| If transport protocol is `udp`, you can set the size of packets to be sent. |`1420`|
24
+
|`Compress`| If transport protocol is `udp`, you can set this if you want your UDP packets to be compressed. |`true`|
25
+
|`Workers`| The number of [workers](../../administration/multithreading.md#outputs) to perform flush operations for this output. |`0`|
26
26
27
27
### TLS / SSL
28
28
29
29
The GELF output plugin supports TLS/SSL.
30
-
For more details about the properties available and general configuration, see [TLS/SSL](../../administration/transport-security.md).
30
+
For information about the properties available and general configuration, see [TLS/SSL](../../administration/transport-security.md).
31
31
32
32
## Notes
33
33
34
-
* If you're using Fluent Bit to collect Docker logs, note that Docker places your log in JSON under key `log`. So you can set `log` as your `Gelf_Short_Message_Key` to send everything in Docker logs to Graylog. In this case, you need your `log` value to be a string; so don't parse it using JSON parser.
35
-
* The order of looking up the timestamp in this plugin is as follows:
36
-
1. Value of `Gelf_Timestamp_Key` provided in configuration
37
-
2. Value of `timestamp` key
38
-
3. If you're using [Docker JSON parser](../parsers/json.md), this parser can parse time and use it as timestamp of message. If all above fail, Fluent Bit tries to get timestamp extracted by your parser.
39
-
4. Timestamp does not set by Fluent Bit. In this case, your Graylog server will set it to the current timestamp (now).
40
-
* Your log timestamp has to be in [UNIX Epoch Timestamp](https://en.wikipedia.org/wiki/Unix_time) format. If the `Gelf_Timestamp_Key` value of your log is not in this format, your Graylog server will ignore it.
41
-
* If you're using Fluent Bit in Kubernetes and you're using [Kubernetes Filter Plugin](../filters/kubernetes.md), this plugin adds `host` value to your log by default, and you don't need to add it by your own.
42
-
* The `version` of GELF message is also mandatory and Fluent Bit sets it to 1.1 which is the current latest version of GELF.
43
-
* If you use `udp` as transport protocol and set `Compress` to `true`, Fluent Bit compresses your packets in GZIP format, which is the default compression that Graylog offers. This can be used to trade more CPU load for saving network bandwidth.
34
+
Be aware that the following items can require changes to your configuration.
44
35
45
-
## Configuration File Example
36
+
### Docker logs
37
+
38
+
If you're using Fluent Bit to collect Docker logs, be aware that Docker places your log in JSON under key `log`. Set `log` as your `Gelf_Short_Message_Key` to send everything in Docker logs to Graylog. In this case, you need your `log` value to be a string, so don't parse it using JSON parser.
39
+
40
+
### Timestamps
41
+
42
+
The order of looking up the timestamp in this plugin is as follows:
43
+
44
+
1. Value of `Gelf_Timestamp_Key` provided in configuration.
45
+
1. Value of `timestamp` key,
46
+
1. If you're using [Docker JSON parser](../parsers/json.md), this parser can parse time and use it as timestamp of message. If these steps fail, Fluent Bit tries to get timestamp extracted by your parser.
47
+
1. Timestamp isn't set by Fluent Bit. In this case, your Graylog server will set it to the current timestamp (now).
48
+
49
+
Your log timestamp has to be in [Unix Epoch Timestamp](https://en.wikipedia.org/wiki/Unix_time) format. If the `Gelf_Timestamp_Key` value of your log isn't in this format, your Graylog server will ignore it.
50
+
51
+
### Kubernetes
52
+
53
+
If you're using Fluent Bit in Kubernetes and you're using [Kubernetes Filter Plugin](../filters/kubernetes.md), this plugin adds `host` value to your log by default, and you don't need to add it by your own.
54
+
55
+
### Version
56
+
57
+
The `version` of GELF message is also mandatory and Fluent Bit sets it to 1.1 which is the current latest version of GELF.
58
+
59
+
### Compression
60
+
61
+
If you use `udp` as transport protocol and set `Compress` to `true`, Fluent Bit compresses your packets in GZIP format, which is the default compression that Graylog offers. This can be used to trade more CPU load for saving network bandwidth.
62
+
63
+
## Configuration file example
46
64
47
65
If you're using Fluent Bit for shipping Kubernetes logs, you can use something like this as your configuration file:
48
66
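Review bot: in the added paragraph under "Configuration parameters", `Gelf\_*_Key` is now inside a code span, where the backslash is no longer an escape and renders literally; write it as `Gelf_*_Key`. In the new table, the `Mode` row is missing a space in "Allowed values:`tls`", the `Gelf_Tag_Key` row keeps "(Optional in GELF.)" in parentheses while the other rows drop them, and the `Gelf_Host_Key` row still reads "Key which its value is used as". In the Timestamps list, the second item ends with a comma ("Value of `timestamp` key,") where the neighbouring items end with a period, and `1.1` in the Version section is not in backticks although the other literal values in this change are.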
@@ -66,7 +84,7 @@ pipeline:
66
84
db: /var/log/flb_kube.db
67
85
mem_buf_limit: 5MB
68
86
refresh_interval: 10
69
-
87
+
70
88
filters:
71
89
- name: kubernetes
72
90
match: 'kube.*'
@@ -75,12 +93,12 @@ pipeline:
75
93
keep_log: off
76
94
annotations: off
77
95
labels: off
78
-
96
+
79
97
- name: nest
80
98
match: '*'
81
99
operation: lift
82
100
nested_under: log
83
-
101
+
84
102
outputs:
85
103
- name: gelf
86
104
match: 'kube.*'
@@ -137,35 +155,35 @@ pipeline:
137
155
{% endtab %}
138
156
{% endtabs %}
139
157
140
-
By default, GELF tcp uses port 12201 and Docker places your logs in `/var/log/containers` directory. The logs are placed in value of the `log` key. For example, this is a log saved by Docker:
158
+
By default, GELF TCP uses port `12201` and Docker places your logs in `/var/log/containers` directory. The logs are placed in value of the `log` key. For example, this is a log saved by Docker:
141
159
142
160
```text
143
161
...
144
162
{"log":"{\"data\": \"This is an example.\"}","stream":"stderr","time":"2019-07-21T12:45:11.273315023Z"}
145
163
...
146
164
```
147
165
148
-
If you use [Tail Input](../inputs/tail.md) and use a Parser like the `docker` parser shown above, it decodes your message and extracts `data` (and any other present) field. This is how this log in [stdout](standard-output.md) looks like after decoding:
166
+
If you use [Tail Input](../inputs/tail.md) and use a Parser like the `docker` parser shown previously, it decodes your message and extracts `data` (and any other present) field. This is how this log in [stdout](standard-output.md) looks like after decoding:
149
167
150
168
```text
151
169
...
152
170
[0] kube.log: [1565770310.000198491, {"log"=>{"data"=>"This is an example."}, "stream"=>"stderr", "time"=>"2019-07-21T12:45:11.273315023Z"}]
153
171
...
154
172
```
155
173
156
-
Now, this is what happens to this log:
174
+
This is what happens to the log:
157
175
158
176
1. Fluent Bit GELF plugin adds `"version": "1.1"` to it.
159
-
2. The [Nest Filter](../filters/nest.md), unnests fields inside `log` key. In our example, it puts `data` alongside `stream` and `time`.
160
-
3. We used this `data` key as`Gelf_Short_Message_Key`; so GELF plugin changes it to `short_message`.
6. Any custom field (not present in [GELF Payload Specification](https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html?Highlight=Payload#GELFPayloadSpecification).) is prefixed by an underline.
177
+
1. The [Nest Filter](../filters/nest.md), unnests fields inside `log` key. In the example, it puts `data` alongside `stream` and `time`.
178
+
1. The `data` key was`Gelf_Short_Message_Key`, so GELF plugin changes it to `short_message`.
1. Any custom field (not present in [GELF Payload Specification](https://go2docs.graylog.org/5-0/getting_in_log_data/gelf.html?Highlight=Payload#GELFPayloadSpecification).) is prefixed by an underline.
164
182
165
-
Finally, this is what our Graylog server input sees:
183
+
Finally, this is what the Graylog server input sees:
166
184
167
185
```text
168
186
...
169
187
{"version":"1.1", "short_message":"This is an example.", "host": "<Your Node Name>", "_stream":"stderr", "timestamp":1565770310.000199}
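Review bot: the reworded list item "The `data` key was`Gelf_Short_Message_Key`" drops "used as", which changes the meaning, and it keeps the missing space before the code span; suggest "The `data` key was used as `Gelf_Short_Message_Key`, so the GELF plugin changes it to `short_message`." The Nest Filter item still has a stray comma after the link ("The [Nest Filter](../filters/nest.md), unnests"), and the custom-field item keeps ".)" after the specification link, with the period inside the parenthesis. The sentence about the `docker` parser still ends with "This is how this log ... looks like", which could become "This is what this log ... looks like" while the line is being edited.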