How to monitor HAproxy logs of server in Splunk

rahul2gupta
Path Finder

Hi @gcusello ,

Could you please help me monitor the HAProxy logs of a server in Splunk? What are the steps that need to be carried out?

Also, the user is saying that "The HAProxy container is set up with rsyslog, using the omfwd module to forward traffic to the relevant IP address that has been set up in the config."

Regards,

Rahul

gcusello
SplunkTrust

Hi @rahul2gupta,

If your proxies send their logs to an rsyslog server, the best approach is to have two rsyslog servers with Splunk Universal Forwarder.

Then you need a Load Balancer to distribute traffic between the two rsyslog servers and manage fail tolerance.

The Load Balancer could be a Hardware Load Balancer (better) or also a DNS configuration to have a virtual address that sends logs to the two rsyslog servers.

Then the Universal Forwarders read the log files and send the logs to Splunk.

Otherwise, you can also use two Heavy Forwarders and use their capabilities to ingest syslogs instead of an rsyslog server.

Ciao.

Giuseppe
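
The receiving side described in the answer above, as an added example that is not part of the original post: the rsyslog configuration for each of the two receivers and the Universal Forwarder input that reads what rsyslog writes. File names, directory layout, port 514 and the angle-bracket placeholders are assumptions to adapt.

```conf
# ---- On each rsyslog receiver: /etc/rsyslog.d/30-haproxy.conf (assumed file name) ----
# Listen for the syslog traffic that omfwd in the HAProxy containers sends.
# The page does not say whether omfwd uses UDP or TCP, so both are enabled here.
module(load="imudp")
module(load="imtcp")

# One directory per sending host. The host name comes from the syslog header,
# because behind a load balancer the source IP may be the balancer's.
# secpath-replace rewrites "/" in the value so a crafted host name
# cannot point the file outside /var/log/remote/haproxy/.
template(name="HaproxyPerHost" type="string"
         string="/var/log/remote/haproxy/%hostname:::secpath-replace%/haproxy.log")

# Dedicated ruleset: remote events go only to these files,
# never into the receiver's own local logs.
ruleset(name="remote_haproxy") {
    action(type="omfile" dynaFile="HaproxyPerHost"
           fileCreateMode="0640" dirCreateMode="0750")
}

input(type="imudp" port="514" ruleset="remote_haproxy")
input(type="imtcp" port="514" ruleset="remote_haproxy")

# ---- On the same host, Universal Forwarder: ----
# ---- $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf ----
[monitor:///var/log/remote/haproxy/*/haproxy.log]
# Path segments: var=1, log=2, remote=3, haproxy=4, <host>=5
host_segment = 5
# Use the sourcetype that the HAProxy add-on you install expects.
sourcetype = <haproxy_sourcetype>
index = <your_index>
disabled = 0
```

The account that runs the Universal Forwarder needs read access to the files created with mode 0640, and the files need rotation so the receivers' disks do not fill.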

PickleRick
SplunkTrust

I'd have to double-check it but I think DNS-based load balancing will not work with rsyslog.

Anyway, if the HAproxy containers send normal syslog, it just boils down to a typical case of receiving syslog events - be it with rsyslog or sc4s or whatever other solution you want.

Oh, and there is an add-on for HAproxy so the logs should get parsed properly almost out of the box (unless the containerized haproxy massacres them in any way).

rahul2gupta
Path Finder

Thanks @gcusello !
