secure_forward


Last updated 5 years ago

The out_secure_forward output plugin sends messages via SSL with authentication (cf. in_secure_forward). This document doesn't describe all parameters. For the full feature set, see the Further Reading section.

Installation

Example Configurations

This section provides some example configurations for out_secure_forward.

Minimalist Configuration

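First, generate a private CA file on the input plugin side with secure-forward-ca-generate, then copy that file to the output plugin side over a secure channel (scp or similar). Only the receiver example on this page sets ca_private_key_path; the sender configurations reference the CA certificate through ca_cert_path alone.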

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

Without hostname ACL (not yet implemented), `self_hostname` is not checked in any state. The `"#{Socket.gethostname}"` placeholder is available for such cases.

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname "#{Socket.gethostname}"
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

Multiple Forward Destinations over SSL

When two or more <server>...</server> clauses are specified, out_secure_forward uses these server nodes in a round-robin order. The servers with standby yes are NOT selected until all non-standby servers go down.

If a server requires a username and password, set `username` and `password` in the `<server>` section:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host first.fqdn.local
    username repeatedly
    password sushi
  </server>
  <server>
    host second.fqdn.local
    username sasatatsu
    password karaage
  </server>
  <server>
    host standby.fqdn.local
    username kzk
    password hawaii
    standby  yes
  </server>
</match>

Use the keepalive parameter to specify keepalive timeouts. For example, the configuration below disconnects and re-connects its SSL connection every hour. By default, keepalive is set to 0 and the connection does NOT get disconnected unless there is a connection issue. (This feature is for DNS name updates and refreshing SSL common keys.)

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  keepalive 3600
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

Secure Sender-Receiver Setup

An example that sends and receives several different kinds of logs (format is set to none here for simplicity).

Sender

# td-agent secured client (sender)

<source>
  @type tail
  path /appbase/logs/apache/apache_access_log
  pos_file /var/log/td-agent/tmp/apache.access.pos
  tag apache.access
  format none
</source>

<source>
  @type tail
  path /appbase/logs/apache/apache_error_log
  pos_file /var/log/td-agent/tmp/apache.error.pos
  tag apache.error
  format none
</source>

<source>
  @type tail
  path /appbase/logs/webapp/elastic_search.log
  pos_file /var/log/td-agent/tmp/elastic.search.pos
  tag elastic.search
  format none
</source>

<source>
  @type tail
  path /appbase/logs/webapp/elastic_search_poller.log
  pos_file /var/log/td-agent/tmp/elastic.search.poller.pos
  tag elastic.poller
  format none
</source>

<source>
  @type tail
  path /appbase/logs/webapp/ldap.log
  pos_file /var/log/td-agent/tmp/ldap.log.pos
  tag ldap.log
  format none
</source>



#-- Application Logs

<match apache.*>
  @type copy
  <store>
    @type secure_forward
    shared_key Supers3cr3t
    allow_self_signed_certificate true
    self_hostname frontend01.dev.company.net
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem

    <server>
      host logserver01.prd.company.net
      port 2514
    </server>
    <server>
      host logserver02.prd.company.net
      port 2514
    </server>
  </store>
</match>

<match elastic.*>
  @type copy
  <store>
    @type secure_forward
    shared_key Supers3cr3t
    allow_self_signed_certificate true
    self_hostname frontend01.dev.company.net
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem

    <server>
      host logserver01.prd.company.net
      port 2514
    </server>
    <server>
      host logserver02.prd.company.net
      port 2514
    </server>
  </store>
</match>

<match ldap.*>
  @type copy
  <store>
    @type secure_forward
    shared_key Supers3cr3t
    allow_self_signed_certificate true
    self_hostname frontend01.dev.company.net
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem

    <server>
      host logserver01.prd.company.net
      port 2514
    </server>
    <server>
      host logserver02.prd.company.net
      port 2514
    </server>
  </store>
</match>

#-- NOTE for troubleshooting any actions after "type copy",
#-- and receive more output in td-agent.log, add:
#--       <store>
#--           @type stdout
#--       </store>


#-- Fluent Internal Logs

<match **>
  @type secure_forward
  shared_key Supers3cr3t
  self_hostname frontend01.dev.company.net
  flush_interval 8s
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host logserver01.prd.company.net
    port 2514
  </server>
  <server>
    host logserver02.prd.company.net
    port 2514
  </server>
</match>

Receiver

# td-agent secured receiver (server)

<source>
  @type secure_forward
  shared_key         Supers3cr3t
  self_hostname      logserver01.prd.company.net
  port 2514
  secure true
  ca_cert_path        /path/to/certificate/ca_cert.pem
  ca_private_key_path /path/to/certificate/ca_key.pem
  ca_private_key_passphrase passphrase_for_private_CA_secret_key
</source>


#-- Application Logs

<match *.access>
  @type file
  append true
  path /appbase/logs/received/access
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match *.error>
  @type file
  append true
  path /appbase/logs/received/error
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match elastic.search>
  @type file
  append true
  path /appbase/logs/received/elastic_search
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match elastic.poller>
  @type file
  append true
  path /appbase/logs/received/elastic_search_poller
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match ldap.*>
  @type file
  append true
  path /appbase/logs/received/ldap
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>


#-- Fluent Internal Logs

<match fluent.info>
  @type file
  append true
  path /appbase/logs/received/fluent-info
</match>

<match fluent.warn>
  @type file
  append true
  path /appbase/logs/received/fluent-warn
</match>
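
A check for the sender and receiver configurations above, as an added example in Ruby (not code from the plugin or the Fluentd project). It parses the section syntax used on this page and flags secure_forward sections that do not request encryption, that set secure without ca_cert_path, or that reuse a shared_key printed in this document. The function names, the sample hostnames and the constructed shared_key are assumptions made for the example.

```ruby
# Added example (not the plugin's code). Minimal parser for the
# <section> / "key value" syntax used on this page.
def secure_forward_sections(text)
  stack, found = [], []
  text.each_line do |raw|
    line = raw.sub(/(\A|\s)#.*/, '').strip # drop comments, keep "#{...}" values
    next if line.empty?
    if line =~ %r{\A</\w+>\z}
      sec = stack.pop or raise "unbalanced #{line}"
      found << sec if sec['@type'] == 'secure_forward'
    elsif line =~ /\A<.+>\z/
      stack.push('_name' => line)
    elsif stack.any?
      key, value = line.split(/\s+/, 2)
      stack.last[key] = value.to_s
    end
  end
  found
end

# Checks taken from the secure, ca_cert_path and shared_key descriptions.
SAMPLE_KEYS = %w[secret_string Supers3cr3t].freeze # shared_key values printed on this page
def audit(section)
  secure = %w[yes true].include?(section['secure'])
  key = section['shared_key'].to_s
  { 'secure is not yes/true' => !secure,
    'secure without ca_cert_path' => secure && section['ca_cert_path'].to_s.empty?,
    'shared_key missing' => key.empty?,
    'shared_key is a sample value from the docs' => SAMPLE_KEYS.include?(key) }
    .select { |_, hit| hit }.keys
end

CONSTRUCTED_CONFIG = <<~'CONF' # constructed input: weak section, then corrected
  <match app.**>
    @type secure_forward
    shared_key Supers3cr3t   # pasted from the docs
    self_hostname "#{Socket.gethostname}"
    secure true
    <server>
      host logserver01.example.net
    </server>
  </match>
  <match audit.**>
    @type secure_forward
    shared_key constructed-9f2c41d7
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem
  </match>
CONF
secure_forward_sections(CONSTRUCTED_CONFIG).each { |s| puts "#{s['_name']}: #{audit(s).inspect}" }
```

A section that uses certificates signed by a public CA will still be reported for the missing ca_cert_path; that is the one exception the ca_cert_path description allows.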

Parameters

type

This parameter is required. Its value must be secure_forward.

port (integer)

The default value is 24284.

bind (string)

The default value is 0.0.0.0.

secure (bool)

Indicates whether the connection is secured. Specify yes (or true) if encryption is needed.

ca_cert_path (string)

The file path of the private CA certificate file. This file must be shared with the input plugin. The default is blank, but this parameter must be specified unless the certificates in use are signed by a public CA.

self_hostname (string)

Default value of the auto-generated certificate common name (CN).

shared_key (string)

Shared key between nodes.

keepalive (time)

The duration for keepalive. If this parameter is not specified, keepalive is disabled.

send_timeout (time)

The send timeout value for sockets. The default value is 60 seconds.

reconnect_interval (time)

The interval between SSL reconnects. The default value is 5 seconds.

read_length (integer)

The number of bytes read per nonblocking read. The default value is 8MB = 8*1024*1024 bytes.

read_interval_msec (integer)

The interval between the non-blocking reads, in milliseconds. The default value is 50.

socket_interval_msec (integer)

The interval between SSL reconnects in milliseconds. The default value is 200.

Buffered Output Parameters

For advanced usage, you can tune Fluentd's internal buffering mechanism with these parameters.

buffer_type

buffer_queue_limit, buffer_chunk_limit

flush_interval

The interval between data flushes. The default is 60s. The suffixes "s" (seconds), "m" (minutes), and "h" (hours) can be used.

flush_at_shutdown

If set to true, Fluentd waits for the buffer to flush at shutdown. By default, it is set to true for Memory Buffer and false for File Buffer.

retry_wait, max_retry_wait

The initial and maximum intervals between write retries. The default values are 1.0 seconds and unset (no limit). The interval doubles (with +/-12.5% randomness) every retry until max_retry_wait is reached.

Since td-agent will retry 17 times before giving up by default (see the retry_limit parameter for details), the sleep interval can be up to approximately 131072 seconds (roughly 36 hours) in the default configurations.

retry_limit, disable_retry_limit

The limit on the number of retries before buffered data is discarded, and an option to disable that limit (if true, the value of retry_limit is ignored and there is no limit). The default values are 17 and false (not disabled). If the limit is reached, buffered data is discarded and the retry interval is reset to its initial value (retry_wait).
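
The retry arithmetic from the two sections above, as an added example in Ruby (not code from Fluentd). It models the schedule as this page describes it and totals the waits, which gives the longest destination outage that buffered logs survive before they are discarded. Assumptions: the randomness is applied before the max_retry_wait cap, the time taken by each failed write is ignored, and the function names are hypothetical.

```ruby
# Added example: retry schedule modelled from the description on this page
# (initial retry_wait, doubling per retry, +/-12.5% randomness, optional cap).
# It is not taken from the Fluentd source.
def retry_schedule(retry_wait: 1.0, max_retry_wait: nil, retry_limit: 17)
  (0...retry_limit).map do |n|
    nominal = retry_wait * (2**n)
    # Bounds of the randomness; assumed to be applied before the cap.
    low = nominal * 0.875
    high = nominal * 1.125
    if max_retry_wait
      nominal, low, high = [nominal, low, high].map { |v| [v, max_retry_wait].min }
    end
    { retry: n + 1, nominal: nominal, low: low, high: high }
  end
end

# Total time spent waiting before retry_limit is reached and the buffered
# data is discarded, as lower bound, nominal value and upper bound (seconds).
def outage_window(**opts)
  sched = retry_schedule(**opts)
  %i[low nominal high].map { |k| [k, sched.sum { |r| r[k] }] }.to_h
end

def hours(seconds)
  (seconds / 3600.0).round(1)
end

default = outage_window
capped  = outage_window(max_retry_wait: 300)
puts "defaults: #{default[:nominal]} s (~#{hours(default[:nominal])} h), " \
     "range #{hours(default[:low])}-#{hours(default[:high])} h"
puts "max_retry_wait 300: #{capped[:nominal]} s (~#{(capped[:nominal] / 60.0).round(1)} min)"
```

With the defaults the waits add up to 131071 seconds, the roughly 36 hours quoted above; capping the interval at 300 seconds shortens the window to about 48.5 minutes unless retry_limit is raised or disable_retry_limit is set.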

num_threads

The number of threads to flush the buffer. This option can be used to parallelize writes into the output(s) designated by the output plugin. Increasing the number of threads improves the flush throughput to hide write / network latency. The default is 1.

slow_flush_log_threshold

The threshold for checking chunk flush performance. The default value is 20.0 seconds. Note that parameter type is float, not time.

If a chunk flush takes longer than this threshold, fluentd logs a warning message like the one below:

2016-12-19 12:00:00 +0000 [warn]: buffer flush took longer time than slow_flush_log_threshold: elapsed_time = 15.0031226690043695 slow_flush_log_threshold=10.0 plugin_id="foo"

log_level option

The log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.

Further Reading

fluent-plugin-secure-forward repository

Installation: out_secure_forward is not included in either the td-agent package or the fluentd gem. To install it, please refer to the Plugin Management article.

buffer_type: The buffer type is memory by default (buf_memory) for ease of testing; however, the file (buf_file) buffer type is always recommended for production deployments. If you use the file buffer type, the buffer_path parameter is required.

buffer_queue_limit, buffer_chunk_limit: The length of the chunk queue and the size of each chunk, respectively. Please see the Buffer Plugin Overview article for the basic buffer structure. The default values are 64 and 8m, respectively. The suffixes "k" (KB), "m" (MB), and "g" (GB) can be used for buffer_chunk_limit.

log_level: Please see the logging article for further details.

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.