Fluentd
Search…
Before Installation
Before installing Fluentd, make sure that your environment is properly set up to avoid any inconsistencies at a later stage.
Follow these recommendations:
    Set Up NTP
    Increase the Maximum Number of File Descriptors
    Optimize the Network Kernel Parameters

Set Up NTP

It is highly recommended that you set up an NTP daemon (e.g. chrony, ntpd, etc.) on the node to have an accurate current timestamp. This is crucial for all the production-grade logging services.
For Amazon Web Services users, we recommend using the AWS-hosted NTP server.

Increase the Maximum Number of File Descriptors

Increase the maximum number of file descriptors. You can check the existing configuration using the ulimit -n command:
1
$ ulimit -n
2
65535
Copied!
If your console shows 1024, it is insufficient. Please add the following lines to your /etc/security/limits.conf file and reboot your machine:
1
root soft nofile 65536
2
root hard nofile 65536
3
* soft nofile 65536
4
* hard nofile 65536
Copied!
If you are running fluentd under systemd, the option LimitNOFILE=65536 can also be used. And, if you are using the td-agent package, this value is set up by default.

Optimize the Network Kernel Parameters

For high load environments with many Fluentd instances, add the following configuration to your /etc/sysctl.conf file:
1
net.core.somaxconn = 1024
2
net.core.netdev_max_backlog = 5000
3
net.core.rmem_max = 16777216
4
net.core.wmem_max = 16777216
5
net.ipv4.tcp_wmem = 4096 12582912 16777216
6
net.ipv4.tcp_rmem = 4096 12582912 16777216
7
net.ipv4.tcp_max_syn_backlog = 8096
8
net.ipv4.tcp_slow_start_after_idle = 0
9
net.ipv4.tcp_tw_reuse = 1
10
net.ipv4.ip_local_port_range = 10240 65535
Copied!
Use sysctl -p command or reboot your node for the changes to take effect.
These kernel options were originally taken from the presentation How Netflix Tunes EC2 Instances for Performance by Brendan Gregg, Senior Performance Architect at AWS re:Invent 2017.

Use sticky bit symlink/hardlink protection

NOTE: CentOS 7 or later, Ubuntu 18.04 (bionic) or later, and Debian GNU/Linux 10 (buster) or later are supported these parameters.
Fluentd sometimes uses predictable paths for dumping, writing files, and so on. This default settings for the protections are in /etc/sysctl.d/10-link-restrictions.conf, or /usr/lib/sysctl.d/50-default.conf or elsewhere.
For symlink attack protection, check the following parameters are set up as 1:
1
fs.protected_hardlinks = 1
2
fs.protected_symlinks = 1
Copied!
This settings are almost enough for time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) which are class of software bugs.
If you turned off these protections, please turn on them.
Use sysctl -p command or reboot your node for the changes to take effect.
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Last modified 15d ago