Before Installation

PreviousInstallation NextInstall fluent-package

Last updated 2 years ago

Was this helpful?

Before Installation

Before installing Fluentd, make sure that your environment is properly set up to avoid any inconsistencies at a later stage.

Follow these recommendations:

Set Up NTP
Increase the Maximum Number of File Descriptors
Optimize the Network Kernel Parameters

Set Up NTP

It is highly recommended that you set up an NTP daemon (e.g. , ntpd, etc.) on the node to have an accurate current timestamp. This is crucial for all the production-grade logging services.

For Amazon Web Services users, we recommend using the .

Increase the Maximum Number of File Descriptors

Increase the maximum number of file descriptors. You can check the existing configuration using the ulimit -n command:

$ ulimit -n
65535

If your console shows 1024, it is insufficient. Please add the following lines to your /etc/security/limits.conf file and reboot your machine:

root soft nofile 65536
root hard nofile 65536
* soft nofile 65536
* hard nofile 65536

If you are running fluentd under systemd, the option LimitNOFILE=65536 can also be used. And, if you are using the td-agent package, this value is set up by default.

Optimize the Network Kernel Parameters

For high load environments with many Fluentd instances, add the following configuration to your /etc/sysctl.conf file:

net.core.somaxconn = 1024
net.core.netdev_max_backlog = 5000
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_wmem = 4096 12582912 16777216
net.ipv4.tcp_rmem = 4096 12582912 16777216
net.ipv4.tcp_max_syn_backlog = 8096
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10240 65535
# If forward uses port 24224, reserve that port number for use as an ephemeral port.
# If another port, e.g., monitor_agent uses port 24220, add a comma-separated list of port numbers.
# net.ipv4.ip_local_reserved_ports = 24220,24224
net.ipv4.ip_local_reserved_ports = 24224

Use sysctl -p command or reboot your node for the changes to take effect.

Use sticky bit symlink/hardlink protection

NOTE: CentOS 7 or later, Ubuntu 18.04 (bionic) or later, and Debian GNU/Linux 10 (buster) or later are supported these parameters.

Fluentd sometimes uses predictable paths for dumping, writing files, and so on. This default settings for the protections are in /etc/sysctl.d/10-link-restrictions.conf, or /usr/lib/sysctl.d/50-default.conf or elsewhere.

For symlink attack protection, check the following parameters are set to 1:

fs.protected_hardlinks = 1
fs.protected_symlinks = 1

This settings are almost enough for time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) which are a class of software bugs.

If you turned off these protections, please turn them on.

Use sysctl -p command or reboot your node for the changes to take effect.

PreviousInstallation NextInstall fluent-package

Last updated 2 years ago

Was this helpful?

Before installing Fluentd, make sure that your environment is properly set up to avoid any inconsistencies at a later stage.

Follow these recommendations:

Set Up NTP
Increase the Maximum Number of File Descriptors
Optimize the Network Kernel Parameters

Set Up NTP

It is highly recommended that you set up an NTP daemon (e.g. , ntpd, etc.) on the node to have an accurate current timestamp. This is crucial for all the production-grade logging services.

For Amazon Web Services users, we recommend using the .

Increase the Maximum Number of File Descriptors

Increase the maximum number of file descriptors. You can check the existing configuration using the ulimit -n command:

$ ulimit -n
65535

If your console shows 1024, it is insufficient. Please add the following lines to your /etc/security/limits.conf file and reboot your machine:

root soft nofile 65536
root hard nofile 65536
* soft nofile 65536
* hard nofile 65536

If you are running fluentd under systemd, the option LimitNOFILE=65536 can also be used. And, if you are using the td-agent package, this value is set up by default.

Optimize the Network Kernel Parameters

For high load environments with many Fluentd instances, add the following configuration to your /etc/sysctl.conf file:

net.core.somaxconn = 1024
net.core.netdev_max_backlog = 5000
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_wmem = 4096 12582912 16777216
net.ipv4.tcp_rmem = 4096 12582912 16777216
net.ipv4.tcp_max_syn_backlog = 8096
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10240 65535
# If forward uses port 24224, reserve that port number for use as an ephemeral port.
# If another port, e.g., monitor_agent uses port 24220, add a comma-separated list of port numbers.
# net.ipv4.ip_local_reserved_ports = 24220,24224
net.ipv4.ip_local_reserved_ports = 24224

Use sysctl -p command or reboot your node for the changes to take effect.

These kernel options were originally taken from the presentation by , Senior Performance Architect at AWS re:Invent 2017.

Use sticky bit symlink/hardlink protection

NOTE: CentOS 7 or later, Ubuntu 18.04 (bionic) or later, and Debian GNU/Linux 10 (buster) or later are supported these parameters.

For symlink attack protection, check the following parameters are set to 1:

fs.protected_hardlinks = 1
fs.protected_symlinks = 1

This settings are almost enough for time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) which are a class of software bugs.

If you turned off these protections, please turn them on.

Use sysctl -p command or reboot your node for the changes to take effect.

If this article is incorrect or outdated, or omits critical information, please . is an open-source project under . All components are available under the Apache 2 License.