Fluentd
secure_forward
The out_secure_forward output plugin sends events to an in_secure_forward receiver over an SSL/TLS connection, authenticating the peer with a shared key and, optionally, a username and password (cf. in_secure_forward). This document does not describe every parameter; see the Further Reading section for the full feature set.

Installation

out_secure_forward is not included in the td-agent package or the fluentd gem. To install it, refer to the Plugin Management article.

Example Configurations

This section provides some example configurations for out_secure_forward.

Minimalist Configuration

First, generate the private CA files on the input-plugin (receiver) side with secure-forward-ca-generate, then copy the CA certificate to the output-plugin (sender) side by a safe method (scp or similar). Only the certificate (ca_cert.pem) needs to be copied; the CA private key stays on the receiver.
```
<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host server.fqdn.local # or IP
    # port 24284
  </server>
</match>
```
A hostname ACL is not yet implemented, so the receiver never checks `self_hostname`; it is only carried in the handshake. The `"#{Socket.gethostname}"` placeholder can be used to fill it with the local hostname in such cases:
```
<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname "#{Socket.gethostname}"
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host server.fqdn.local # or IP
    # port 24284
  </server>
</match>
```

Multiple Forward Destinations over SSL

When two or more `<server>...</server>` clauses are specified, out_secure_forward uses these server nodes in round-robin order. Servers with `standby yes` are NOT selected until all non-standby servers are down.
If a server requires a username and password, set `username` and `password` in its `<server>` section:
```
<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host first.fqdn.local
    username repeatedly
    password sushi
  </server>
  <server>
    host second.fqdn.local
    username sasatatsu
    password karaage
  </server>
  <server>
    host standby.fqdn.local
    username kzk
    password hawaii
    standby yes
  </server>
</match>
```
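The selection rule described above (round-robin over non-standby servers, standby servers used only once every non-standby server is down) is easy to get wrong when reasoning about failover, so here is a small model of it. This is an added example written for this page, not the plugin's own node-selection code; the host names are the constructed ones from the configuration above, and the `up`/`down` state is something the real plugin derives from connection errors and reconnect attempts.

```ruby
# Added example: models out_secure_forward's server selection as this page
# describes it. Not the plugin's implementation.
class NodeSelector
  Node = Struct.new(:host, :standby, :up)

  # servers: array of {host:, standby:} hashes in configuration order
  def initialize(servers)
    @nodes = servers.map { |s| Node.new(s[:host], s.fetch(:standby, false), true) }
    @rr = 0 # round-robin cursor
  end

  # Host to send the next chunk to, or nil when every server is down.
  # Non-standby servers are preferred; standby servers are only considered
  # when no non-standby server is up.
  def pick
    pool = @nodes.select { |n| n.up && !n.standby }
    pool = @nodes.select { |n| n.up && n.standby } if pool.empty?
    return nil if pool.empty?
    node = pool[@rr % pool.size]
    @rr += 1
    node.host
  end

  # Mark a server as unreachable (the plugin would do this on a connection
  # failure) or as recovered (after a successful reconnect).
  def down(host)
    set_state(host, false)
  end

  def up(host)
    set_state(host, true)
  end

  private

  def set_state(host, state)
    node = @nodes.find { |n| n.host == host }
    raise ArgumentError, "unknown host #{host}" unless node
    node.up = state
  end
end
```

With the three-server configuration above, traffic alternates between first and second; when both are down, standby is used, and as soon as a non-standby server recovers it takes over again.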
Use the keepalive parameter to set how long a connection is kept before it is closed and reopened. For example, the configuration below drops and re-establishes its SSL connection every hour. By default keepalive is 0 and the connection is kept until a connection error occurs. Periodic reconnection is useful to pick up DNS name changes and to refresh the SSL session keys.
```
<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  keepalive 3600
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host server.fqdn.local # or IP
    # port 24284
  </server>
</match>
```

Secure Sender-Receiver Setup

Example of sending and receiving several different kinds of logs (format is set to none for simplicity here). Note that the sender below sets `allow_self_signed_certificate true`; in production, prefer verifying the receiver's certificate against the private CA via `ca_cert_path` rather than accepting self-signed certificates.

Sender

```
# td-agent secured client (sender)

<source>
  @type tail
  path /appbase/logs/apache/apache_access_log
  pos_file /var/log/td-agent/tmp/apache.access.pos
  tag apache.access
  format none
</source>

<source>
  @type tail
  path /appbase/logs/apache/apache_error_log
  pos_file /var/log/td-agent/tmp/apache.error.pos
  tag apache.error
  format none
</source>

<source>
  @type tail
  path /appbase/logs/webapp/elastic_search.log
  pos_file /var/log/td-agent/tmp/elastic.search.pos
  tag elastic.search
  format none
</source>

<source>
  @type tail
  path /appbase/logs/webapp/elastic_search_poller.log
  pos_file /var/log/td-agent/tmp/elastic.search.poller.pos
  tag elastic.poller
  format none
</source>

<source>
  @type tail
  path /appbase/logs/webapp/ldap.log
  pos_file /var/log/td-agent/tmp/ldap.log.pos
  tag ldap.log
  format none
</source>

#-- Application Logs

<match apache.*>
  @type copy
  <store>
    @type secure_forward
    shared_key Supers3cr3t
    allow_self_signed_certificate true
    self_hostname frontend01.dev.company.net
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem

    <server>
      host logserver01.prd.company.net
      port 2514
    </server>
    <server>
      host logserver02.prd.company.net
      port 2514
    </server>
  </store>
</match>

<match elastic.*>
  @type copy
  <store>
    @type secure_forward
    shared_key Supers3cr3t
    allow_self_signed_certificate true
    self_hostname frontend01.dev.company.net
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem

    <server>
      host logserver01.prd.company.net
      port 2514
    </server>
    <server>
      host logserver02.prd.company.net
      port 2514
    </server>
  </store>
</match>

<match ldap.*>
  @type copy
  <store>
    @type secure_forward
    shared_key Supers3cr3t
    allow_self_signed_certificate true
    self_hostname frontend01.dev.company.net
    secure true
    ca_cert_path /path/to/certificate/ca_cert.pem

    <server>
      host logserver01.prd.company.net
      port 2514
    </server>
    <server>
      host logserver02.prd.company.net
      port 2514
    </server>
  </store>
</match>

#-- NOTE: to troubleshoot any action after "@type copy"
#-- and receive more output in td-agent.log, add:
#-- <store>
#--   @type stdout
#-- </store>

#-- Fluent Internal Logs

<match **>
  @type secure_forward
  shared_key Supers3cr3t
  self_hostname frontend01.dev.company.net
  flush_interval 8s
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem

  <server>
    host logserver01.prd.company.net
    port 2514
  </server>
  <server>
    host logserver02.prd.company.net
    port 2514
  </server>
</match>
```

Receiver

```
# td-agent secured receiver (server)

<source>
  @type secure_forward
  shared_key Supers3cr3t
  self_hostname logserver01.prd.company.net
  port 2514
  secure true
  ca_cert_path /path/to/certificate/ca_cert.pem
  ca_private_key_path /path/to/certificate/ca_key.pem
  ca_private_key_passphrase passphrase_for_private_CA_secret_key
</source>

#-- Application Logs

<match *.access>
  @type file
  append true
  path /appbase/logs/received/access
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match *.error>
  @type file
  append true
  path /appbase/logs/received/error
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match elastic.search>
  @type file
  append true
  path /appbase/logs/received/elastic_search
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match elastic.poller>
  @type file
  append true
  path /appbase/logs/received/elastic_search_poller
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

<match ldap.*>
  @type file
  append true
  path /appbase/logs/received/ldap
  time_slice_format %Y%m%d
  time_slice_wait 5m
  time_format %Y%m%dT%H:%M:%S%z
</match>

#-- Fluent Internal Logs

<match fluent.info>
  @type file
  append true
  path /appbase/logs/received/fluent-info
</match>

<match fluent.warn>
  @type file
  append true
  path /appbase/logs/received/fluent-warn
</match>
```

Parameters

type

This parameter is required. Its value must be secure_forward (written as `@type secure_forward` in the examples above).

port (integer)

The default value is 24284. Set it inside a `<server>` section when the receiver listens on a different port, as in the examples above.

bind (string)

The default value is 0.0.0.0.

secure (bool)

Indicates whether the connection is encrypted with SSL/TLS. Specify yes (or true) when encryption is needed. With secure set to false the shared-key handshake still authenticates the peers, but records are sent in plaintext and can be read or altered on the wire.

ca_cert_path (string)

The file path of the private CA certificate. This is the certificate generated on the receiver side and copied to each sender; it must match the CA used by the input plugin, since it is what the sender uses to verify the receiver's certificate. The default is blank, but the parameter must be specified unless the receiver uses a certificate signed by a public CA.

self_hostname (string)

The hostname this sender reports to the receiver in the handshake. Because a hostname ACL is not yet implemented, the receiver does not check it (see the minimalist configuration above).

shared_key (string)

The shared key that the sender and receiver use to authenticate each other; it must be identical on both sides. Treat it as a password: anyone who knows it can submit events to the receiver.
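To make concrete what the shared key (and the optional username/password from the `<server>` section) actually protects, the following models the secure_forward HELO / PING / PONG handshake with both sides' messages. This is an added example written for this page, not the plugin's own code: the message layout and digest inputs follow my reading of the fluent-plugin-secure-forward protocol (SHA-512 over salt, hostname, nonce and shared key) and should be checked against the plugin source before being relied on; nonces and salts here are hex strings rather than the raw bytes a real implementation might use, and the sample hostnames, key and credentials are the constructed values from the configurations above.

```ruby
require 'digest'
require 'securerandom'

# Added example: model of the secure_forward shared-key handshake.
# Not the plugin's implementation; layout follows my reading of the protocol.

# Receiver side (in_secure_forward). It never sends the shared key: the client
# must prove knowledge of it by digesting the receiver's fresh nonce with it.
class Receiver
  attr_reader :hostname

  # users: {"name" => "password"}; empty hash means no username/password check
  def initialize(hostname:, shared_key:, users: {})
    @hostname   = hostname
    @shared_key = shared_key
    @users      = users
  end

  # HELO opens a session with a fresh nonce (replay protection) and, when
  # user authentication is enabled, a salt for the password digest.
  def helo
    @nonce     = SecureRandom.hex(16)
    @auth_salt = @users.empty? ? '' : SecureRandom.hex(16)
    ['HELO', { 'nonce' => @nonce, 'auth' => @auth_salt, 'keepalive' => true }]
  end

  # Verify PING and answer with PONG. On failure only a reason is returned;
  # the expected digest is never disclosed.
  def pong(ping)
    _, client_host, salt, digest, user, pass_digest = ping
    expected = Digest::SHA512.hexdigest(salt + client_host + @nonce + @shared_key)
    unless secure_equal?(expected, digest)
      return ['PONG', false, 'shared_key mismatch', @hostname, '']
    end
    unless @users.empty?
      pw = @users[user]
      ok = pw && secure_equal?(Digest::SHA512.hexdigest(@auth_salt + user + pw), pass_digest)
      return ['PONG', false, 'username/password mismatch', @hostname, ''] unless ok
    end
    # The receiver proves it knows the key too, using the client's salt and
    # its own hostname, so a rogue receiver cannot simply say "accepted".
    ['PONG', true, '', @hostname,
     Digest::SHA512.hexdigest(salt + @hostname + @nonce + @shared_key)]
  end

  private

  # Constant-time comparison so a digest mismatch cannot be timed.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Sender side (out_secure_forward).
class Sender
  def initialize(self_hostname:, shared_key:, username: nil, password: nil)
    @self_hostname = self_hostname
    @shared_key    = shared_key
    @username      = username
    @password      = password
  end

  # PING: self_hostname, a client salt, and the shared-key digest bound to
  # the receiver's nonce; username/password digest or empty strings.
  def ping(helo)
    @nonce = helo[1]['nonce']
    @salt  = SecureRandom.hex(16)
    msg = ['PING', @self_hostname, @salt,
           Digest::SHA512.hexdigest(@salt + @self_hostname + @nonce + @shared_key)]
    if @username && @password
      msg.push(@username, Digest::SHA512.hexdigest(helo[1]['auth'] + @username + @password))
    else
      msg.push('', '')
    end
    msg
  end

  # Accept the session only if the receiver also proved knowledge of the key.
  def accept?(pong)
    _, ok, _reason, server_host, server_digest = pong
    return false unless ok
    Digest::SHA512.hexdigest(@salt + server_host + @nonce + @shared_key) == server_digest
  end
end

# Run one handshake in-process; returns true when both sides accept it.
def handshake(sender, receiver)
  helo = receiver.helo
  ping = sender.ping(helo)
  pong = receiver.pong(ping)
  sender.accept?(pong)
end
```

Two points worth noticing: the key itself never crosses the wire, only salted, nonce-bound digests of it, and the check is mutual, so a sender refuses a receiver that does not know the key. What the handshake does not do is encrypt the records that follow; that is what `secure true` and the CA certificate are for.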

keepalive (time)

The duration for which a connection is kept before it is closed and reopened. If this parameter is not specified, keepalive is disabled and a connection is only re-established after an error.

send_timeout (time)

The send timeout value for sockets. The default value is 60 seconds.

reconnect_interval (time)

The interval between SSL reconnects. The default value is 5 seconds.

read_length (integer)

The number of bytes read per nonblocking read. The default value is 8MB = 8*1024*1024 = 8388608 bytes.

read_interval_msec (integer)

The interval between the non-blocking reads, in milliseconds. The default value is 50.

socket_interval_msec (integer)

The interval between SSL reconnects in milliseconds. The default value is 200.

Buffered Output Parameters

For advanced usage, you can tune Fluentd's internal buffering mechanism with these parameters.

buffer_type

The buffer type is memory by default (buf_memory) for the ease of testing, however file (buf_file) buffer type is always recommended for the production deployments. If you use file buffer type, buffer_path parameter is required.

buffer_queue_limit, buffer_chunk_limit

The length of the chunk queue and the size of each chunk, respectively. Please see the Buffer Plugin Overview article for the basic buffer structure. The default values are 64 and 8m, respectively. The suffixes "k" (KB), "m" (MB), and "g" (GB) can be used for buffer_chunk_limit.

flush_interval

The interval between data flushes. The default is 60s. The suffixes "s" (seconds), "m" (minutes), and "h" (hours) can be used.

flush_at_shutdown

If set to true, Fluentd waits for the buffer to flush at shutdown. By default, it is set to true for Memory Buffer and false for File Buffer.

retry_wait, max_retry_wait

The initial and maximum intervals between write retries. The default values are 1.0 seconds and unset (no limit). The interval doubles (with +/-12.5% randomness) on every retry until max_retry_wait is reached.
Since td-agent retries 17 times before giving up by default (see the retry_limit parameter for details), the sleep interval can grow to approximately 131072 seconds (roughly 36 hours) in the default configuration. Set max_retry_wait when you would rather see frequent retries than hour-long gaps in a log pipeline.
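The following works the retry schedule through numerically so the effect of retry_wait, max_retry_wait and retry_limit can be checked before choosing values. It is an added example for this page, not Fluentd's buffer code: it assumes the wait before the k-th retry is retry_wait * 2^(k-1), capped at max_retry_wait, with the +/-12.5% jitter applied on top; the exact exponent convention inside a given Fluentd version may differ by one step, so treat the numbers as the order of magnitude the text describes rather than exact values.

```ruby
# Added example: retry schedule implied by retry_wait / max_retry_wait /
# retry_limit as described on this page. Not Fluentd's own buffer code; the
# exponent convention (2**(k-1) before the k-th retry) is an assumption.

# Wait in seconds before retry number k (1-based), before jitter, honouring
# the max_retry_wait cap when one is set.
def retry_wait_for(k, retry_wait: 1.0, max_retry_wait: nil)
  wait = retry_wait * (2**(k - 1))
  max_retry_wait ? [wait, max_retry_wait].min : wait
end

# Apply the +/-12.5% randomisation. rand_fn is injectable so the result can be
# checked deterministically; by default it uses Kernel#rand.
def jittered(wait, rand_fn = -> { rand })
  wait * (1.0 + (rand_fn.call * 2 - 1) * 0.125)
end

# Full schedule: waits before retry 1..retry_limit (no jitter). With
# disable_retry_limit true the sequence would simply continue; pass a larger
# retry_limit to inspect that case.
def backoff_schedule(retry_wait: 1.0, max_retry_wait: nil, retry_limit: 17)
  (1..retry_limit).map do |k|
    retry_wait_for(k, retry_wait: retry_wait, max_retry_wait: max_retry_wait)
  end
end

# Seconds from the first failure until buffered data is discarded (no jitter).
def time_to_discard(**opts)
  backoff_schedule(**opts).sum
end
```

With the defaults this gives a final wait of 65536 s and a total of 131071 s (about 36 hours) before data is discarded, matching the order of magnitude in the text; capping with max_retry_wait 300 shrinks the same 17 retries to under an hour, which is usually the better trade-off for a log pipeline where a missing server should be noticed quickly.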

retry_limit, disable_retry_limit

The limit on the number of retries before buffered data is discarded, and an option to disable that limit (if true, the value of retry_limit is ignored and there is no limit). The default values are 17 and false (not disabled). If the limit is reached, buffered data is discarded and the retry interval is reset to its initial value (retry_wait).

num_threads

The number of threads to flush the buffer. This option can be used to parallelize writes into the output(s) designated by the output plugin. Increasing the number of threads improves the flush throughput to hide write / network latency. The default is 1.

slow_flush_log_threshold

The threshold for checking chunk flush performance. The default value is 20.0 seconds. Note that the parameter type is float, not time.
If a chunk flush takes longer than this threshold, fluentd logs a warning like the following (shown here with the threshold set to 10.0):

```
2016-12-19 12:00:00 +0000 [warn]: buffer flush took longer time than slow_flush_log_threshold: elapsed_time = 15.0031226690043695 slow_flush_log_threshold=10.0 plugin_id="foo"
```

log_level option

The log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.
Please see the logging article for further details.

Further Reading

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open source project under the Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.