Log File updates appear, but no logs collected

Hi,
Possibly related to my other issue.

I am running an NXlog sidecar collector for my kubernetes cluster, and have noticed that the Sidecar Status page lists all log files in the directory specified in my configuration file (default, except for the lines listed below), and is quick to mark them blue as soon as they are updated. Despite this, no logs are appearing when I choose “Show Messages”.

I tried adding a new sidecar_files input in order to monitor the frequently updated sidecar log files listed on the status page, e.g. /var/log/graylog-sidecar/sidecar.log, but this does not appear either.

Have I missed something obvious, or is there some further configuration/change in the existing one I need to make the log file changes make their way to my search page too?

Cheers,
Oscar


/etc/graylog/sidecar/sidecar.yaml:

...
server_url: "http://<host>/api/"
...
server_api_token: "<token>"
...
list_log_files: ["/var/log"]
...

Collector configuration:

define ROOT /usr/bin

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

<Extension syslogExt>
  Module xm_syslog
</Extension>

User nxlog
Group nxlog

Moduledir /usr/libexec/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO


<Input pod_files>
	Module im_file
	File '/var/log/pods/*/*/*.log'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>

<Input container_files>
	Module im_file
	File '/var/log/containers/*.log'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>

<Input sidecar_files>
	Module im_file
	File '/var/log/graylog-sidecar/*.log'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>

#<Input syslog-udp>
#	Module im_udp
#	Host 127.0.0.1
#	Port 514
#	Exec parse_syslog_bsd();
#</Input>

<Output gelf>
	Module om_tcp
	#Host 192.168.1.1
    # ClusterIP:
	Host 10.105.109.129
	Port 12201
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>


<Route route-1>
  Path pod_files => gelf
</Route>
<Route route-2>
  Path container_files => gelf
</Route>
<Route route-3>
  Path sidecar_files => gelf
</Route>

I think I figured it out, and I think the answer is I missed something obvious…

The NXLog backend is not running in the kubernetes cluster but rather on the server nodes - but the IP address of the Host is the ClusterIP of the kubernetes service. I’ll have to experiment using NodePorts or something like that in order to get the logs into the cluster.

My current method includes updating the graylog ingress with the following:

        - backend:
            serviceName: graylog-tcp
            servicePort: gelf1
          path: /gelf

and I’ve successfully sent logs in using

curl <host>/gelf -p0 -d '{"short_message":"foo", "host":"temp"}'

For some reason it seems like NXLog doesn’t have access to my log files; I tried pointing directly to one of the files but from the /var/log/graylog-sidecar/nxlog_stderr.log I found it threw a Permission denied error. I noticed the log files in /var/log/pods/ are actually symlinks to log files in /var/lib/docker/containers/, and now I'm thinking maybe that could be a cause of the issue if NXLog is unable to treat the links as regular files. Does the root directory of the originals need to be added to the `list_log_files` for NXLog to find them via symlinks, i.e. do I have to add `/var/lib/containers/`?

It feels like that could send an unnecessary amount of data and detail.
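An added example, not part of the original posts: a mode-bit check that follows a log symlink to its target and reports the first directory or file that would give the collector account a Permission denied. The function names and the `below` parameter are hypothetical; the `nxlog` account and the `/var/log/pods` glob are taken from the collector configuration above, and only owner/group/other bits are modelled.

```python
import os

def _allowed(st, uid, gids, want):
    """POSIX class selection: owner bits if uid matches, else group, else other."""
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & want)
    if st.st_gid in gids:
        return bool((st.st_mode >> 3) & want)
    return bool(st.st_mode & want)

def first_denied(path, uid, gids, below=os.sep):
    """Return (component, reason) for the first thing that stops the account
    (uid, gids) from reading `path`, or None if the mode bits allow it.
    Not modelled: ACLs, SELinux, root override, symlinked parent directories.
    Directories outside `below` are skipped."""
    hops = [os.path.abspath(path)]
    # Expand the symlink chain of the final component (bounded against loops).
    while os.path.islink(hops[-1]) and len(hops) < 40:
        link = hops[-1]
        hops.append(os.path.normpath(
            os.path.join(os.path.dirname(link), os.readlink(link))))
    prefix = below.rstrip(os.sep) + os.sep
    for hop in hops:
        # Every directory leading to the link and to its target needs search (x).
        dirs, d = [], os.path.dirname(hop)
        while True:
            dirs.append(d)
            if d == os.path.dirname(d):
                break
            d = os.path.dirname(d)
        for d in reversed(dirs):
            if (d + os.sep).startswith(prefix) and not _allowed(os.stat(d), uid, gids, 1):
                return (d, "no search (x) permission on directory")
    if not _allowed(os.stat(hops[-1]), uid, gids, 4):
        return (hops[-1], "no read (r) permission on file")
    return None

if __name__ == "__main__":
    import glob, pwd
    acct = pwd.getpwnam("nxlog")  # account name from the collector config on the page
    gids = {acct.pw_gid} | set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    for f in glob.glob("/var/log/pods/*/*/*.log"):
        print(f, "->", first_denied(f, acct.pw_uid, gids) or "readable by mode bits")
```

A result naming a directory on the target side of the symlink means the link itself is fine and the account lacks search permission on the real storage path.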
