Send docker syslogs to telegraf

syslog to influx.md

Syslog to InfluxDB

docker => syslog (RFC5424, non-transparent) => telegraf => (*)

Docker can use syslog as a log driver.

Anyway it transport syslog message towards destination using the non-transparent framing technique (also if deprecated by the octet-counting).

Using the telegraf syslog input plugin link.

Steps:

1. Start a telegraf on your localhost with telegraf.conf

2. Configure docker to use the syslog log driver placing the following JSON into /etc/docker/daemon.json directory.

   {
     "log-driver": "syslog",
     "log-opts": {
       "syslog-address": "tcp://127.0.0.1:6514",
       "syslog-format": "rfc5424",
       "mode": "non-blocking",
     }
   }

3. Look at the telegraf logs (configure a output.influxdb output to send the measurements, fields, and tags extracted from syslog messages directly to InfluxDB)

Another possible setup:

1. Start a containerised telegraf with such configuration

   docker run -v $(pwd)/telegraf.conf:/etc/telegraf/telegraf.conf -p 6514:6514 --name tele -d telegraf:1.9.2

2. Start some spammy container with syslog log driver and options

   docker run -it --log-driver syslog --log-opt syslog-address="tcp://127.0.0.1:6514" --log-opt syslog-format=rfc5424 somespammyimage somespammycommand

3. Enjoy at docker logs -f tele (same as above applies to send them to InfluxDB or other outputs).

telegraf.conf

[global_tags]
  env = "logging"

  [agent]
    interval = "10s"
    round_interval = true
    metric_batch_size = 1000
    metric_buffer_limit = 10000
    collection_jitter = "0s"
    flush_interval = "10s"
    flush_jitter = "0s"
    precision = ""
    debug = false
    quiet = false
    logfile = ""
    hostname = "$HOSTNAME"
    omit_hostname = false

  [[outputs.file]]
    files = ["stdout"]

  [[inputs.syslog]]
    server = "tcp://:6514"
    best_effort = true
    framing = "non-transparent"