Syslog over UDP
All the application code here is available from the docs git repository.
The syslog udp example demonstrates a number of things:
- Encoding data in the syslog format.
- Sending data over UDP.
- Receiving data over UDP.
- Decoding syslog formatted data.
To keep it digestible, it is entirely self-contained inside a single tremor instance, using multiple parallel pipelines, sinks and sources.
Setup
All the code here is available in the git repository as well and can be run with docker compose up.
Environment
The sources and sinks we use are:
- The metronome source - to generate data in one second intervals.
- The udp sink - to send the data over UDP.
- The udp source - to receive data via UDP.
- The stdout sink - to display data decoded and re-formatted as JSON.
In addition we have two pipelines.
The producer pipeline takes the tick from metronome and generates a syslog message. It only handles message rewriting.
The consumer pipeline takes the syslog message and forwards it. It is a passthrough pipeline.
The binding expresses those relations and gives the graph of onramp, pipeline and offramp. We are left with these two workflows:
metronome -> producer -> syslog-udp-out
syslog-udp-in -> consumer -> stdout-output
Finally the mapping instantiates the binding with the given name and instance variable to activate the elements of the binding.
Business Logic
The only interesting part to look at is the event rewriting: it takes an example syslog message and adds event.id as a structured_data field.
select {
  "severity": "notice",
  "facility": "local4",
  "hostname": "example.com",
  "appname": "evntsog",
  "msg": "BOMAn application event log entry...",
  "procid": null,
  "msgid": "ID47",
  "protocol": "RFC5424",
  "protocol_version": 1,
  "structured_data": {
    "exampleSDID@32473": [
      {"eventSource": "Tremor"},
      {"eventID": "#{ event.id }"}
    ]
  },
  "timestamp": event.ingest_ns
} from in into out
Testing
If using the CLI, you can run the server using config artifacts and see a log message triggered by the metronome every second being transformed by the pipeline into json and sent to stdout:
$ tremor server run -f docs/recipes/14_syslog_udp/etc/tremor/config/*
tremor version: 0.11.12 heads/v0.11.12:77792d92a9e5788eb221b1e64cde4d2dce756340
...
>> {"hostname":"example.com","severity":"notice","facility":"local4","timestamp":1651666687465441000,"protocol":"RFC5424","protocol_version":1,"appname":"evntsog","msgid":"ID47","structured_data":{"exampleSDID@32473":[{"eventSource":"Tremor"},{"eventID":"0"}]},"procid":null,"msg":"BOMAn application event log entry..."}
>> {"hostname":"example.com","severity":"notice","facility":"local4","timestamp":1651666688468303000,"protocol":"RFC5424","protocol_version":1,"appname":"evntsog","msgid":"ID47","structured_data":{"exampleSDID@32473":[{"eventSource":"Tremor"},{"eventID":"1"}]},"procid":null,"msg":"BOMAn application event log entry..."}
Since the config enables a syslog receiver on port 12201, you should be able to send custom syslog messages with the logger command.
$ logger -d -n 127.0.0.1 -P 12201 "Weeeeh. It works :D"
NOTE: If you are running the recipe inside a docker container, execute the command inside the container using docker exec. If you are running using the CLI, leave tremor running and execute this in a different terminal window.
You should be able to see a message similar to this in the tremor output.
>> {"hostname":"neptune","severity":"notice","facility":"user","timestamp":1651671807829230000,
"protocol":"RFC5424", "protocol_version":1,"appname":"sandipb","msgid":null,
"structured_data":{"timeQuality":[{"tzKnown":"1"},{"isSynced":"1"},{"syncAccuracy":"153500"}]},
"procid":null, "msg":"Weeeeh. It works :D"}