This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Install AxoSyslog with Helm

AxoSyslog provides Helm charts for syslog-ng. You can use these charts to install cloud-ready syslog-ng images created and maintained by Axoflow.

Prerequisites

You must have Helm 3.0 or newer installed to use these charts. Refer to the official Helm documentation for details.

Syslog collector and syslog server use cases

The chart provides parameters that make it easy to deploy AxoSyslog for the following use cases:

  • As a collector, to collect local logs using the kubernetes() source, and forward them to another syslog server, to an opensearch() node, or to another AxoSyslog node.
  • As a syslog server:
    • to receive RFC3164 and RFC5424 formatted syslog messages from any sender, or syslog-ng-otlp messages from another AxoSyslog node, and then
    • store them locally, or forward them to remote destinations.

These two use cases are independent from each other and can be configured separately. For other use cases, for example, to use other sources and destinations, you can use the config.raw parameter of the collector or the server. For the list of configurable parameters and their default values, see Parameters of the AxoSyslog Helm chart.

Install

To install the axosyslog chart, complete the following steps.

  1. Clone the chart repository.

    helm repo add axosyslog https://axoflow.github.io/axosyslog
helm repo update

  2. Install the chart. The default settings install two pods into the default namespace:

    If need only one of these pods, you can disable it with the collector.enabled or the syslog.enabled parameter, respectively. For the list of configurable parameters and their default values, see Parameters of the AxoSyslog Helm chart. If you want to use disk-buffers, see also How to use disk-buffers in containers and Kubernetes.

    • Install with the default values:

      helm install --generate-name axosyslog/axosyslog

    • Install only the collector:

      helm install --generate-name axosyslog/axosyslog --set syslog.enabled=false

    • Install only the syslog server:

      helm install --generate-name axosyslog/axosyslog --set collector.enabled=false

    The output should be similar to:

    NAME: axosyslog-1713953907
LAST DEPLOYED: Wed Apr 24 12:18:28 2024
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
1. Watch the axosyslog-1713953907 container start.
  $ kubectl get pods --namespace=default -l app=axosyslog-1713953907 -w

  3. Check that the pods are running.

    kubectl get pods

    The output should list the pods that are running: two for the default settings, or one if you have disabled the collector or the syslog pod.

    NAME                                   READY   STATUS    RESTARTS   AGE
axosyslog-1713953907-collector-ddftq   1/1     Running   0          57s
axosyslog-1713953907-syslog-0          1/1     Running   0          57s

  4. Configure the settings of the pods for your use case.

    1. Create a file called my-values.yaml.

    2. Add the configuration needed for your use case. The settings in this file will override the default configuration settings of the chart.

    3. Update your deployment using the my-values.yaml file by running:

      helm upgrade <name-of-your-axosyslog-deployment> axosyslog/axosyslog -f my-values.yaml

      The output should be similar to:

      Release "axosyslog-1713953907" has been upgraded. Happy Helming!
...

      Tip: You can retrieve the non-default values of a deployment by running helm get values <name-of-your-axosyslog-deployment>

  5. For the collector use case, configure the destination where the logs are forwarded. For example, the following values file sends the logs in JSON format to the localhost:514 address via TCP:

    collector:
  config:
    destinations:
      syslog:
        enabled: true
        transport: tcp
        address: localhost
        port: 514
        template: "$(format-json .*)"

    For details and other parameters, see Collector parameters.

  6. For the syslog server use case, you can send test messages from the pods, for example:

    • From the syslog server pod:

      kubectl exec axosyslog-1714389625-syslog-0 -- loggen -S 127.0.0.1 1514

      Expected output:

      count=9328, rate = 882.83 msg/sec
count=9786, rate = 884.20 msg/sec
count=9800, rate = 27.92 msg/sec
average rate = 928.58 msg/sec, count=9800, time=10.5538, (average) msg size=256, bandwidth=232.14 kB/sec

    The generated log messages (like 2024-05-02T10:56:31.000000+00:00 localhost prg00000[1234]: seq: 0000000065, thread: 0000, runid: 1714647391, stamp: 2024-05-02T10:56:31 PADDPADDPADDPADD) should show up in the configured destinations, for example, in the file destination:

    kubectl exec axosyslog-1714389625-syslog-0 -- less /var/log/syslog

How to use disk-buffers in containers and Kubernetes

When you are running AxoSyslog in a container or in Kubernetes, and you want to use disk-buffers, there are some additional things to configure.

  • Make sure to mount the disk-buffer files and the persist file (by default, both are stored in /var/lib/syslog-ng) in a way they are not lost when the pod or container is restarted.
    • In Kubernetes, add a persistent volume to your pod and store the disk buffer files (/var/lib/syslog-ng) there.
    • In a container, mount the disk-buffer directory from the host, or store it on a local volume.
  • Use a reliable disk-buffer only if your storage is fast enough. For example, a low-speed persistent volume in Kubernetes can cause a significant performance degradation for AxoSyslog.
  • Use the latest available version of AxoSyslog, as many related improvements and performance improvements (for example, disk-buffer related metrics) are only supported in recent versions.

If you are using syslog-ng without disk-buffering configured, syslog-ng stores everything in memory, which results in great performance. If you enable disk-buffering, the performance decreases. Make sure to size your observability pipeline appropriately.

Uninstall

Tip: List all installed releases using helm list.

To uninstall a chart release, run:

helm delete <name-of-the-release-to-delete>

1 - Parameters of the AxoSyslog Helm chart

The following table lists the configurable parameters of the AxoSyslog collector chart and their default values. For details on installing the chart, see Install AxoSyslog with Helm.

Collector parameters

When you deploy AxoSyslog as a collector (which is a DaemonSet), it collects and forwards local logs to a destination. You can use the following parameters to configure the collector. The parameters for specific destinations are shown in subsequent sections.

Parameter Description Default
collector.enabled Deploy AxoSyslog as a collector to collect and forward local logs true
collector.config.destinations The configurations of destinations that can be configured using chart values: syslog, opensearch, and syslogNgOtlp. For destinations and options not available as chart values, you can use the collector.config.raw option. ""
collector.config.raw A complete syslog-ng configuration. If this parameter is set, all other parameters in the collector.config section are ignored. You can use this to set parameters that are not available as chart values. For details on how to create a configuration for syslog-ng, see the AxoSyslog Core documentation. ""
collector.config.rewrites.set A list of name-value pairs to set for the collected log messages. Uses the set rewrite rule. {}
collector.config.sources.kubernetes.enabled Collect pod logs using the kubernetes() source. If disabled, the chart doesn’t configure any source. For the list of available sources, see the Sources chapter true
collector.config.sources.kubernetes.prefix Set JSON prefix for logs collected from the Kubernetes cluster ""
collector.config.sources.kubernetes.keyDelimiter Set JSON key delimiter for logs collected from the Kubernetes cluster ""
collector.stats.level Specifies the level of statistics AxoSyslog collects about the processed messages. For details, see (level()). 2

The following example uses the collector.config.raw parameter to configure a custom destination:

collector:
  config:
    raw: |
      @version: 4.9.0
      @include "scl.conf"

      log {
        source {
          syslog(port(12345));
        };

        destination {
          logscale(
            token("your-secret-humio-ingest-token")
          );
        };

        flags(flow-control);
      };

  hostNetworking: true

Syslog destination

Send logs over the network, conforming to RFC3164 using the network() destination driver.

Parameter Description Default
collector.config.destinations.syslog.enabled Enables the destination. false
collector.config.destinations.syslog.address The IP address of the destination host. localhost
collector.config.destinations.syslog.extraOptionsRaw Other options of the network() destination. "time-reopen(10)"
collector.config.destinations.syslog.port The port number to send the messages to. 12345
collector.config.destinations.syslog.template A template to format the messages. "$(format-json .*)"
collector.config.destinations.syslog.transport The transport protocol to use. Possible values: tcp, udp tcp

For example:

collector:
  config:
    destinations:
      syslog:
        enabled: true
        transport: tcp
        address: localhost
        port: 12345
        template: "$(format-json .*)"

OpenSearch destination

Send logs to OpenSearch over HTTP or HTTPS.

Parameter Description Default
collector.config.destinations.opensearch.enabled Enables the destination. false
collector.config.destinations.opensearch.address The URL of the OpenSearch server. http://my-release-opensearch.default.svc.cluster.local:9200
collector.config.destinations.opensearch.index Name of the OpenSearch index that stores the messages. "test-axoflow-index"
collector.config.destinations.opensearch.user The username to use for authentication on the OpenSearch server, if not authenticating with a certificate. "admin"
collector.config.destinations.opensearch.password The password to use for authentication on the OpenSearch server. "admin"
collector.config.destinations.opensearch.template A template to format the messages. "$(format-json .*)"
collector.config.destinations.opensearch.tls.CADir A directory containing a set of trusted CA certificates in PEM format. The name of the files must be the 32-bit hash of the subject’s name. AxoSyslog verifies the certificate of the server using these CA certificates. "/path/to/CADir/"
collector.config.destinations.opensearch.tls.CAFile The CA certificate in PEM format to use when verifying the certificate of the server. "/path/to/CAFile.pem"
collector.config.destinations.opensearch.tls.Cert Name of a file containing an X.509 certificate or a certificate chain in PEM format. AxoSyslog authenticates with this certificate on the server, with the private key set in the collector.config.destinations.opensearch.tls.Key field. If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order. "/path/to/Cert.pem"
collector.config.destinations.opensearch.tls.Key Name of a file containing an unencrypted private key in PEM format. AxoSyslog authenticates with this key and the certificate set in the collector.config.destinations.opensearch.tls.Cert field. "/path/to/Key.pem"
collector.config.destinations.opensearch.tls.peerVerify If true, AxoSyslog verifies the certificate of the server with the CA certificates set in collector.config.destinations.opensearch.tls.CAFile and collector.config.destinations.opensearch.tls.CADir. false

For example:

collector:
  config:
    destinations:
      opensearch:
        - address: 10.104.232.94
          index: "test-axoflow-index"
          tls:
            CAFile: "/path/to/CAFile.pem"
            CADir: "/path/to/CADir/"
            Cert: "/path/to/Cert.pem"
            Key: "/path/to/Key.pem"
            peerVerify: true
            template: "$(format-json .*)"

syslogNgOtlp destination

Send logs over to another AxoSyslog node using the syslog-ng-otlp() destination driver.

Parameter Description Default
collector.config.destinations.syslogNgOtlp.enabled Enables the destination. false
collector.config.destinations.syslogNgOtlp.url The IP address and port of the destination host. "192.168.77.133:4317"
collector.config.destinations.syslogNgOtlp.extraOptionsRaw Other options of the syslog-ng-otlp() destinations. “time-reopen(1) batch-timeout(1000) batch-lines(1000)”

Other collector parameters

Parameter Description Default
collector.affinity Pod affinity {}
collector.annotations Additional annotations to apply to the DaemonSet {}
collector.extraVolumes Additional volumes to mount []
collector.hostAliases Add host aliases []
collector.hostNetworking Whether to enable host networking false
collector.labels Additional labels to apply to the DaemonSet {}
collector.maxUnavailable The maximum number of unavailable pods during a rolling update 1
collector.nodeSelector Node labels for pod assignment {}
collector.resources Resource requests and limits {}
collector.tolerations Tolerations for pod assignment []
collector.secretMounts Mount additional secrets as volumes []
collector.securityContext Security context for the pod {}

Syslog server parameters

When you deploy AxoSyslog as a server (which is a StatefulSet), it receives incoming data from the network and routes it to a local or remote destination. collects and forwards local logs to a destination. You can use the following parameters to configure the syslog server. The parameters for specific destinations are shown in subsequent sections.

Parameter Description Default
syslog.enabled Deploy AxoSyslog as a collector to collect and forward local logs true
syslog.bufferStorage.enabled Configures a storage using PersistentVolumes to use as disk-buffer. false
syslog.bufferStorage.storageClass The class of the storage to use, for example, standard. standard
syslog.bufferStorage.size The maximum size of the storage to use as disk-buffer, for example, 10Gi. 10Gi
syslog.logFileStorage.enabled Configures a storage using PersistentVolumes to store the log files. false
syslog.logFileStorage.storageClass The class of the storage to use, for example, standard. standard
syslog.logFileStorage.size The maximum size of the storage to use as for log storage, for example, 10Gi. 500Gi
syslog.config.raw A complete syslog-ng configuration. If this parameter is set, all other parameters in the syslog.config section are ignored. You can use this to set parameters that are not available as chart values. For details on how to create a configuration for syslog-ng, see the AxoSyslog Core documentation. ""
syslog.config.stats.level Specifies the detail of statistics AxoSyslog collects about the processed messages. For details, see level(). 2
syslog.config.rewrites.set A list of name-value pairs to set for the collected log messages. Uses the set rewrite rule. {}
syslog.config.sources The configurations of the sources that can be configured using chart values: syslog and syslogNgOtlp. syslog and syslogNgOtlp are enabled by default. See the individual sources for details. For sources not available as chart values, you can use the collector.config.raw option.
syslog.config.destinations The configurations of destinations that can be configured using chart values: file, syslog, opensearch, and syslogNgOtlp. The file, syslog, opensearch destinations are enabled by default. For destinations not available as chart values, you can use the collector.config.raw option.

Syslog source

You can use the syslog source to receive RFC3164 or RFC5424 formatted syslog messages on the following ports:

  • 1514: RFC3164-formatted traffic over TCP and UDP (NodePort 30514)
  • 1601: RFC5424-formatted traffic over TCP (NodePort 30601)
  • 6514: RFC5424-formatted traffic over TLS (NodePort 30614)

If needed, you can open additional ports using the service.extraPorts option.

Parameter Description Default
syslog.config.sources.syslog.enabled Enable receiving syslog messages. true
syslog.config.sources.syslog.max-connections Maximum number of parallel connections. 1000
syslog.config.sources.syslog.log-iw-size The initial window size used for flow-control. 100000
syslog.config.sources.syslog.tls.peerVerify Set to yes to request a certificate from the peers. In this case, you must also set the CA directory or the CA file. no
syslog.config.sources.syslog.tls.CAFile A file containing trusted CA certificates. For details, see TLS options. ""
syslog.config.sources.syslog.tls.CADir The directory for the trusted CA files. For details, see TLS options. ""
syslog.config.sources.syslog.tls.Cert The certificate file to show to the peer. For details, see TLS options. ""
syslog.config.sources.syslog.tls.Key The private key file for the certificate. For details, see TLS options. ""

syslogNgOtlp source

Initializes a syslog-ng-otlp() to receive messages from another AxoSyslog node that sends telemetry data using the syslog-ng-otlp() destination driver.

Parameter Description Default
syslog.config.sources.syslogNgOtlp.enabled Enable receiving syslog-ng-otlp() messages. true
syslog.config.sources.syslogNgOtlp.port The port where messages are received. 4317

File destination

To write the collected logs into files, configure the syslog.logFileStorage and the syslog.config.destinations.file options.

Parameter Description Default
syslog.config.destinations.file.enabled Enables the file destination. true
syslog.config.destinations.file.path The path and filename of the log files. Can include macros. For examples, see file: Store messages in plain-text files. "/var/log/syslog"
syslog.config.destinations.file.template The template used to format the log messages. Can include macros. ""
syslog.config.destinations.file.extraOptionsRaw Other options of the file() destination. If the directories used in syslog.destinations.file.path do not exist, set extraOptionsRaw: "create-dirs(yes)" "create-dirs(yes)"

For example:

syslog:
  enabled: true
  logFileStorage:
    enabled: true
    storageClass: standard
    size: 500Gi
  bufferStorage:
    enabled: false
    storageClass: standard
    size: 10Gi
  config:
    sources:
      syslog:
        enabled: true
    destinations:
      file:
        enabled: true
        path: "/var/log/$HOST/syslog"
        extraOptionsRaw: "create-dirs(yes)"

OpenSearch destination

Send logs to OpenSearch over HTTP or HTTPS.

Parameter Description Default
syslog.config.destinations.opensearch.enabled Enables the destination. true
syslog.config.destinations.opensearch.url The URL of the OpenSearch server. http://my-release-opensearch.default.svc.cluster.local:9200
syslog.config.destinations.opensearch.extraOptionsRaw Other options of the opensearch() destination. "time-reopen(10)"
syslog.config.destinations.opensearch.index Name of the OpenSearch index that stores the messages. "test-axoflow-index"
syslog.config.destinations.opensearch.user The username to use for authentication on the OpenSearch server, if not authenticating with a certificate. "admin"
syslog.config.destinations.opensearch.password The password to use for authentication on the OpenSearch server. "admin"
syslog.config.destinations.opensearch.template A template to format the messages. "$(format-json --scope rfc5424 --exclude DATE --key ISODATE @timestamp=${ISODATE})"
syslog.config.destinations.opensearch.tls.CAFile The CA certificate in PEM format to use when verifying the certificate of the server. ""
syslog.config.destinations.opensearch.tls.CADir A directory containing a set of trusted CA certificates in PEM format. The name of the files must be the 32-bit hash of the subject’s name. AxoSyslog verifies the certificate of the server using these CA certificates. ""
syslog.config.destinations.opensearch.tls.Cert Name of a file containing an X.509 certificate or a certificate chain in PEM format. AxoSyslog authenticates with this certificate on the server, with the private key set in the syslog.config.destinations.opensearch.tls.Key field. If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order. ""
syslog.config.destinations.opensearch.tls.Key Name of a file containing an unencrypted private key in PEM format. AxoSyslog authenticates with this key and the certificate set in the syslog.config.destinations.opensearch.tls.Cert field. ""
syslog.config.destinations.opensearch.tls.peerVerify If true, AxoSyslog verifies the certificate of the server with the CA certificates set in syslog.config.destinations.opensearch.tls.CAFile and syslog.config.destinations.opensearch.tls.CADir. ""

For example:

syslog:
  enabled: true
  bufferStorage:
    enabled: true
    storageClass: standard
    size: 10Gi
  config:
    sources:
      syslog:
        enabled: true
    destinations:
      opensearch:
        enabled: true
        url: http://my-release-opensearch.default.svc.cluster.local:9200
        index: "test-axoflow-index"
        user: "admin"
        password: "admin"
        #tls:
        #  CAFile: "/path/to/CAFile.pem"
        #  CADir: "/path/to/CADir/"
        #  Cert: "/path/to/Cert.pem"
        #  Key: "/path/to/Key.pem"
        #  peerVerify: false
        extraOptionsRaw: "time-reopen(10)"

Syslog destination

Send logs over the network, conforming to RFC3164 using the network() destination driver.

Parameter Description Default
syslog.config.destinations.syslog.enabled Enables the destination. true
syslog.config.destinations.syslog.address The IP address of the destination host. ""
syslog.config.destinations.syslog.extraOptionsRaw Other options of the network() destination. "time-reopen(10)"
syslog.config.destinations.syslog.port The port number to send the messages to. 12345
syslog.config.destinations.syslog.template A template to format the messages. ""
syslog.config.destinations.syslog.transport The transport protocol to use. Possible values: tcp, udp tcp

For example:

syslog:
  enabled: true
  bufferStorage:
    enabled: true
    storageClass: standard
    size: 10Gi
  config:
    sources:
      syslog:
        enabled: true
    destinations:
      syslog:
        enabled: true
        transport: tcp
        address: 192.168.77.133
        port: 12345
        # convert incoming data to JSON
        #template: "$(format-json .*)\n"
        # use standard syslog logfile
        #template: "$ISODATE $HOST $MSGHDR$MSG\n"
        extraOptionsRaw: "time-reopen(10)"

syslogNgOtlp destination

Send data using the syslog-ng-otlp() destination driver to another AxoSyslog node.

Parameter Description Default
syslog.config.destinations.syslogNgOtlp.enabled Enables the destination. no
syslog.config.destinations.syslogNgOtlp.url The IP address of the destination host. ""
syslog.config.destinations.syslogNgOtlp.extraOptionsRaw Other options of the syslog-ng-otlp() destination. "time-reopen(1) batch-timeout(1000) batch-lines(1000)"

For example:

syslog:
  enabled: true
  bufferStorage:
    enabled: true
    storageClass: standard
    size: 10Gi
  config:
    sources:
      syslog:
        enabled: true
    destinations:
      syslogNgOtlp:
        enabled: true
        url: "192.168.77.133:4317"
        extraOptionsRaw: "time-reopen(1) batch-timeout(1000) batch-lines(1000)"

Generic chart parameters

Parameter Description Default
image.repository The container image repository ghcr.io/axoflow/axosyslog
image.pullPolicy The container image pull policy IfNotPresent
image.tag The container image tag 4.9.0
image.extraArgs Custom arguments applied as the value of spec.container.args []
imagePullSecrets The names of secrets containing private registry credentials []
nameOverride Override the chart name ""
fullnameOverride Override the full chart name ""
rbac.create Create RBAC resources true
rbac.extraRules Additional RBAC rules []
openShift.enabled Set to true when deploying on OpenShift false
openShift.securityContextConstraints.create Create SecurityContextConstraints on OpenShift true
openShift.securityContextConstraints.annotations Annotations to apply to SecurityContextConstraints {}
service.create Create a service so the syslog server can receive incoming connections. true
service.extraports Open additional ports for the syslog server []
serviceAccount.create Whether to create a service account true
serviceAccount.annotations Annotations to apply to the service account {}
namespace The Kubernetes namespace to deploy to ""
podAnnotations Additional annotations to apply to the pod {}
podSecurityContext Security context for the pod {}
securityContext Security context for the container {}
resources Resource requests and limits for the collector container. If not set, the values of collector.resources are used. {}
nodeSelector Node labels for pod assignment {}
tolerations Tolerations for pod assignment []
affinity Pod affinity {}
updateStrategy Update strategy for the Collector DaemonSet RollingUpdate
priorityClassName The name of the PriorityClass the pod belongs to ""
dnsConfig The DNS configuration of the pod {}
hostAliases Additional entries to the pod’s hosts file []
secretMounts Additional secrets to mount for the pod. If not set, the values of collector.secretMounts are used. []
extraVolumes Additional volumes to mount for the pod. If not set, the values of collector.extraVolumes are used. []
terminationGracePeriodSeconds How many seconds a pod with a failing probe has before shut down 30