Sumo Logic with Logging operator and syslog-ng

This guide helps you install and configure the Logging operator and syslog-ng to forward logs to your Sumo Logic account.

Prerequisites

We assume that you already have:

  • A Sumo Logic account.

  • A HTTP Hosted Collector configured in the Sumo Logic service.

    To configure a Hosted Collector, complete the steps in the Configure a Hosted Collector section on the official Sumo Logic website.

  • The unique HTTP collector code you receive while configuring your Host Collector for HTTP requests.

Deploy the Logging operator and a demo Application

Install the Logging operator and a demo application to provide sample log messages.

Deploy the Logging operator with Helm

To install the Logging operator using Helm, complete these steps.

Note: For the Helm-based installation you need Helm v3.2.1 or later.

  1. Add the chart repository of the Logging operator using the following commands:

    helm repo add kube-logging https://kube-logging.dev/helm-charts
helm repo update

  2. Install the logging-operator

    helm upgrade --install --wait --create-namespace --namespace logging logging-operator kube-logging/logging-operator

Configure the Logging operator

  1. Create the logging resource with a persistent syslog-ng installation.

    kubectl apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: Logging
metadata:
  name: demo
spec:
  controlNamespace: logging
  fluentbit: {}
  syslogNG:
    statefulSet:
      spec:
        template:
          spec:
            containers:
            - name: syslog-ng
              volumeMounts:
              - mountPath: /buffers
                name: buffer
        volumeClaimTemplates:
        - metadata:
            name: buffer
          spec:
            accessModes:
            - ReadWriteOnce
            resources:
              requests:
                storage: 10Gi
EOF

    Note: You can use the ClusterOutput and ClusterFlow resources only in the controlNamespace.

  2. Create a Sumo Logic output secret from the URL of your Sumo Logic collection.

    kubectl create secret generic sumo-collector -n logging --from-literal "token=XYZ"

  3. Create a SyslogNGOutput resource.

    kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: SyslogNGOutput
metadata:
  name: sumologic-syslog-ng-output
spec:
  sumologic-http: 
    collector:
      valueFrom:
        secretKeyRef:
          key: token
          name: sumo-collector
    deployment: us2
    batch-lines: 1000
    disk_buffer:
      disk_buf_size: 512000000
      dir: /buffers
      reliable: true
    body: "$(format-json --subkeys json. --exclude json.kubernetes.annotations.* json.kubernetes.annotations=literal($(format-flat-json --subkeys json.kubernetes.annotations.)) --exclude json.kubernetes.labels.* json.kubernetes.labels=literal($(format-flat-json --subkeys json.kubernetes.labels.)))"
    headers:
      - 'X-Sumo-Name: source-name'
      - 'X-Sumo-Category: source-category'
    tls:
      use-system-cert-store: true
EOF

  4. Create a SyslogNGFlow resource.

    kubectl -n logging apply -f - <<"EOF"
apiVersion: logging.banzaicloud.io/v1beta1
kind: SyslogNGFlow
metadata:
  name: log-generator
spec:
  match:
    and:
    - regexp:
        value: json.kubernetes.labels.app.kubernetes.io/instance
        pattern: log-generator
        type: string
    - regexp:
        value:  json.kubernetes.labels.app.kubernetes.io/name
        pattern: log-generator
        type: string
  filters:
  -  parser:
      regexp: 
        patterns:
        - '^(?<remote>[^ ]*) (?<host>[^ ]*) (?<user>[^ ]*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>[^\"]*?)(?: +\S*)?)?" (?<code>[^ ]*) (?<size>[^ ]*)(?: "(?<referer>[^\"]*)" "(?<agent>[^\"]*)"(?:\s+(?<http_x_forwarded_for>[^ ]+))?)?$'
        template: ${json.message}
        prefix: json.
  - rewrite:
    -  set:
        field: json.cluster
        value: xxxxx
    -  unset:
        field: json.message
    -  set:
        field: json.source
        value: /var/log/log-generator
        condition:
          regexp:
            value:  json.kubernetes.container_name
            pattern: log-generator
            type: string
  localOutputRefs:
    - sumologic-syslog-ng-output
EOF

  5. Install log-generator to produce logs with the label app.kubernetes.io/name: log-generator

    helm upgrade --install --wait --create-namespace --namespace logging log-generator kube-logging/log-generator

If you don’t get the expected result you can find help in the troubleshooting section.

Last modified July 24, 2023: Merge pull request #167 from kube-logging/link-fixes-230714 (1dda279)