So I’ve got an Ubuntu 20.04 LTS server setup with Haproxy and I’m trying to fwd log info to Splunk Cloud.
I have the Haproxy.cfg with a Global entry:
log 127.0.0.1. local4
And I’ve got an entry in /etc/rsyslog.conf for the remote server:
*.* @@10.1.1.1:1603
(The @@ is for TCP and yeah I’m using a non-standard port that was assigned to me for this by InfoSec)
The latest versions of Haproxy create its own rsyslog config file /etc/rsyslog.d/haproxy.log with:
# Create an additional socket in haproxy's chroot in order to allow logging via
# /dev/log to chroot'ed HAProxy processes
$AddUnixListenSocket /var/lib/haproxy/dev/log

# Send HAProxy messages to a dedicated logfile
:programname, startswith, "haproxy" {
  /var/log/haproxy.log
  stop
}
And finally I’ve added a line to /etc/rsyslog.d/50-default.conf:
local4.* /var/log/haproxy.log
So I believe I’ve got it all set up how it should be, so I run logger "please work" and I can see that line when I: tail /var/log/haproxy.log and tail /var/log/syslog but nothing on the remote end. So then I try: logger -n 10.1.1.1 -P 1603 -T "please really work" and I finally see events in Splunk.
I then made a few LDAPS requests to this specific HAP server but there’s nothing in /var/log/syslog or /var/log/haproxy.log.