
Feature Request: Plugin for Google Cloud VMware Engine Syslog Collection #242

Open
KonradSchieban opened this issue Apr 2, 2021 · 9 comments
Assignees
Labels
enhancement New feature or request

Comments

@KonradSchieban
Contributor

Google Cloud VMware Engine (GCVE) provides an interface to configure vCenter Syslog forwarding. GCVE adds additional metadata to the log entries of the following format:

{"record":"{"@timestamp":"2021-04-02T17:10:25.335748+00:00","@Version":"1","message":" Event [3873031] [1-1] [2021-04-02T17:10:10.873482Z] [vim.event.UserLogoutSessionEvent] [info] [root] [Datacenter] [3873031] [User [email protected] logged out (login time: Friday, 02 April, 2021 05:10:08 PM, number of API invocations: 5, user agent: pyvmomi Python/3.6.9 (Linux; 4.19.150+; x86_64))]","@fields.host":"xxxxxx","@fields.severity":"info","@fields.facility":"user","@fields.procid":"26060","@fields.privatecloud_id":"xxxxxxxxxxxx","@fields.privatecloud_name":"xxxxxxx","@fields.alias":"xxxxxxxxxxx","@fields.company_name":"xxxxxxxxx","@fields.region_id":"us-east4"}"}}

Looking for a plugin to format logs from received messages so they can be parsed and forwarded in JSON format to Cloud Logging (similar to the vmware_vcenter plugin, just specific to the GCVE syslog format).

@jsirianni jsirianni self-assigned this Apr 2, 2021
@jsirianni jsirianni added the enhancement New feature or request label Apr 2, 2021
@jsirianni
Member

Hi @KonradSchieban, I started working on this today. Unfortunately, I had trouble configuring the GCVE environment that I have access to (failed to configure VPC peering to my project). I will try to get this resolved soon, however, if you can provide me with additional logs, I can start working on the plugin right away. Access to GCVE might delay development.

@jsirianni
Member

The initial plugin can be found in branch gcve, https://github.com/observIQ/stanza-plugins/blob/gcve/plugins/gcve.yaml

Simply copy the plugin to your plugins directory and use this config:

    pipeline:
    - type: gcve
      enable_tls: false
      certificate_file: ""
      private_key_file: ""
    - type: file_output
      path: /tmp/out

You can replace file_output with your Google Cloud output configuration. GCVE takes the same TLS parameters as vcenter, so feel free to enable those if needed.

    echo '{"@timestamp": "2021-04-02T17:10:25.335748+00:00","@version": "1","message": " Event [3873031] [1-1] [2021-04-02T17:10:10.873482Z] [vim.event.UserLogoutSessionEvent] [info] [root] [Datacenter] [3873031] [User [email protected] logged out (login time: Friday, 02 April, 2021 05:10:08 PM, number of API invocations: 5, user agent: pyvmomi Python/3.6.9 (Linux; 4.19.150+; x86_64))]","@fields.host": "vcsa-2946","@fields.severity": "info","@fields.facility": "user","@fields.procid": "26060","@fields.privatecloud_id": "xxxxxxxxxxxx","@fields.privatecloud_name": "xxxxxxx","@fields.alias": "xxxxxxxxxxx","@fields.company_name": "xxxxxxxxx","@fields.region_id": "us-east4"}' | nc localhost 5140

Once I have full access to GCVE, I will perform my own testing.

@KonradSchieban
Contributor Author

Thanks, I will test it and get back to you on it today.

@KonradSchieban
Contributor Author

Looks pretty good. This is how it shows up right now in Cloud Logging:
[image]

@jsirianni
Member

@KonradSchieban thanks for reporting back so quickly.

Some thoughts come to mind:

  1. should we "rename" the @fields.<key names> ?
  2. any future json values will be included by default, which is the best part about the json_parser

My thoughts on 1, we could do something like:

  • @fields.company_name --> company_name
  • @fields.privatecloud_id --> privatecloud_id
  • and so on

Let me know what you think. We can certainly leave them as is, but I think the @fields prefix can make it hard to reason about.

@KonradSchieban
Contributor Author

I think your suggestion makes sense. If we can strip the @fields substring that'll make it easier to parse and search for. And if additional fields will be supported automatically as they are added that would be best.

@KonradSchieban
Contributor Author

@jsirianni a suggestion: can we make the label log_type "Syslog", since the label plugin_id is already "gcve"? Like that it's easier to see in the labels that it's Syslog coming from GCVE.

@jsirianni
Member

@KonradSchieban I updated it to gcve.syslog; I think this fits the pattern that we have been using.

For example, Cassandra:

    labels:
      log_type: 'cassandra.system'
      plugin_id: {{ .id }}

    labels:
      log_type: 'cassandra.gc'
      plugin_id: {{ .id }}


I also updated the plugin to handle "flattening" the json payload, it should look like this now:

    {
      "timestamp": "2021-04-02T17:10:25.335748Z",
      "severity": 30,
      "severity_text": "info",
      "labels": {
        "log_type": "gcve.syslog",
        "plugin_id": "gcve"
      },
      "record": {
        "alias": "xxxxxxxxxxx",
        "company_name": "xxxxxxxxx",
        "facility": "user",
        "host": "vcsa-2946",
        "message": " Event [3873031] [1-1] [2021-04-02T17:10:10.873482Z] [vim.event.UserLogoutSessionEvent] [info] [root] [Datacenter] [3873031] [User [email protected] logged out (login time: Friday, 02 April, 2021 05:10:08 PM, number of API invocations: 5, user agent: pyvmomi Python/3.6.9 (Linux; 4.19.150+; x86_64))]",
        "privatecloud_id": "xxxxxxxxxxxx",
        "privatecloud_name": "xxxxxxx",
        "procid": "26060",
        "region_id": "us-east4",
        "version": "1"
      }
    }

Please note that these field names are not 100% final, I still need to run them past our QA / Product team to ensure we do not have any conflicts with other plugins.
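The transformation this thread converges on (parse the GCVE JSON envelope, strip the `@fields.` prefix, lift timestamp and severity to the top level, attach the `gcve.syslog` / `gcve` labels, and carry any new `@fields.*` key through automatically) as an added stand-alone Python example. This is not the stanza `gcve` plugin from the `gcve` branch and does not use stanza's API; `unwrap`, `flatten` and `parse_line` are names chosen here. Assumptions: the first sample in the thread shows the entry double-encoded as `{"record": "<json string>"}`, so that wrapping is accepted alongside a bare object; `info = 30` matches the output above, while the other numeric severities follow stanza's severity scale as I understand it; all sample values are constructed placeholders. Malformed lines return `None` rather than raising, so one bad message arriving on the listener cannot take the pipeline down.

```python
import json
from datetime import datetime, timezone

# Added example for this thread, not the stanza gcve plugin itself. It re-creates
# in plain Python the shape the thread converges on: strip "@fields.", lift
# timestamp and severity to the top level, attach the gcve.syslog / gcve labels.

FIELD_PREFIX = "@fields."
PLUGIN_ID = "gcve"
LOG_TYPE = "gcve.syslog"

# Syslog severity keyword -> numeric level. info=30 is confirmed by the output
# shown in the thread; the other values follow stanza's severity scale (assumption).
SEVERITY = {
    "trace": 10, "debug": 20, "info": 30, "notice": 40,
    "warning": 50, "warn": 50, "error": 60, "err": 60,
    "critical": 70, "crit": 70, "alert": 80, "emergency": 90, "emerg": 90,
}


def unwrap(obj):
    """Return the inner entry. The first sample in the thread shows the entry
    wrapped as {"record": "<json string>"} (assumption: GCVE double-encodes it);
    accept that, an object-valued "record", or a bare entry object."""
    entry = obj.get("record", obj) if isinstance(obj, dict) else obj
    if isinstance(entry, str):
        entry = json.loads(entry)
    if not isinstance(entry, dict):
        raise ValueError("entry is not a JSON object")
    return entry


def normalize_timestamp(ts):
    """'2021-04-02T17:10:25.335748+00:00' -> '2021-04-02T17:10:25.335748Z'."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:  # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def flatten(entry):
    """Build the flattened entry shown in the thread from a GCVE syslog JSON object."""
    record = {}
    timestamp = None
    for key, value in entry.items():
        if key.startswith(FIELD_PREFIX):
            record[key[len(FIELD_PREFIX):]] = value  # @fields.host -> host
        elif key.lower() == "@timestamp":
            timestamp = value
        elif key.startswith("@"):
            record[key[1:].lower()] = value  # @Version / @version -> version
        else:
            record[key] = value  # message, and any key GCVE adds later
    severity_text = str(record.pop("severity", "")).lower()
    return {
        "timestamp": normalize_timestamp(timestamp) if timestamp else None,
        "severity": SEVERITY.get(severity_text, 0),  # 0 = default / unknown keyword
        "severity_text": severity_text,
        "labels": {"log_type": LOG_TYPE, "plugin_id": PLUGIN_ID},
        "record": record,
    }


def parse_line(line):
    """Parse one received line. Returns None instead of raising on malformed
    input, so a single bad message from the network cannot stop the pipeline."""
    try:
        return flatten(unwrap(json.loads(line)))
    except (ValueError, TypeError):
        return None


# Constructed sample in the shape of the thread's test message (placeholder values).
SAMPLE_LINE = json.dumps({
    "@timestamp": "2021-04-02T17:10:25.335748+00:00",
    "@version": "1",
    "message": " Event [3873031] [1-1] [2021-04-02T17:10:10.873482Z] "
               "[vim.event.UserLogoutSessionEvent] [info] [root] [Datacenter] "
               "[3873031] [User admin@example.invalid logged out]",
    "@fields.host": "vcsa-2946",
    "@fields.severity": "info",
    "@fields.facility": "user",
    "@fields.procid": "26060",
    "@fields.privatecloud_id": "xxxxxxxxxxxx",
    "@fields.privatecloud_name": "xxxxxxx",
    "@fields.alias": "xxxxxxxxxxx",
    "@fields.company_name": "xxxxxxxxx",
    "@fields.region_id": "us-east4",
})
# The same entry wrapped the way the first sample in the thread shows it.
WRAPPED_LINE = json.dumps({"record": SAMPLE_LINE})

if __name__ == "__main__":
    print(json.dumps(parse_line(SAMPLE_LINE), indent=2, sort_keys=True))
```

Running the module prints the flattened entry with the same keys as the output above. Because unknown keys are passed through untouched, a new `@fields.*` attribute appears in `record` without a code change, which is the behaviour point 2 in the earlier comment wanted to preserve.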

@KonradSchieban
Contributor Author

Looks pretty good! Thanks for the work!

2 participants