Hotdog is a syslog-to-Kafka forwarder which aims to get log entries into Apache Kafka as quickly as possible.
It listens for syslog messages over plaintext or TLS-encrypted TCP connection and depending on the defined Rules it will route and even modify messages on their way into a configured Kafka broker.
-
syslog over plaintext or TLS-encrypted TCP connections.
-
Rules and Actions for matching, modifying, and routing syslog messages based on the message content.
-
Rich integration with Kafka with full configuration passthrough for librdkafka
-
Built-in metrics integration for daemon health reporting.
Hotdog 0.1.0
R Tyler Croy <[email protected]
Forward syslog over to Kafka with ease
USAGE:
hotdog [OPTIONS]
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-c, --config <FILE> Sets a custom config file [default: hotdog.yml]
-t, --test <TEST_FILE> Test a log file against the configured rulesHotdog can be installed by grabbing a
released binary.
The system which will run hotdog must have libsasl2 installed, e.g.:
sudo apt-get install libsasl2-2sudo zypper install libsasl2-3Hotdog is configured by the hotdog.yml file, which has a very fluid syntax at
the moment. The two main sections are the global and rules blocks.
Rules defined in the configuration can be tested against an example log file in order to verify that the right rules are matching the expected log inputs, for example:
❯ RUST_LOG=info ./target/debug/hotdog -t example.log
Line 1 matches on:
- Regex: ^hello\s+(?P<name>\w+)?
- Regex: .*
Line 2 matches on:
- Regex: .*
Line 3 matches on:
- Regex: .*
Line 4 matches on:
- JMESPath: meta.topic
- Regex: .*The global configuration configures hotdog itself. The listen, kafka, and metrics keys are all
required by default in order for hotdog to start properly.
The global.listen configuration is required and will determine on which
address and port hotdog will listen. The tls
configuration key is required to function as well. When tls is left blank,
hotdog will listen for syslog messages in plaintext on the specified port.
global:
listen:
address: '127.0.0.1'
port: 1514
tls:The global.listen.tls configuration section can be used to enable
syslog-over-TLS support from hotdog. Currently the only two valid keys for
this section are cert and key, both of which should be absolute or relative
paths to PEM-encoded files on disk.
Certificate and Key files can be created with certtool --generate-privkey
--outfile ca-key.pem
global:
listen:
tls:
cert: './a/path.crt'
key: './a/path.key'
# ca is optional and when provided will ensure certificate validation
# happens
ca: './a/ca.crt'The global.status is an optional configuration entry which will enable the
launching of an HTTP status server on the specified addresss and port.
JSON formatted statistics can be retrieved on /stats.
global:
status:
address: '127.0.0.1'
port: 8585A global.kafka configuration is required in order for hotdog to function
properly. The two main configuration values are conf and topic.
global:
kafka:
conf:
bootstrap.servers: 'localhost:9092'
client.id: 'hotdog'
topic: 'logs'Default: 1024
global.kafka.buffer may contain a number indicating the size of the internal
queue for sending messages to Kafka. This queue represents the number of
internal messages hotdog will buffer during Kafka availability issues.
This value is not the same as the librdkafka queue.buffering.max.messages
configuration, which governs the number of in-flight messages which can be sent
at any given time to the Kafka broker(s). To set that variable, include it in
the Conf section documented below.
|
🔥
|
If the internal Kafka queue has been filled up, new log lines received by
|
global.kafka.conf should contain a map of
librdkafka configuration values.
hotdog will expect every key and value to be a String. These configuration
values are passed right on to the underlying librdkafka client connection, so
whatever librdkafka supports, hotdog supports!
Default: 30_000
global.kafka.timeout_ms is an optional configuration which defines the
timeout in milliseconds for hotdog to make an initial connection to the
configured Kafka brokers.
global.kafka.topic may contain a string value which is to be considered the
"default topic" for the Forward action.
The global.metrics configuration tells hotdog where to send its own
internal metrics The only currently supported metrics format is
statsd.
If your environment doesn’t use statsd or you do not wish to report metrics,
set the statsd value to an invalid host and port.
global:
metrics:
statsd: 'localhost:8125'The global.status configuration is fully optional but when it is enabled hotdog
will spin up an HTTP server on the configured address and port in order to provide
real-time status information about the daemon’s runtime to HTTP clients.
global:
status:
address: 'localhost'
port: 8585Hotdog’s rules define how it should handle and route the syslog messages it
receives. In the hotdog.yml, the rules must be defined as an array of maps.
Each rule is expected to a "matcher" (either regex or
jmespath), the field upon which the matcher should
apply, and the actions defining how the message should be
handled.
rules:
- jmespath: 'meta.topic'
field: msg
actions:
- type: forward
topic: '{{value}}'
# Catch-all, send everything else to a "logs-unknown" topic
- regex: '.*'
field: msg
actions:
- type: forward
topic: 'logs-unknown'| Name | Notes |
|---|---|
|
The actual message sent along from the syslog server |
|
The sender’s hostname, if available. |
|
The logging application, if available, which created the syslog entry |
|
The syslog logging facility, if available, which was used to create the syslog message. For example |
|
The severity of the syslog message, if available. For example: |
The regex matcher instructs hotdog to match the field against the defined
regular expression, which must follow the syntax of the
regex crate.
The matcher supports named groups in the regular expression, which are then exposed to actions such as merge and replace.
|
🔥
|
Named groups will override any built-in variables at the time of substitution, so be careful you are not naming your groups anything which might overlap with the built-in variable names |
Some actions, such as Replace, can perform variable substitutions on
log line. The variables available are a combination of the built-in variables
listed below, and whatever named groups exist in the regex field of the
Rules.
| Name | Description |
|---|---|
|
The original log line message sent along from the syslog sender. |
|
The version of |
|
The ISO-8601 timestamp of when the message was processed. |
Actions determine what hotdog should do with the given log line when it
receives it.
The forward action implies the Stop action when used, since
the internally tracked output buffer is flushed when it is sent to Kafka.
The merge action will only work when the log line is a JSON object. JSON
arrays, or other arbitrary strings will not merge properly, and cause all
subsequent actions for the given rule to be aborted.
| Key | Value |
|---|---|
|
A YAML map which will be merged with the JSON object deserialized from the matched log line. |
actions:
- type: merge
json:
meta:
hotdog:
version: '{{version}}'
timestamp: '{{iso8601}}'The template may utilize the matched and built-in variables in
order to generate a modified message. The output is only available to
subsequent actions defined after the replace action. Subsequent rules in
the chain will not utilize this generated message.
| Key | Value |
|---|---|
|
A Handlebars-style template which can be used to output a modified message. |
- regex: '^hello\s+(?P<name>\w+)?'
actions:
- type: replace
template: |
Why hello there {{name}}!hotdog is designed to emit Statsd metrics to the statsd endpoint configured
in the Metrics section. Each metric will be prefixed under hotdog.*.
| Key | Description |
|---|---|
|
Gauge tracking the number of connections |
|
Counter tracking the number of lines received by |
|
Counter tracking the number of messages submitted to Kafka |
|
Counter tracking the number of messages submitted to each Kafka topic |
|
Timer which tracks the amount of time it takes to actually write messages to Kafka |
|
Counters which count the number of different errors encountered while sending messages to Kafka. The types of possible metric names depends on the RDKafkaError enumeration from the underlying library. |
|
Number of the log lines received which could not be parsed as RFCC 5424 syslog lines. |
|
Count tracking the number of log lines which were dropped due to a full internal queue, Typically indicates an issue between |
|
Number of lines dropped because the could not be sent into the internal queue. |
|
Number of lines dropped because the configured dynamic topic could not be parsed properly (typically indicates a configuration error). |
|
Count of lines which could not have a merge action applied as configured due to a configuration error |
|
Count of lines received for a merge action which were not JSON, and therefore could not be merged. |
Hotdog is tested against the latest Rust stable. A simple cargo build should
compile a working hotdog binary for your platform.
On Linux systems it is easy to test with:
logger --server 127.0.0.1 -T -P 1514 "hello world"
logger --server 127.0.0.1 -T -P 1514 -f example.logFor TLS connections, you can use the openssl s_client command:
echo '<13>1 2020-04-18T15:16:09.956153-07:00 coconut tyler - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="505061"] hello world' | openssl s_client -connect localhost:6514hotdog was originally motivated by challenges with
rsyslog, a desire for a simple
configuration, and the need for built-in metrics.
Some other similar projects which can be used to get logs into Kafka: