I have installed the haproxy Addon on my Splunk Enterprise 6.6.
After reading the documentation I understand that there are 3 sourcetypes:
HAProxy logs, HTTP format
HAProxy logs, TCP format
HAProxy logs, default format
So far I created the input on port UDP:514 and set the sourcetype to HTTP format.
But in my Haproxy I also have TCP load balancing.
So is there a way to configure two different sourcetypes for only one device?
Regards
Try to create a new listener for the TCP format to the same device; this way you could have two different source types for the same device.
Since the listeners are independent that should work.
Here is an example for using two listeners for the same servers (in this case both use mode tcp, but you can alter one of them to mode http):
listen haproxy_192.168.55.110_3307_multi
    bind *:3307
    mode tcp
    timeout client 10800s
    timeout server 10800s
    balance leastconn
    option httpchk
    option allbackups
    default-server port 9200 inter 2s downinter 5s rise 3 fall 2 slowstart 60s maxconn 64 maxqueue 128 weight 100
    server galera1 192.168.55.111:3306 check
    server galera2 192.168.55.112:3306 check
    server galera3 192.168.55.113:3306 check

listen haproxy_192.168.55.110_3308_single
    bind *:3308
    mode tcp
    timeout client 10800s
    timeout server 10800s
    balance leastconn
    option httpchk
    option allbackups
    default-server port 9200 inter 2s downinter 5s rise 3 fall 2 slowstart 60s maxconn 64 maxqueue 128 weight 100
    server galera1 192.168.55.111:3306 check
    server galera2 192.168.55.112:3306 check backup
    server galera3 192.168.55.113:3306 check backup

Taken from https://severalnines.com/resources/tutorials/mysql-load-balancing-haproxy-tutorial
Test that and see if it can solve this problem.
Thank you, I tried to add a new input, so now my inputs.conf looks like:

[udp://192.168.1.1:514]
connection_host = ip
sourcetype = haproxy:http

[udp://192.168.1.1:514]
connection_host = ip
sourcetype = haproxy:tcp

But I only get sourcetype haproxy:http; the TCP logs don't match the tcp sourcetype.
Any idea?
You can't use the same header twice in inputs.conf, therefore the TCP logs don't match the TCP sourcetype. You need to define two listeners in haproxy.cfg and only use one sourcetype per header in inputs.conf. Duplication of a header (in your case [udp://192.168.1.1:514]) is a syntax error and the parser disregards the second.
I do have more than two listeners in haproxy.cfg, but this doesn't make haproxy send logs from another IP source. Are you saying that for my tcp log the only solution is to use another IP source in order to apply sourcetype haproxy:tcp?
Unfortunately you'd have to use another IP source in order to apply haproxy:tcp due to the fact it is impossible to define two different source types under the same IP source. If you can somehow transfer your tcp logs to a different port (for example 8514 instead of 514) that would do; then you could use:

[udp://192.168.1.1:514]
connection_host = ip
sourcetype = haproxy:http

[udp://192.168.1.1:8514]
connection_host = ip
sourcetype = haproxy:tcp

and there wouldn't be an error. This is a workaround though, maybe someone else could find an easier solution.
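
A check for the duplicate-header problem discussed in this thread, added here as an example and not written by any of the posters or taken from Splunk: it parses inputs.conf-style text, reports every stanza header that appears more than once, and lists the keys whose values differ between the copies. The function names are hypothetical, and the two sample configurations are constructed from the ones quoted above.

```python
"""Flag stanza headers that occur more than once in Splunk-style .conf text.
Added illustration with hypothetical names; handles plain "key = value" lines only."""
from collections import defaultdict


def parse_stanzas(text):
    """Return [(header, {key: value}), ...] in file order, duplicates kept."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas


def duplicate_stanzas(text):
    """Map each repeated header to the keys whose values differ between copies."""
    seen = defaultdict(list)
    for header, settings in parse_stanzas(text):
        seen[header].append(settings)
    report = {}
    for header, copies in seen.items():
        if len(copies) < 2:
            continue
        keys = sorted({k for c in copies for k in c})
        report[header] = {
            k: [c.get(k) for c in copies]
            for k in keys
            if len({c.get(k) for c in copies}) > 1
        }
    return report


# Constructed samples mirroring the two configurations quoted in the thread.
STANZA = "[udp://192.168.1.1:{port}]\nconnection_host = ip\nsourcetype = {st}\n"
SAME_PORT = (STANZA.format(port=514, st="haproxy:http")
             + STANZA.format(port=514, st="haproxy:tcp"))
SPLIT_PORTS = (STANZA.format(port=514, st="haproxy:http")
               + STANZA.format(port=8514, st="haproxy:tcp"))

if __name__ == "__main__":
    print("same port  :", duplicate_stanzas(SAME_PORT))
    print("split ports:", duplicate_stanzas(SPLIT_PORTS))
```

An empty result means no header is repeated; a non-empty one names the header and the conflicting keys to resolve before deploying the file.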