Haproxy Addon sourcetypes

romgo75
New Member

I have installed the haproxy Addon on my Splunk Enterprise 6.6.

After reading the documentation I understand that there are 3 sourcetypes:

HAProxy logs, HTTP format
HAProxy logs, TCP format
HAProxy logs, default format

So far I created the input on port UDP:514 and set the sourcetype to HTTP format.
But in my Haproxy I also have TCP load balancing.

So is there a way to configure two different sourcetypes for only one device?

regards

0 Karma

azamir_splunk
Splunk Employee

Try to create a new listener for the TCP format to the same device; this way you could have two different source types for the same device.

Since the listeners are independent that should work.

Here is an example for using two listeners for the same servers (in this case both use mode tcp, but you can alter one of them to mode http):
listen haproxy_192.168.55.110_3307_multi
    bind *:3307
    mode tcp
    timeout client 10800s
    timeout server 10800s
    balance leastconn
    option httpchk
    option allbackups
    default-server port 9200 inter 2s downinter 5s rise 3 fall 2 slowstart 60s maxconn 64 maxqueue 128 weight 100
    server galera1 192.168.55.111:3306 check
    server galera2 192.168.55.112:3306 check
    server galera3 192.168.55.113:3306 check

listen haproxy_192.168.55.110_3308_single
    bind *:3308
    mode tcp
    timeout client 10800s
    timeout server 10800s
    balance leastconn
    option httpchk
    option allbackups
    default-server port 9200 inter 2s downinter 5s rise 3 fall 2 slowstart 60s maxconn 64 maxqueue 128 weight 100
    server galera1 192.168.55.111:3306 check
    server galera2 192.168.55.112:3306 check backup
    server galera3 192.168.55.113:3306 check backup

Taken from https://severalnines.com/resources/tutorials/mysql-load-balancing-haproxy-tutorial

Test that and see if it can solve this problem.

0 Karma

romgo75
New Member

Thank you, I tried to add a new input, so now my inputs.conf looks like:

[udp://192.168.1.1:514]
connection_host = ip
sourcetype = haproxy:http

[udp://192.168.1.1:514]
connection_host = ip
sourcetype = haproxy:tcp

But I only get sourcetype haproxy:http; the TCP logs don't match the tcp sourcetype.
Any idea?

0 Karma

azamir_splunk
Splunk Employee

You can't use the same header twice in inputs.conf, therefore the TCP logs don't match the TCP sourcetype. You need to define two listeners in haproxy.cfg and only use one sourcetype per header in inputs.conf. Duplication of a header (in your case [udp://192.168.1.1:514]) is a syntax error and the parser disregards the second.

0 Karma

romgo75
New Member

I do have more than two listeners in haproxy.cfg, but this doesn't make haproxy send logs from another IP source. Are you saying that for my tcp log the only solution is to use another IP source in order to apply sourcetype haproxy:tcp?

0 Karma

azamir_splunk
Splunk Employee

Unfortunately you'd have to use another IP source in order to apply haproxy:tcp due to the fact it is impossible to define two different source types under the same IP source. If you can somehow transfer your tcp logs to a different port (for example 8514 instead of 514), that would do; then you could use

[udp://192.168.1.1:514]
connection_host = ip
sourcetype = haproxy:http

[udp://192.168.1.1:8514]
connection_host = ip
sourcetype = haproxy:tcp

and there wouldn't be an error. This is a workaround though; maybe someone else could find an easier solution.

0 Karma
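
The duplicated [udp://192.168.1.1:514] header discussed in this thread can be caught before the file is deployed. The following is an added example, not code from the posters or from Splunk: a Python check that reports stanza headers appearing more than once in an inputs.conf and the settings on which the copies disagree. The function names and the sample strings are constructed here, based on the two configurations posted above.

```python
import re
from collections import defaultdict

STANZA = re.compile(r"^\[(?P<name>.+)\]$")
SETTING = re.compile(r"^(?P<key>[^=\s][^=]*?)\s*=\s*(?P<value>.*)$")


def parse_stanzas(text):
    """Return one (header, line_number, settings) tuple per stanza occurrence."""
    stanzas = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        header = STANZA.match(line)
        if header:
            stanzas.append((header.group("name"), lineno, {}))
            continue
        setting = SETTING.match(line)
        if setting and stanzas:  # settings before any header are ignored here
            stanzas[-1][2][setting.group("key")] = setting.group("value")
    return stanzas


def duplicate_stanzas(text):
    """Map each repeated header to its line numbers and the keys whose values differ."""
    seen = defaultdict(list)
    for name, lineno, settings in parse_stanzas(text):
        seen[name].append((lineno, settings))
    report = {}
    for name, copies in seen.items():
        if len(copies) < 2:
            continue
        keys = sorted(set().union(*(s for _, s in copies)))
        values = {k: [s.get(k) for _, s in copies] for k in keys}
        report[name] = {
            "lines": [n for n, _ in copies],
            "conflicts": {k: v for k, v in values.items() if len(set(v)) > 1},
        }
    return report


# Constructed samples mirroring the two configurations posted in this thread.
HEADER = "[udp://192.168.1.1:514]\nconnection_host = ip\n"
DUPLICATED = HEADER + "sourcetype = haproxy:http\n\n" + HEADER + "sourcetype = haproxy:tcp\n"
SEPARATE_PORTS = (HEADER + "sourcetype = haproxy:http\n\n"
                  + HEADER.replace(":514", ":8514") + "sourcetype = haproxy:tcp\n")

if __name__ == "__main__":
    print(duplicate_stanzas(DUPLICATED))
```

An empty result means every header is unique, as in the 514/8514 variant; a non-empty result lists where each copy starts and which keys carry different values.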