
firehose-to-syslog's Introduction

Disclaimer

Since 2.5.0, username and password are no longer supported for authentication.

Please use ClientId and ClientSecret.

Firehose-to-syslog

This nifty util aggregates all the events from the firehose feature in CloudFoundry.

./firehose-to-syslog \
          --api-endpoint="https://api.10.244.0.34.xip.io" \
          --skip-ssl-validation \
          --debug
....
....
{"cf_app_id":"c5cb762b-b7bb-44b6-97d1-2b612d4baba9","cf_app_name":"lattice","cf_org_id":"fb5777e6-e234-4832-8844-773114b505b0","cf_org_name":"GWENN","cf_origin":"firehose","cf_space_id":"3c910823-22e7-41ff-98de-094759594398","cf_space_name":"GWENN-SPACE","event_type":"LogMessage","level":"info","message_type":"OUT","msg":"Lattice-app. Says Hello. on index: 0","origin":"rep","source_instance":"0","source_type":"APP","time":"2015-06-12T11:46:11+09:00","timestamp":1434077171244715915}

Options

usage: firehose-to-syslog --api-endpoint=API-ENDPOINT --client-id=CLIENT-ID --client-secret=CLIENT-SECRET [<flags>]

Flags:
  --help                         Show context-sensitive help (also try
                                 --help-long and --help-man).
  --debug                        Enable debug mode. This disables
                                 forwarding to syslog
  --api-endpoint=API-ENDPOINT    Api endpoint address. For bosh-lite
                                 installation of CF:
                                 https://api.10.244.0.34.xip.io
  --doppler-endpoint=DOPPLER-ENDPOINT
                                 Overwrite default doppler endpoint return
                                 by /v2/info
  --syslog-server=SYSLOG-SERVER  Syslog server.
  --syslog-protocol="tcp"        Syslog protocol (tcp/udp/tcp+tls).
  --skip-ssl-validation-syslog   Skip Ssl validation for syslog
  --subscription-id="firehose"   Id for the subscription.
  --client-id=CLIENT-ID          Client ID.
  --client-secret=CLIENT-SECRET  Client secret.
  --skip-ssl-validation          Please don't
  --fh-keep-alive=25s            Keep Alive duration for the firehose
                                 consumer
  --min-retry-delay=500ms        Doppler Cloud Foundry Doppler min. retry
                                 delay duration
  --max-retry-delay=1m           Doppler Cloud Foundry Doppler max. retry
                                 delay duration
  --max-retry-count=1000         Doppler Cloud Foundry Doppler max. retry
                                 Count duration
  --logs-buffer-size=10000       Number of envelope to be buffered
  --events="LogMessage"          Comma separated list of events you would
                                 like. Valid options are ContainerMetric,
                                 CounterEvent, Error, HttpStartStop,
                                 LogMessage, ValueMetric
  --enable-stats-server          Will enable stats server on 8080
  --boltdb-path="my.db"          Bolt Database path
  --cc-pull-time=60s             CloudController Polling time in sec
  --cc-rps=50                    CloudController Polling request by second
  --extra-fields=""              Extra fields you want to annotate your
                                 events with, example:
                                 '--extra-fields=env:dev,something:other
  --orgs=""                      Forwarded on the app logs from theses
                                 organisations' example: --orgs=org1,org2
  --mode-prof=""                 Enable profiling mode, one of [cpu, mem,
                                 block]
  --path-prof=""                 Set the Path to write profiling file
  --log-formatter-type=LOG-FORMATTER-TYPE
                                 Log formatter type to use. Valid options
                                 are text, json, json-cee. If none
                                 provided, defaults to json.
  --cert-pem-syslog=""           Certificate Pem file
  --ignore-missing-apps          Enable throttling on cache lookup for
                                 missing apps
  --version                      Show application version.

Note on --events: please use --help to get the up-to-date list of event types.

TLS syslog endpoint.

Since v3, firehose-to-syslog supports TLS syslog: pass a PEM-encoded certificate file with --cert-pem-syslog. Please refer to https://github.com/RackSec/srslog/blob/master/script/gen-certs.py for certificate generation.
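
The following is an added example, not code from the firehose-to-syslog project: in Go, trusting a syslog server through a PEM file means loading it into the RootCAs pool of a tls.Config instead of switching verification off. The loopback sink, its throwaway certificate and all function names are constructed for the demonstration, and treating the --cert-pem-syslog file as the trust anchor is an assumption.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// startTLSSink runs a TLS syslog receiver on loopback with a throwaway self-signed
// certificate (constructed). Per connection it reports the first line, or "" on failure.
func startTLSSink() (addr string, certPEM []byte, lines chan string, stop func(), err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		SessionTicketsDisabled: true, // nothing is sent to the client after the handshake
	})
	if err != nil {
		return
	}
	lines = make(chan string, 4)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			line, _ := bufio.NewReader(conn).ReadString('\n')
			lines <- line
			conn.Close()
		}
	}()
	return ln.Addr().String(), certPEM, lines, func() { ln.Close() }, nil
}

// pinnedTLSConfig trusts only the certificates found in pemBytes, the role
// this example assumes for the file passed to --cert-pem-syslog.
func pinnedTLSConfig(pemBytes []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no certificate found in PEM data")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// demo returns the delivered line and the error seen by a client that does not trust the sink.
func demo() (delivered string, rejected, err error) {
	addr, certPEM, lines, stop, err := startTLSSink()
	if err != nil {
		return
	}
	defer stop()
	send := func(cfg *tls.Config, msg string) error {
		conn, err := tls.Dial("tcp", addr, cfg)
		if err != nil {
			return err
		}
		defer conn.Close()
		_, err = fmt.Fprintln(conn, msg)
		return err
	}
	cfg, err := pinnedTLSConfig(certPEM)
	if err != nil {
		return
	}
	if err = send(cfg, "<14>constructed test message"); err != nil {
		return
	}
	delivered = <-lines
	rejected = send(&tls.Config{RootCAs: x509.NewCertPool()}, "never delivered")
	return
}

func main() { fmt.Println(demo()) }
```

The second call fails during the handshake with an unknown-authority error, which is the failure that skipping validation would hide.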

JSON CEE rsyslog compatibility

rsyslog supports parsing JSON log messages through its mmjsonparse module. This module expects a parsable JSON log message to be prepended with the value @cee:.

For LOG-FORMATTER-TYPE, using json-cee will yield the same result as using json but the JSON sent will have @cee: prepended to it. The json-cee formatter type also ensures that a RFC3164 compatible log message is sent, which was found to be required by rsyslog when using the mmjsonparse module.
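
An added example (not part of the project's code) of what a receiver has to do with a json-cee line: read the <PRI>, find the @cee: cookie and decode the JSON behind it. The header (timestamp, host, tag) in the sample line is constructed, the JSON is a shortened copy of the sample event shown earlier on this page, and the names parseCEE, CEEMessage and TimestampNanos are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

const ceeCookie = "@cee:"

// sampleLine is constructed: the header is made up, the JSON is a shortened
// copy of the sample event from the introduction of this page.
const sampleLine = `<14>Jun 12 11:46:11 nozzle-host firehose-to-syslog: @cee:` +
	`{"cf_app_name":"lattice","event_type":"LogMessage","msg":"Lattice-app. Says Hello. on index: 0",` +
	`"source_type":"APP","timestamp":1434077171244715915}`

// CEEMessage is one parsed RFC 3164 line that carried a @cee: JSON payload.
type CEEMessage struct {
	Facility, Severity int
	Header             string                 // timestamp, host and tag, as received
	Fields             map[string]interface{} // decoded JSON object
}

// parseCEE rejects lines without a valid <PRI> or without the cookie.
func parseCEE(line string) (*CEEMessage, error) {
	end := strings.IndexByte(line, '>')
	if !strings.HasPrefix(line, "<") || end < 2 || end > 4 {
		return nil, errors.New("missing or malformed <PRI>")
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil || pri < 0 || pri > 191 {
		return nil, errors.New("PRI is not a number in 0..191")
	}
	rest := line[end+1:]
	// The first cookie wins: anything after it, including a "@cee:" inside an
	// application's own msg text, belongs to the JSON document.
	i := strings.Index(rest, ceeCookie)
	if i < 0 {
		return nil, errors.New("no @cee: cookie, not a json-cee message")
	}
	dec := json.NewDecoder(strings.NewReader(rest[i+len(ceeCookie):]))
	dec.UseNumber() // a 19-digit nanosecond timestamp does not fit a float64 exactly
	var fields map[string]interface{}
	if err := dec.Decode(&fields); err != nil {
		return nil, fmt.Errorf("payload after cookie is not a JSON object: %w", err)
	}
	return &CEEMessage{
		Facility: pri / 8,
		Severity: pri % 8,
		Header:   strings.TrimSpace(rest[:i]),
		Fields:   fields,
	}, nil
}

// TimestampNanos returns the event's "timestamp" field without precision loss.
func (m *CEEMessage) TimestampNanos() (int64, error) {
	n, ok := m.Fields["timestamp"].(json.Number)
	if !ok {
		return 0, errors.New("timestamp missing or not a number")
	}
	return n.Int64()
}

func main() {
	m, err := parseCEE(sampleLine)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	ns, _ := m.TimestampNanos()
	fmt.Printf("facility=%d severity=%d app=%v ns=%d\n", m.Facility, m.Severity, m.Fields["cf_app_name"], ns)
}
```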

Event documentation

See the dropsonde protocol documentation for details on what data is sent as part of each event.

Caching

We use boltdb for caching application name, org and space name.

We have 3 caching strategies:

  • Pull all application data on start.
  • Pull application data if not cached yet.
  • Pull all application data every "cc-pull-time".

To test and build

# Setup repo
go get github.com/cloudfoundry-community/firehose-to-syslog
cd $GOPATH/src/github.com/cloudfoundry-community/firehose-to-syslog

# Test
make test

# Build binary
go build

Deploy with Bosh

logsearch-for-cloudfoundry

Parsing the logs with Logstash

logsearch-for-cloudfoundry

Profiling

To enable CPU profiling you just need to add the profiling option, e.g. --mode-prof=cpu

Run your program for some time; after that you can use the pprof tool:

go tool pprof YOUR_EXECUTABLE cpu.pprof

(pprof) top 10
110ms of 110ms total (  100%)
Showing top 10 nodes out of 44 (cum >= 20ms)
      flat  flat%   sum%        cum   cum%
      30ms 27.27% 27.27%       30ms 27.27%  syscall.Syscall
      20ms 18.18% 45.45%       20ms 18.18%  ExternalCode
      20ms 18.18% 63.64%       20ms 18.18%  runtime.futex
      10ms  9.09% 72.73%       10ms  9.09%  adjustpointers
      10ms  9.09% 81.82%       10ms  9.09%  bytes.func·001
      10ms  9.09% 90.91%       20ms 18.18%  io/ioutil.readAll
      10ms  9.09%   100%       10ms  9.09%  runtime.epollwait
         0     0%   100%       60ms 54.55%  System
         0     0%   100%       20ms 18.18%  bufio.(*Reader).Read
         0     0%   100%       20ms 18.18%  bufio.(*Reader).fill

Push as an App to Cloud Foundry

  1. Create doppler.firehose enabled user or client

    • Use Client ID / Client Secret
      uaac target https://uaa.[your cf system domain]
      uaac token client get admin -s [your admin-secret]
      uaac client add firehose-to-syslog \
        --name firehose-to-syslog \
        --secret [your_client_secret] \
        --authorized_grant_types client_credentials,refresh_token \
        --authorities doppler.firehose,cloud_controller.admin_read_only
      
  2. Download the latest release of firehose-to-syslog.

    git clone https://github.com/cloudfoundry-community/firehose-to-syslog
    cd firehose-to-syslog
    
  3. Utilize the CF cli to authenticate with your PCF instance.

    cf login -a https://api.[your cf system domain] -u [your id] --skip-ssl-validation
    
  4. Push firehose-to-syslog.

    cf push firehose-to-syslog --no-start
    
  5. Set environment variables with cf cli or in the manifest.yml.

    cf set-env firehose-to-syslog API_ENDPOINT https://api.[your cf system domain]
    cf set-env firehose-to-syslog DOPPLER_ENDPOINT wss://doppler.[your cf system domain]:443
    cf set-env firehose-to-syslog SYSLOG_ENDPOINT [Your Syslog IP]:514
    cf set-env firehose-to-syslog LOG_EVENT_TOTALS true
    cf set-env firehose-to-syslog LOG_EVENT_TOTALS_TIME "10s"
    cf set-env firehose-to-syslog SKIP_SSL_VALIDATION true
    cf set-env firehose-to-syslog FIREHOSE_SUBSCRIPTION_ID firehose-to-syslog
    cf set-env firehose-to-syslog FIREHOSE_CLIENT_ID  [your doppler.firehose enabled client id]
    cf set-env firehose-to-syslog FIREHOSE_CLIENT_SECRET  [your doppler.firehose enabled client secret]
    cf set-env firehose-to-syslog LOG_FORMATTER_TYPE [Log formatter type to use. Valid options are : text, json, json-cee]
    
  6. Turn off the health check if you're staging to Diego.

    cf set-health-check firehose-to-syslog process
    
  7. Push the app.

    cf push firehose-to-syslog --no-route
    


firehose-to-syslog's Issues

Events that are from an app should have a real app name, space and org information.

cf_app_id is a bit cryptic.

cf curl "/v2/apps/942d2650-28e1-4214-a3ce-fc2bf21bda77?inline-relations-depth=2" | egrep "name|space|org"
      "name": "article-search-dev-0_2",
      "space_guid": "0e568373-a012-4991-9d64-d319fec988f4",
      "detected_start_command": "JAVA_HOME=$PWD/.java-buildpack/open_jdk_jre JAVA_OPTS=\"-Djava.io.tmpdir=$TMPDIR -XX:OnOutOfMemoryError=$PWD/.java-buildpack/open_jdk_jre/bin/killjava.sh -Xmx160M -Xms160M -XX:MaxMetaspaceSize=64M -XX:MetaspaceSize=64M -Xss853K -XX:+UseConcMarkSweepGC\" $PWD/article-search-0.2/bin/article-search",
      "space_url": "/v2/spaces/0e568373-a012-4991-9d64-d319fec988f4",
      "space": {
            "url": "/v2/spaces/0e568373-a012-4991-9d64-d319fec988f4",
            "name": "dev",
            "organization_guid": "19805aa5-2b47-4efd-a688-6a678e9773ce",
            "space_quota_definition_guid": null,
            "organization_url": "/v2/organizations/19805aa5-2b47-4efd-a688-6a678e9773ce",
            "organization": {
                  "url": "/v2/organizations/19805aa5-2b47-4efd-a688-6a678e9773ce",
                  "name": "casper",
                  "spaces_url": "/v2/organizations/19805aa5-2b47-4efd-a688-6a678e9773ce/spaces

cloudfoundry-community/logsearch-for-cloudfoundry#21

Errors when using a non-valid Certificate

Hi there,

I'm trying to test the firehose-to-syslog out on a bosh-lite deployment of CF but it's failing because I'm using a self-signed cert.

I've implemented a quick fix for this locally by adding a --skip-ssl-validation flag and passing &tls.Config{InsecureSkipVerify: skipSSLValidation} through to noaa and gorequest. Would you be interested in a PR for this?

Cheers,
Ed

Ability to filter logs per application

At SAP, we are looking at the possibility to install multiple ELK stacks and connect different applications to them. Ideally, we would like to be able to filter firehose logs per application, so that only the logs of certain applications are "ingested" by the firehose ingestor, and all other logs are filtered out. We use logsearch-for-cloudfoundry, which is in turn based on this project.

Filtering logs per application seems not to be possible currently. Have you ever considered this, is this missing intentionally? Would you accept PRs in this direction?

Support for load balancing across multiple syslog endpoints

What would you guys think of a PR that would allow one to configure multiple syslog IPs? I'm talking to a customer right now that wants to configure multiple splunk syslog forwarders to splunk indexers and they don't want to put in their own load balancer in front of them. Is this a worthwhile endeavor?

Create a new release.

Hiya all!

Amazing, coming back from holiday and seeing so much work has been done!

With so much work going on, should we start thinking about a way to structure new releases, CHANGELOG, features and stuff like this? There are a lot of changes from 0.0.2 to HEAD on develop, almost too many.. :)

Also, how do you feel about git flow? The tests are not really there yet, but should we use travis or similar tool to run the few ones we have?

Error getting token oauth2: cannot fetch token: 400 Bad Request

Using the new firehose-to-syslog 0.1.1-dev against my BOSH lite CF v205 installation gives me the following errors related to oauth2: cannot fetch tokens:

Any idea what is wrong?

./firehose-to-syslog   \
      --api-address=https://api.10.244.0.34.xip.io   \
      --skip-ssl-validation    \
      --user=admin   \
      --password=admin  \
      --syslog-server=127.0.0.1:514   \
      --events=LogMessage,Error,ContainerMetric \
      --debug

[2015-06-12 12:40:29.772073642 +0000 UTC] Starting firehose-to-syslog 0.1.1-dev 
2015/06/12 12:40:30 Error getting token oauth2: cannot fetch token: 400 Bad Request
Response: <!DOCTYPE html>


<html dir="ltr" lang="en">
<head>
<title>Cloud Foundry</title>

    <link href="/resources/oss/images/favicon.ico" rel="shortcut icon" />
    <meta charset="utf-8" />
    <meta name="author" content="Pivotal Software, Inc" />
    <meta name="copyright" content="Copyright 2014 Pivotal Software, Inc. All Rights Reserved." />
    <meta name="robots" content="all" />
    <meta name="Description" content="" />
    <meta name="keywords" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link href="/vendor/font-awesome/css/font-awesome.min.css" rel="stylesheet" />
    <link href="/resources/oss/stylesheets/application.css" rel="stylesheet" />



        <script type="text/javascript" src="/vendor/jquery/javascripts/jquery.js"></script>
        <script type="text/javascript" src="/resources/javascripts/nav.js"></script>



</head>
<body>
<div class="content">
    <div class="header" style="background-image: url(/resources/oss/images/logo.png);">

        <div class="nav">
            <div class="dropdown-trigger">
                <span>admin</span>
                <i class="fa fa-chevron-down"></i>
            </div>
            <ul class="dropdown-content">
                <li><a href="/profile">Account Settings</a></li>
                <li><a href="/logout.do">Sign Out</a></li>
            </ul>
        </div>

    </div>
    <div class="island">
        <h1>Where to?</h1>
        <ul class="tiles">

        </ul>


    </div>
    <div class="footer-spacer"></div>
</div>
<div class="footer">
    <div class="copyright" title="Version: 1.14, Commit: c4e3209, Timestamp: 2015-01-23T22:44:14+0000, UAA: http://uaa.10.244.0.34.xip.io">&#169; 2015 Pivotal Software, Inc. All Rights Reserved.</div>
</div>




</body>
</html>
[2015-06-12 12:40:30.2502689 +0000 UTC] Using wss://loggregator.10.244.0.34.xip.io:443 as doppler endpoint
[2015-06-12 12:40:30.253963953 +0000 UTC] Start filling app/space/org cache.
[2015-06-12 12:40:30.253992462 +0000 UTC] Retrieving Apps for Cache...
2015/06/12 12:40:30 Error requesting apps Get http://api.10.244.0.34.xip.io/v2/apps?inline-relations-depth=2: oauth2: token expired and refresh token is not set
[2015-06-12 12:40:30.254034668 +0000 UTC] Exception occurred! Message: Recovered in caching.GetAllApp() Details: runtime error: invalid memory address or nil pointer dereference
[2015-06-12 12:40:30.254048922 +0000 UTC] Done filling cache! Found [0] Apps
[2015-06-12 12:40:30.254053954 +0000 UTC] Setting up event routing!
[2015-06-12 12:40:30.254055072 +0000 UTC] Event Type [LogMessage] is included in the fireshose!
[2015-06-12 12:40:30.254076873 +0000 UTC] Event Type [Error] is included in the fireshose!
[2015-06-12 12:40:30.254082743 +0000 UTC] Event Type [ContainerMetric] is included in the fireshose!
[2015-06-12 12:40:30.25440026 +0000 UTC] Received hook to syslog server [127.0.0.1:514]!

[2015-06-12 12:40:30.254441627 +0000 UTC] Connected to Syslog Server! Connecting to Firehose...
2015/06/12 12:40:30 Error getting token oauth2: token expired and refresh token is not set
[2015-06-12 12:40:30.254462031 +0000 UTC] Firehose Subscription Succesfull! Routing events...
[2015-06-12 12:40:30.254495571 +0000 UTC] WEBSOCKET REQUEST:
[2015-06-12 12:40:30.25450172 +0000 UTC] GET /firehose/firehose HTTP/1.1
Host: wss://loggregator.10.244.0.34.xip.io:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: 

[2015-06-12 12:40:30.392777496 +0000 UTC] WEBSOCKET RESPONSE:
[2015-06-12 12:40:30.392867217 +0000 UTC] HTTP/1.1 404 Not Found
Date: Fri, 12 Jun 2015 12:40:30 GMT
Content-Length: 38
Content-Type: text/plain; charset=utf-8

[2015-06-12 12:40:30.392945478 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Error dialing traffic controller server: websocket: bad handshake.
Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller is wss://loggregator.10.244.0.34.xip.io:443).
[2015-06-12 12:40:30.894360318 +0000 UTC] WEBSOCKET REQUEST:
[2015-06-12 12:40:30.894405597 +0000 UTC] GET /firehose/firehose HTTP/1.1
Host: wss://loggregator.10.244.0.34.xip.io:443
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: [HIDDEN]
Origin: http://localhost
Authorization: 

[2015-06-12 12:40:31.030614156 +0000 UTC] WEBSOCKET RESPONSE:
[2015-06-12 12:40:31.03073043 +0000 UTC] HTTP/1.1 404 Not Found
Date: Fri, 12 Jun 2015 12:40:31 GMT
Content-Length: 38
Content-Type: text/plain; charset=utf-8

[2015-06-12 12:40:31.030790244 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Error dialing traffic controller server: websocket: bad handshake.
Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller is wss://loggregator.10.244.0.34.xip.io:443).

Json events have "time" in seconds precision

Log events that go through 'firehose-to-syslog' tool are wrapped to JSON that includes "time" field, e.g.:

{
"cf_app_name":"my-test-app",
. . .
"msg":"Test message",
"time":"2016-03-28T15:25:20Z"
}

But why does the time field have seconds precision? I believe that seconds is not enough for most cases (several log events can happen at the same second and we just don't know their correct order).

Cloud Foundry components' logs usually come with micro precision which looks more convenient:
<14>2016-03-28T16:11:03.003172+00:00192.168.111.24 vcap.cloud_controller_ng [job=nfs_z1 index=0] {. . . }

Can we make firehose events have micro precision as well?

Cached app metadata is missing values for some fields.

Stumbled across this whilst debugging another issue.

key=2d298cd3-bcf3-488e-921d-3c08d2f6102e, value={"Name":"sprcom-cms-frontend-qa_0.216","Guid":"2d298cd3-bcf3-488e-921d-3c08d2f6102e","SpaceName":"","SpaceGuid":"","OrgName":"","OrgGuid":""}

Panic: github.com/boltdb/bolt.(*Bucket).Get

Getting another error testing the latest code, this appears to be related to the Bolt DB? The nozzle is crashing instantly with the first log entry, not sure how to debug this.

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x8 pc=0x4587c3]

goroutine 1 [running]:
github.com/boltdb/bolt.(*Bucket).Get(0x0, 0xc208237b00, 0x24, 0x30, 0x0, 0x0, 0x0)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/Godeps/_workspace/src/github.com/boltdb/bolt/bucket.go:256 +0x53
github.com/cloudfoundry-community/firehose-to-syslog/caching.func·002(0xc2082e80d0, 0x0, 0x0)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/caching/caching.go:71 +0xbf
github.com/boltdb/bolt.(*DB).View(0xc2080389c0, 0xc20807e968, 0x0, 0x0)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/Godeps/_workspace/src/github.com/boltdb/bolt/db.go:536 +0xe7
github.com/cloudfoundry-community/firehose-to-syslog/caching.GetAppInfo(0xc208237ad0, 0x24, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/caching/caching.go:73 +0x9f
github.com/cloudfoundry-community/firehose-to-syslog/logging.getAppInfo(0xc208237ad0, 0x24, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/logging/logging.go:31 +0x52
github.com/cloudfoundry-community/firehose-to-syslog/logging.LogMessages(0xc20810afa0)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/logging/logging.go:131 +0x19b
github.com/cloudfoundry-community/firehose-to-syslog/events.RouteEvents(0xc2080332c0, 0xc20803d500)
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/events/events.go:25 +0x15c
main.main()
        /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/main.go:80 +0x7df

Generate subscription id or require one to be set

Enhancement / Feature request

As the subscription id is not required and defaults to 'firehose' it could happen that messages are being load balanced accidentally (different run execute firehose-to-syslog with different endpoints).

So it might be worth considering to:

  • use a UUID for the subscription id if nothing is provided

or

  • make the subscription id a required field without a default value.

Wrong Version Number in main.go

main.go still reflects the version to be 1.3.1 in branch develop as well as tag 1.4.0. Just opening an issue for tracking and a reminder to change it in the next release.

Freshly deployed apps have empty cf_app_name/cf_space_id/cf_space_name/etc

When I deploy a new app, its firehose logs don't contain any data for cf_app_name/cf_space_id/cf_space_name/etc, ie:

{"cf_app_id":"653277ef-e7f3-4abb-93c6-c2295302f191","cf_app_name":"","cf_org_id":"","cf_org_name":"","cf_space_id":"","cf_space_name":"","event_type":"LogMessage","level":"info","message_type":"OUT","msg":"ruby-simple.apps.54.183.203.97.xip.io - [21/04/2015:06:42:45 +0000] \"GET / HTTP/1.1\" 200 811 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36\" 10.10.2.6:37387 x_forwarded_for:\"80.229.7.108, 10.10.2.6\" vcap_request_id:1097e51b-8e38-4b49-4df5-7763e9490c46 response_time:0.005121271 app_id:653277ef-e7f3-4abb-93c6-c2295302f191\n","origin":"router__0","source_instance":"0","source_type":"RTR","time":"2015-04-21T06:42:28Z","timestamp":1429598565443002841}

If I restart the firehose-to-syslog service, then my new app's logs are correctly looked up, ie:

{"cf_app_id":"653277ef-e7f3-4abb-93c6-c2295302f191","cf_app_name":"ruby_simple","cf_org_id":"8005f45b-76d9-4038-8ca1-9e0a85ed5be0","cf_org_name":"system","cf_space_id":"a871a722-cad2-4d46-8061-2c9b728b7d8f","cf_space_name":"development","event_type":"LogMessage","level":"info","message_type":"OUT","msg":"ruby-simple.apps.54.183.203.97.xip.io - [21/04/2015:06:48:22 +0000] \"GET / HTTP/1.1\" 200 811 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36\" 10.10.2.6:38632 x_forwarded_for:\"80.229.7.108, 10.10.2.6\" vcap_request_id:c22c2da7-d169-4551-7e8d-a6e2fc589946 response_time:0.004251063 app_id:653277ef-e7f3-4abb-93c6-c2295302f191\n","origin":"router__0","source_instance":"0","source_type":"RTR","time":"2015-04-21T06:48:05Z","timestamp":1429598902773388246}

I'm running the firehose-to-syslog service like this:

firehose-to-syslog \
        --domain=run.54.183.203.97.xip.io \
        --skip-ssl-validation  \
        --user=admin \
        --password=XXXXXXX \
        --syslog-server=127.0.0.1:5514 \
        --events=LogMessage

It appears that the "Pull by application id if not cached yet" portion of the caching strategy isn't working.

Missing events with 1.0.0-rc1!

Using https://github.com/cloudfoundry-samples/fib-cpu

Doing a "curl fib.test.cf.domain.com/10" yields two events

$ cf logs fib --recent
2015-06-23T14:18:38.91+0200 [App/0]      OUT Request /10 took 8.0233e-05 seconds to complete
2015-06-23T14:18:38.91+0200 [RTR/0]      OUT fib.test.cf.domain.com - [23/06/2015:12:18:38 +0000] "GET /10 HTTP/1.1" 200 0 2 "-" "curl/7.43.0" 10.230.31.7:49931 x_forwarded_for:"10.230.31.7" vcap_request_id:341a8de7-9000-4e43-60ef-0ce75aaf7858 response_time:0.011453207 app_id:99f4b46a-70ef-4b0c-941e-3fe8f83227c5

Running in three terminals at the same time

Term1$ cf logs fib > /tmp/logs
Term2$ ./firehose-to-syslog-linux64 --api-endpoint=https://api.test.cf.domain.com --user=admin --password=asdfsdf --subscription-id=kehe --debug --cc-pull-time=999999s --doppler-endpoint=wss://doppler.test.cf.domain.com > /tmp/firehose
Term3$ repeat 10 curl fib.test.cf.springer-sbm.com/10

There should be 10 RTR and 10 App logs from both parties.

$ cat /tmp/logs | grep RTR | wc -l
10
$ cat /tmp/logs | grep App | wc -l
10
$ cat /tmp/firehose | grep \"App | wc -l
10
$ cat /tmp/firehose | grep \"RTR | wc -l
7

firehose-to-syslog dies after 2 hours - why?

Hello,

I have firehose-to-syslog running outside PCF environment, it runs for 2 hours with no issues and then dies. (tried multiple times and it always stops at ~2 hours, not sure from where this 2 hour timeline kicks in, even though it shows invalid authorization I am using the same password all the time)

command used:

nohup firehose-to-syslog --api-endpoint="https://api.something.net" --subscription-id="firehose" --skip-ssl-validation --user="syslog" --password="nothing" --events="LogMessage, ValueMetric, Error, ContainerMetric" --cc-pull-time=60s --syslog-server=anything.net:54321 2>Error.log &

nohup.out:

[2016-04-08 09:45:54.521534415 -0400 EDT] Starting firehose-to-syslog 1.3.0 - 84c8757
...

Error.log:

[2016-04-08 11:50:29.988082066 -0400 EDT] Exception occurred! Message: Firehose Error! Details: EOF
[2016-04-08 11:50:30.529645699 -0400 EDT] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
[2016-04-08 11:50:31.088254856 -0400 EDT] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
[2016-04-08 11:50:31.621956793 -0400 EDT] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
[2016-04-08 11:50:32.180145266 -0400 EDT] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization

Thanks.

go-cfclient.(*Client).getToken FAILS with panic: runtime error: invalid memory address or nil pointer dereference

I'm having trouble running the latest firehose-to-syslog as part of cloudfoundry-community/logsearch-for-cloudfoundry#26

Specifically, when I run inside my test logsearch bosh deployment with following options:

./firehose-to-syslog \
  --domain=run.54.183.203.97.xip.io --skip-ssl-validation \
  --user=admin --password=XXXXXXX \
  --syslog-server=127.0.0.1:5514 \
  --debug

It fails with:

panic: runtime error: invalid memory address or nil pointer dereference

Full output below:

root@fe66eaf2-c4b1-4227-b03c-453355ae0663:/var/vcap/packages/firehose-to-syslog/bin# ./firehose-to-syslog --domain=run.54.183.203.97.xip.io --skip-ssl-validation --user=admin --password=XXXXXXX --syslog-server=127.0.0.1:5514 --debug
panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xb code=0x1 addr=0x0 pc=0x4797c2]

goroutine 1 [running]:
github.com/cloudfoundry-community/go-cfclient.(*Client).getToken(0xc208054180, 0x0, 0x0)
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/Godeps/_workspace/src/github.com/cloudfoundry-community/go-cfclient/client.go:180 +0xa22
github.com/cloudfoundry-community/go-cfclient.(*Client).GetToken(0xc208054180, 0x0, 0x0)
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/Godeps/_workspace/src/github.com/cloudfoundry-community/go-cfclient/client.go:156 +0x44
github.com/cloudfoundry-community/go-cfclient.(*Client).doRequest(0xc208054180, 0xc208036500, 0x45, 0x0, 0x0)
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/Godeps/_workspace/src/github.com/cloudfoundry-community/go-cfclient/client.go:111 +0x84
github.com/cloudfoundry-community/go-cfclient.(*Client).ListApps(0xc208054180, 0x0, 0x0, 0x0)
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/Godeps/_workspace/src/github.com/cloudfoundry-community/go-cfclient/apps.go:54 +0x234
github.com/cloudfoundry-community/firehose-to-syslog/caching.GetAllApp(0x0, 0x0, 0x0)
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/caching/caching.go:59 +0x8c
main.main()
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/main.go:73 +0x733

goroutine 6 [chan receive]:
main.func·001()
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/main.go:60 +0x67
created by main.main
    /var/vcap/packages/firehose-to-syslog/src/github.com/cloudfoundry-community/firehose-to-syslog/main.go:65 +0x6d1

goroutine 17 [syscall, locked to thread]:
runtime.goexit()
    /usr/local/go/src/runtime/asm_amd64.s:2232 +0x1

Docker improvement & Speed-up & Profiling

New Feature:

  • Profiling options
  • Docker in Docker: now the Docker image is built inside Docker and the image is only 7MG. Exec is built with the static library.

Improvement:

  • Use ffjson instead of std lib. According to the profiling we decrease the time consumed by unmarshalling and so on.

Remove grok-pattern in favour of pointing at logsearch-for-cloudfoundry

I'd like to propose that we remove the embedded grok-pattern/ folder, and rather point people at the https://github.com/logsearch/logsearch-for-cloudfoundry/blob/master/target/logstash-filters-default.conf if they are interested in logstash filters.

firehose-to-syslog is about forwarding the CF firehose to a generic syslog endpoint. The fact that logstash can be used as said syslog endpoint shouldn't be a concern of this codebase.

0 Logs being processed.

I've pushed the firehose-to-syslog nozzle as an application to cloud foundry. However, I've been running into the following error: after some time, the application stops processing logs. Below is an example log.

Mon Apr 04 2016 09:03:05 GMT-0400 (Eastern Standard Time) [APP] OUT We have processed 0 events from the firehose at wss://doppler.domain.com:443 over the last 29.9 seconds and 1620115 total events since startup.

We have this app running in a couple of different environments with varying volumes of logs being output. In the environment where we are seeing the issue, we have around 30,000 logs a minute being output (capturing from 300+ applications). I've increased the number of instances to 6 (with 512 MB of memory), however I'm still seeing the issue. Additionally, the application is only capturing LogMessage events.

Re-staging the application fixes the issue.

Add documentation for --events options

The --events flag allows subscription to the following event types:

  • HttpStart
  • HttpStop
  • Heartbeat
  • HttpStartStop
  • LogMessage
  • ValueMetric
  • CounterEvent
  • Error
  • ContainerMetric

We should add / link to documentation describing what these different event types are, and what fields are contained therein.

Be able to add extra fields to an event.

Would be nice to be able to annotate events with static data

./firehose-to-syslog .... --extra-fields=env:dev,random-field:kehehe

To produce events like

{"cf_app_id":"1bfdaa4a-7982-4eff-9a49-eb58281f19e5"... "env":"dev","random-field":"kehehe",....}

Cannot go get/godep get

$ go get github.com/cloudfoundry-community/firehose-to-syslog
# github.com/cloudfoundry-community/firehose-to-syslog/events
events/events.go:6: inconsistent definition for type events.Heartbeat during import
    struct { SentCount *uint64 "protobuf:\"varint,1,req,name=sentCount\" json:\"sentCount,omitempty\""; ReceivedCount *uint64 "protobuf:\"varint,2,req,name=receivedCount\" json:\"receivedCount,omitempty\""; ErrorCount *uint64 "protobuf:\"varint,3,req,name=errorCount\" json:\"errorCount,omitempty\""; ControlMessageIdentifier *events.UUID "protobuf:\"bytes,4,opt,name=controlMessageIdentifier\" json:\"controlMessageIdentifier,omitempty\""; XXX_unrecognized []byte "json:\"-\"" } (in "github.com/cloudfoundry-community/firehose-to-syslog/logging")
    struct { SentCount *uint64 "protobuf:\"varint,1,req,name=sentCount\" json:\"sentCount,omitempty\""; ReceivedCount *uint64 "protobuf:\"varint,2,req,name=receivedCount\" json:\"receivedCount,omitempty\""; ErrorCount *uint64 "protobuf:\"varint,3,req,name=errorCount\" json:\"errorCount,omitempty\""; XXX_unrecognized []byte "json:\"-\"" } (in "github.com/cloudfoundry/noaa/events")
events/events.go:6: inconsistent definition for type events.CounterEvent during import
    struct { Name *string "protobuf:\"bytes,1,req,name=name\" json:\"name,omitempty\""; Delta *uint64 "protobuf:\"varint,2,req,name=delta\" json:\"delta,omitempty\""; Total *uint64 "protobuf:\"varint,3,opt,name=total\" json:\"total,omitempty\""; XXX_unrecognized []byte "json:\"-\"" } (in "github.com/cloudfoundry-community/firehose-to-syslog/logging")
    struct { Name *string "protobuf:\"bytes,1,req,name=name\" json:\"name,omitempty\""; Delta *uint64 "protobuf:\"varint,2,req,name=delta\" json:\"delta,omitempty\""; XXX_unrecognized []byte "json:\"-\"" } (in "github.com/cloudfoundry/noaa/events")
events/events.go:6: inconsistent definition for type events.Envelope during import
    struct { Origin *string "protobuf:\"bytes,1,req,name=origin\" json:\"origin,omitempty\""; EventType *events.Envelope_EventType "protobuf:\"varint,2,req,name=eventType,enum=events.Envelope_EventType\" json:\"eventType,omitempty\""; Timestamp *int64 "protobuf:\"varint,6,opt,name=timestamp\" json:\"timestamp,omitempty\""; Deployment *string "protobuf:\"bytes,13,opt,name=deployment\" json:\"deployment,omitempty\""; Job *string "protobuf:\"bytes,14,opt,name=job\" json:\"job,omitempty\""; Index *string "protobuf:\"bytes,15,opt,name=index\" json:\"index,omitempty\""; Ip *string "protobuf:\"bytes,16,opt,name=ip\" json:\"ip,omitempty\""; Heartbeat *events.Heartbeat "protobuf:\"bytes,3,opt,name=heartbeat\" json:\"heartbeat,omitempty\""; HttpStart *events.HttpStart "protobuf:\"bytes,4,opt,name=httpStart\" json:\"httpStart,omitempty\""; HttpStop *events.HttpStop "protobuf:\"bytes,5,opt,name=httpStop\" json:\"httpStop,omitempty\""; HttpStartStop *events.HttpStartStop "protobuf:\"bytes,7,opt,name=httpStartStop\" json:\"httpStartStop,omitempty\""; LogMessage *events.LogMessage "protobuf:\"bytes,8,opt,name=logMessage\" json:\"logMessage,omitempty\""; ValueMetric *events.ValueMetric "protobuf:\"bytes,9,opt,name=valueMetric\" json:\"valueMetric,omitempty\""; CounterEvent *events.CounterEvent "protobuf:\"bytes,10,opt,name=counterEvent\" json:\"counterEvent,omitempty\""; Error *events.Error "protobuf:\"bytes,11,opt,name=error\" json:\"error,omitempty\""; ContainerMetric *events.ContainerMetric "protobuf:\"bytes,12,opt,name=containerMetric\" json:\"containerMetric,omitempty\""; XXX_unrecognized []byte "json:\"-\"" } (in "github.com/cloudfoundry-community/firehose-to-syslog/logging")
    struct { Origin *string "protobuf:\"bytes,1,req,name=origin\" json:\"origin,omitempty\""; EventType *events.Envelope_EventType "protobuf:\"varint,2,req,name=eventType,enum=events.Envelope_EventType\" json:\"eventType,omitempty\""; Timestamp *int64 "protobuf:\"varint,6,opt,name=timestamp\" json:\"timestamp,omitempty\""; Heartbeat *events.Heartbeat "protobuf:\"bytes,3,opt,name=heartbeat\" json:\"heartbeat,omitempty\""; HttpStart *events.HttpStart "protobuf:\"bytes,4,opt,name=httpStart\" json:\"httpStart,omitempty\""; HttpStop *events.HttpStop "protobuf:\"bytes,5,opt,name=httpStop\" json:\"httpStop,omitempty\""; HttpStartStop *events.HttpStartStop "protobuf:\"bytes,7,opt,name=httpStartStop\" json:\"httpStartStop,omitempty\""; LogMessage *events.LogMessage "protobuf:\"bytes,8,opt,name=logMessage\" json:\"logMessage,omitempty\""; ValueMetric *events.ValueMetric "protobuf:\"bytes,9,opt,name=valueMetric\" json:\"valueMetric,omitempty\""; CounterEvent *events.CounterEvent "protobuf:\"bytes,10,opt,name=counterEvent\" json:\"counterEvent,omitempty\""; Error *events.Error "protobuf:\"bytes,11,opt,name=error\" json:\"error,omitempty\""; XXX_unrecognized []byte "json:\"-\"" } (in "github.com/cloudfoundry/noaa/events")
events/events.go:32: undefined: events.Envelope_ContainerMetric

Default doppler-endpoint is wrong.

➜  firehose-to-syslog git:(feature/48) ./firehose-to-syslog --api-address=https://api.dev.cf.domain.com --debug 
[2015-06-18 11:37:45.010513083 +0200 CEST] Starting firehose-to-syslog 0.1.2-dev 
[2015-06-18 11:37:45.607868905 +0200 CEST] Using wss://loggregator.dev.cf.domain.com:443 as doppler endpoint

This endpoint is not working to consume the firehose from, the default one should be wss://doppler.dev.cf.domain.com:443

Missing quotes

Hi you have missing quotes at line 4 at the EOL firehose-to-syslog/Docker/build.sh

events/caching/caching.go:63: multiple-value gcfClient.AppByGuid() in single-value context

Hello,

Should I be concerned about this error? How do I fix this?

bash-4.1$ ginkgo -r .
Failed to compile events:

github.com/cloudfoundry-community/firehose-to-syslog/caching

events/caching/caching.go:63: multiple-value gcfClient.AppByGuid() in single-value context
events/caching/caching.go:81: multiple-value gcfClient.ListApps() in single-value context

Ginkgo ran 1 suite in 4.549190889s
Test Suite Failed
bash-4.1$

firehose-to-syslog : Exception occurred! Message: Firehose Error! Details: Error dialing traffic controller server: Service Unavailable

We are trying to use firehose-to-syslog: https://github.com/cloudfoundry-community/firehose-to-syslog.
After pushing the application, we are getting following error:
Error message:
2016-06-17T15:24:17.000+00:00 [APP] ERR [2016-06-17 15:24:17.125829248 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Error dialing traffic controller server: Service Unavailable.
2016-06-17T15:24:17.000+00:00 [APP] ERR Please ask your Cloud Foundry Operator to check the platform configuration (traffic controller is wss://doppler.devcloudwest.xxxxx.com:443).
I got the Doppler server endpoint from system info.
System info:

cf curl /v2/info

{
........
"routing_endpoint": "https://api.devcloudwest.xxxxx.com/routing",
"logging_endpoint": "wss://loggregator.devcloudwest.xxxxx.com:443",
"doppler_logging_endpoint": "wss://doppler.devcloudwest.xxxxx.com:443",
"user": "20717dac-6773-4e66-9568-862b3df679be"
}
The env variables in manifest.yml are as follows:

API_ENDPOINT: https://api.devcloudwest.xxxxx.com
DOPPLER_ENDPOINT: wss://doppler.devcloudwest.xxxxx.com:443
......
SYSLOG_ENDPOINT: :1414

As I was not sure if I should put inside o: system s:app-manager, I have put the firehose-to-syslog app in a custom org/space.
Appreciate your quick help!

Cache does not properly fill during startup.

One of our environments has > 300 apps; during startup I see this in the log:

2015/05/06 11:24:32 Error unmarshaling app json: cannot unmarshal number into Go value of type string

and after the error is thrown there are only 20 cached apps.

non admin user

Hello,

What should I expect if I am using non-admin user?

I won't get admin user to test in my environment and I am not noticing any issues with non-admin user (except it dies @ ~2 hours)

I see your README says the following, but is 'Admin' user one of the options or the only option?
--user="admin" Admin user.
--password="admin" Admin password.

Thanks.

--version Show application version.

Hello,

Why do I have to provide this flag -api-endpoint to show the application version?

Doesn't work: (which I am expecting to work)
firehose-to-syslog --version
firehose-to-syslog: error: required flag --api-endpoint not provided, try --help

Do work:
firehose-to-syslog --api-endpoint="" --version
1.3.0 - 84c8757

Note1: Anyways, I don't have to provide a valid value to --api-endpoint flag, merely including the flag with empty values works.

Note2: I am aware that I can see the version info from --help-man page
firehose-to-syslog --help-man
.TH firehose-to-syslog 1 1.3.0 - 84c8757 ""

Note3: I do understand from the syntax of firehose-to-syslog, --api-endpoint is mandatory flag. But, to use the --help flag I don't have to provide empty/valid --api-endpoint flag. Why not have similar implementation for --version flag?

Thanks

Issues with cf_app_id for some events.

{"cf_app_id":{"low":307803602406404138,"high":12626693043313324730},"content_length":17,"event_type":4,"instance_id":"e5ca5558240d4b22b96be814e85732def449a6afc3374cf89876f32f95e576f5","instance_index":0,"level":"info","method":1,"msg":"","origin":"router__0","parent_request_id":{"low":3623130128173741517,"high":13739927289683842897},"peer_type":1,"remote_addr":"10.230.16.4:46853","request_id":{"low":17960694338432120122,"high":5986596037565401678},"start_timestamp":1427878953848040371,"status_code":200,"stop_timestamp":1427878953855930658,"time":"2015-04-01T11:02:33+02:00","uri":"super-secret.com","user_agent":"NING/1.0"}

I'm pretty sure "{"low":307803602406404138,"high":12626693043313324730}" is not a cf_app_id. :)
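An added example, not from the issue above or from the project's code: the dropsonde protocol packs a UUID little-endian into a low and a high 64-bit word, so a log consumer can turn the low/high objects in the event above back into canonical ID strings. The type and function names are assumptions.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// lowHigh mirrors the {"low":..,"high":..} object in the event above (hypothetical name).
type lowHigh struct {
	Low  *uint64 `json:"low"`
	High *uint64 `json:"high"`
}

// idFields are the fields that appear as low/high pairs in the event above.
var idFields = []string{"cf_app_id", "request_id", "parent_request_id"}

// NormalizeID returns the ID as a string, whether it arrived as a JSON
// string or as a low/high pair (low word first, each word little-endian).
func NormalizeID(raw json.RawMessage) (string, error) {
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return s, nil
	}
	var u lowHigh
	if err := json.Unmarshal(raw, &u); err != nil {
		return "", err
	}
	if u.Low == nil || u.High == nil {
		return "", errors.New("object lacks low or high")
	}
	var b [16]byte
	binary.LittleEndian.PutUint64(b[:8], *u.Low)
	binary.LittleEndian.PutUint64(b[8:], *u.High)
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// NormalizeEvent rewrites every ID field of one JSON event line to string form.
// Other fields are not decoded, so large integers keep full precision.
func NormalizeEvent(line []byte) ([]byte, error) {
	var ev map[string]json.RawMessage
	if err := json.Unmarshal(line, &ev); err != nil {
		return nil, err
	}
	for _, key := range idFields {
		raw, ok := ev[key]
		if !ok {
			continue
		}
		id, err := NormalizeID(raw)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		ev[key], _ = json.Marshal(id)
	}
	return json.Marshal(ev)
}

func main() {
	// Shortened copy of the event quoted in the issue above.
	line := []byte(`{"cf_app_id":{"low":307803602406404138,"high":12626693043313324730},"event_type":4,"status_code":200}`)
	out, err := NormalizeEvent(line)
	fmt.Println(string(out), err)
}
```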

invalid_token","error_description":"Invalid refresh token (expired)

We have seen the error messages in the logs of firehose-nozzle application until we restart the application. Until the restart, it stopped sending logs to syslog servers. It looks like it is failing to re-authenticate with uaa server and get a new token.

Logs:

ERR Response: {"error":"invalid_token","error_description":"Invalid refresh token (expired): [token removed] expired at Wed Dec 30 20:48:44 UTC 2015"}

Rejected Event Name [Heartbeat]

Hello,

--version 1.3.0 - 84c8757

https://github.com/cloudfoundry-community/firehose-to-syslog/blob/develop/README.md says
--events="LogMessage"
Comma seperated list of events you would like. Valid options are LogMessage, ValueMetric, CounterEvent, Error, ContainerMetric, Heartbeat, HttpStart, HttpStop, HttpStartStop

But, when I tried one of the above listed value "Heartbeat", it throws the following error:
2016/03/18 23:11:15 Error setting up event routing: Rejected Event Name [Heartbeat] - Valid events: HttpStart, HttpStop, HttpStartStop, LogMessage, ValueMetric, CounterEvent, Error, ContainerMetric

Note1: When I looked at the dropsonde protocol documentation, looks like "Heartbeat" has been removed. I could see rest of events listed there.

Note2: firehose-to-syslog help && "Rejected Event" error message has to be synced. Also, the order can be matched for easy comparison. They aren't in same order now:
=HttpStart, HttpStop, HttpStartStop, LogMessage, ValueMetric, CounterEvent, Error, ContainerMetric
=HttpStop, HttpStartStop, LogMessage, ValueMetric, CounterEvent, Error, ContainerMetric, HttpStart

Thanks

"Invalid authorization" after pushing the app

Hi,

We downloaded the latest build (so far) and followed the steps to create a doppler.firehose enabled user to push as an app to Cloud Foundry.

However the app keeps on crashing with the following errors in the logs:

17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.380748386 +0000 UTC] Starting firehose-to-syslog 1.3.0 - 84c8757
2016-03-17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.580148655 +0000 UTC] Using wss://doppler.system.cf55.fbdldomain.local:443 as doppler endpoint
2016-03-17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.580298085 +0000 UTC] Setting up event routing!
2016-03-17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.622523282 +0000 UTC] Start filling app/space/org cache.
2016-03-17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.961634621 +0000 UTC] Done filling cache! Found [13] Apps
2016-03-17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.963057604 +0000 UTC] Connected to Syslog Server! Connecting to Firehose...
2016-03-17T09:52:47.000+00:00 [APP] OUT [2016-03-17 09:52:47.963148581 +0000 UTC] Firehose Subscription Succesfull! Routing events...
2016-03-17T09:52:48.000+00:00 [APP] ERR [2016-03-17 09:52:48.019280402 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
2016-03-17T09:52:48.000+00:00 [APP] ERR [2016-03-17 09:52:48.573200649 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
2016-03-17T09:52:49.000+00:00 [APP] ERR [2016-03-17 09:52:49.126156624 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
2016-03-17T09:52:49.000+00:00 [APP] ERR [2016-03-17 09:52:49.676930719 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
2016-03-17T09:52:50.000+00:00 [APP] ERR [2016-03-17 09:52:50.220484655 +0000 UTC] Exception occurred! Message: Firehose Error! Details: Unauthorized error: You are not authorized. Error: Invalid authorization
2016-03-17T09:52:50.000+00:00 [APP] OUT Exit status 0
2016-03-17T09:52:50.000+00:00 [CELL] OUT Exit status 0

I think I've enabled the user with proper permission and ensured the password is correct. Are there any steps I've missed or misconfigured?

Thanks!
Silvester

If firehose fails or goes down, will log messages be lost during that downtime.

Recently we were seeing Invalid Refresh token error, which had caused no logs in our log aggregation tool.

When we restarted the firehose app, it refreshed the token and started sending the logs again. So does it mean that we have lost all logs for the apps during this failure, or is there a way to recover them?

Can someone please explain this behavior?

source_instance is always 0 for RTR LogMessages

Given an app with 3 instances:

$ cf a
Getting apps in org system / space test as admin...
OK

name        requested state   instances   memory   disk   urls   
cf-env      started           3/3         128M     1G     cf-env.apps.54.183.203.97.xip.io   

Making 3 different requests to the app (and confirming via the browser output that each request goes to a different cf-instance)

The RTR logs forwarded to syslog always have "source_instance":"0",

{"cf_app_id":"abfc9a95-d20c-44bb-9771-4aba27856843","level":"info","message_type":"OUT","msg":"cf-env.apps.54.183.203.97.xip.io - [04/04/2015:08:24:34 +0000] \"GET / HTTP/1.1\" 200 4283 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36\" 10.10.2.6:50837 x_forwarded_for:\"80.229.7.108, 10.10.2.6\" vcap_request_id:65583092-4d22-4de1-74e8-da86c9056be7 response_time:0.010811226 app_id:abfc9a95-d20c-44bb-9771-4aba27856843\n","source_instance":"0","source_type":"RTR","time":"2015-04-04T08:24:32Z"}
{"cf_app_id":"abfc9a95-d20c-44bb-9771-4aba27856843","level":"info","message_type":"ERR","msg":"80.229.7.108, 10.10.2.6 - - [04/Apr/2015 08:24:38] \"GET / HTTP/1.1\" 200 4344 0.0034","source_instance":"0","source_type":"App","time":"2015-04-04T08:24:35Z"}
{"cf_app_id":"abfc9a95-d20c-44bb-9771-4aba27856843","level":"info","message_type":"OUT","msg":"cf-env.apps.54.183.203.97.xip.io - [04/04/2015:08:24:37 +0000] \"GET / HTTP/1.1\" 200 4344 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36\" 10.10.2.6:50837 x_forwarded_for:\"80.229.7.108, 10.10.2.6\" vcap_request_id:b6b1938d-0677-4b41-76ec-79818acdfb61 response_time:0.018241253 app_id:abfc9a95-d20c-44bb-9771-4aba27856843\n","source_instance":"0","source_type":"RTR","time":"2015-04-04T08:24:35Z"}
{"cf_app_id":"abfc9a95-d20c-44bb-9771-4aba27856843","level":"info","message_type":"ERR","msg":"80.229.7.108, 10.10.2.6 - - [04/Apr/2015 08:24:40] \"GET / HTTP/1.1\" 200 4344 0.0106","source_instance":"1","source_type":"App","time":"2015-04-04T08:24:37Z"}
{"cf_app_id":"abfc9a95-d20c-44bb-9771-4aba27856843","level":"info","message_type":"OUT","msg":"cf-env.apps.54.183.203.97.xip.io - [04/04/2015:08:24:39 +0000] \"GET / HTTP/1.1\" 200 4344 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36\" 10.10.2.6:50837 x_forwarded_for:\"80.229.7.108, 10.10.2.6\" vcap_request_id:d8623d66-2b91-4e64-4662-0b09c2621d49 response_time:0.017076269 app_id:abfc9a95-d20c-44bb-9771-4aba27856843\n","source_instance":"0","source_type":"RTR","time":"2015-04-04T08:24:37Z"}

It seems that the source_instance changes for other message_types - eg "source_type":"App"

Shouldn't we be seeing multiple source_instances for the RTR logs too?

How do I enable webproxy?

Hello,
I am trying to connect to PCF which is outside my organization. firehose-to-syslog nozzle is setup in my company VM (RHEL server). I need webproxy to connect to public URIs. How do I enable webproxy?
Thanks.
