fluent-plugin-secure-forward's Introduction

fluent-plugin-secure-forward

Fluentd input/output plugin to forward fluentd messages over SSL with authentication.

Plugin status

NOTE: This plugin will not be updated anymore.

Fluentd v0.14.12 supports event forwarding via encrypted network communication. Use that feature instead of using this plugin.

Overview

This plugin lets you:

  • protect your data in transit with SSL
    • with certificates signed by a public CA and registered correctly
    • with private CA certificates generated by users
    • with automatically generated, self-signed certificates (a vulnerable mode)
  • authenticate with a shared_key check on both the client (out_secure_forward) and the server (in_secure_forward)
  • authenticate with username / password pairs

Installation

Install with the gem or fluent-gem command:

 ### native gem
$ gem install fluent-plugin-secure-forward
 
 ### fluentd gem
$ fluent-gem install fluent-plugin-secure-forward

Using SSL certificates issued from trusted CA

To communicate over SSL with a valid certificate issued by a public CA, configure the parameters below for the input plugin:

  • secure: set yes or true
  • cert_path: path of the certificate file issued by the CA
  • private_key_path: path of the private key file
  • private_key_passphrase: passphrase of the private key

<source>
  @type secure_forward
  
  # bind 0.0.0.0 # default
  # port 24284 # default
  self_hostname server.fqdn.example.com
  shared_key    secret_string
  
  secure yes
  
  cert_path        /path/for/certificate/cert.pem
  private_key_path /path/for/certificate/key.pem
  private_key_passphrase secret_foo_bar_baz
</source>

For the output plugin, specify just the 2 options below:

  • secure: set yes or true
  • enable_strict_verification: specify yes or true to verify the FQDN of servers (input plugin)

<match secret.data.**>
  @type secure_forward
  
  self_hostname client.fqdn.local
  shared_key    secret_string
  
  secure yes
  enable_strict_verification yes
  
  <server>
    host server.fqdn.example.com  # or IP
    # port 24284
  </server>
  <server>
    host 203.0.113.8 # ip address to connect
    hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
  </server>
</match>

Using private CA file and key

This plugin has a simple utility command to generate private CA cert/key files just for secure-forward.

$ secure-forward-ca-generate /path/for/dir/of/certs "passphrase for private CA secret key"

This command generates ca_cert.pem and ca_key.pem in /path/for/dir/of/certs. For SSL communication with a private CA, deploy both files to the input plugins and deploy ca_cert.pem to the output plugins. Then configure Fluentd with these files and the passphrase. With this configuration, server certificates are automatically generated and issued by the private CA.

<source>
  @type secure_forward
  
  # bind 0.0.0.0 # default
  # port 24284 # default
  self_hostname myserver.local
  shared_key    secret_string
  
  secure yes
  
  ca_cert_path        /path/for/certificate/ca_cert.pem
  ca_private_key_path /path/for/certificate/ca_key.pem
  ca_private_key_passphrase passphrase for private CA secret key
</source>

For the output plugin, specify just the 2 options below:

  • secure: set yes or true
  • enable_strict_verification: specify yes or true

<match secret.data.**>
  @type secure_forward
  
  self_hostname myclient.local
  shared_key    secret_string
  
  secure yes
  ca_cert_path /path/for/certificate/ca_cert.pem
  # enable_strict_verification yes
  
  <server>
    host server.fqdn.example.com  # or IP
    # port 24284
  </server>
  <server>
    host 203.0.113.8 # ip address to connect
    hostlabel server.fqdn.example.com # specify hostlabel for FQDN verification if ipaddress is used for host
  </server>
</match>

Using insecure self-signed certificates

This is very dangerous and vulnerable to man-in-the-middle attacks.

For testing only, or for communication inside a data center, this plugin can communicate without any verification of certificates. Set the secure option to false to use this feature.

<source>
  @type secure_forward
  
  self_hostname myserver.local
  shared_key    secret_string
  
  secure no
</source>

Configure the output plugin the same way:

<match data.**>
  @type secure_forward
  
  self_hostname myclient.local
  shared_key    secret_string
  
  secure no
  
  <server>
    host server.fqdn.example.com  # or IP
  </server>
</match>

In this mode, the output plugin cannot verify the peer node of a connection. Man-in-the-middle attackers can spoof messages from output plugins in many situations.

Configuration

SecureForwardInput

Default settings:

  • listen 0.0.0.0:24284
    • bind 192.168.0.101
    • port 24284
  • accept connections from any source
  • allow connections without authentication
  • use an automatically generated certificate
    • generate_private_key_length 2048
    • generate_cert_country US
    • generate_cert_state CA
    • generate_cert_locality Mountain View
    • generate_cert_common_name SAME_WITH_SELF_HOSTNAME_PARAMETER
  • use TLSv1.2

A minimal configuration looks like this:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
  
  secure yes
  # and configurations for certs
</source>

To check the username/password sent by clients:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  
  secure yes
  # and configurations for certs
  
  authentication     yes # Deny clients without valid username/password
  <user>
    username tagomoris
    password foobar012
  </user>
  <user>
    username frsyuki
    password yakiniku
  </user>
</source>

To deny unknown source IP/hosts:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  
  secure yes
  # and configurations for certs
  
  allow_anonymous_source no  # Allow to accept from nodes of <client>
  <client>
    host 192.168.10.30
  </client>
  <client>
    host your.host.fqdn.local
    # wildcard (ex: *.host.fqdn.local) NOT Supported now
  </client>
  <client>
    network 192.168.16.0/24 # network address specification
  </client>
</source>

You can use both the username/password check and the client check:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  
  secure yes
  # and configurations for certs
  
  allow_anonymous_source no  # Allow to accept from nodes of <client>
  authentication         yes # Deny clients without valid username/password
  <user>
    username tagomoris
    password foobar012
  </user>
  <user>
    username frsyuki
    password sukiyaki
  </user>
  <user>
    username repeatedly
    password sushi
  </user>
  <client>
    host 192.168.10.30      # allow all users to connect from 192.168.10.30
  </client>
  <client>
    host  192.168.10.31
    users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
  </client>
  <client>
    host 192.168.10.32
    shared_key less_secret_string # limited shared_key for 192.168.10.32
    users      repeatedly         # and repeatedly only
  </client>
</source>

SecureForwardOutput

A minimal configuration looks like this:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  
  secure yes
  # and configurations for certs/verification
  
  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

Without a hostname ACL (which is not implemented yet), self_hostname is not checked at any stage. The ${hostname} placeholder is available for such cases.

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname ${hostname}
  
  secure yes
  # and configurations for certs/verification
  
  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

When 2 or more <server> sections are specified, this plugin uses these nodes in simple round-robin order. Servers with standby yes are selected only once all non-standby servers have gone down.

If the server requires a username/password, set username and password in the <server> section:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  
  secure yes
  # and configurations for certs/verification
  
  <server>
    host      first.fqdn.local
    hostlabel server.fqdn.local
    username  repeatedly
    password  sushi
  </server>
  <server>
    host      second.fqdn.local
    hostlabel server.fqdn.local
    username  sasatatsu
    password  karaage
  </server>
  <server>
    host      standby.fqdn.local
    hostlabel server.fqdn.local
    username  kzk
    password  hawaii
    standby   yes
  </server>
</match>

Specify hostlabel if the server (in_forward) has a hostname (the self_hostname configuration of in_forward) that differs from its DNS name (first.fqdn.local, second.fqdn.local or standby.fqdn.local). This configuration variable is used to check the common name (CN) of certificates.
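
How chain validation and the CN check against host or hostlabel fit together, as an added Ruby example (not the plugin's own code). It models the check with Ruby's OpenSSL library; the function names, result symbols and the constructed CA and server certificates are assumptions made for illustration.

```ruby
require 'openssl'

# Build a certificate with subject CN=cn. With no issuer it is a self-signed CA;
# otherwise it is a server certificate issued by issuer_cert/issuer_key.
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil)
  ca = issuer_cert.nil?
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = ca ? cert.subject : issuer_cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca ? cert : issuer_cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(ca ? key : issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Name the client compares with the certificate: hostlabel when given, else host.
def name_to_verify(server)
  server[:hostlabel] || server[:host]
end

# Step 1: the certificate must chain to the CA file the client trusts (ca_cert_path).
# Step 2 (strict only): the certificate CN must match the expected server name.
def verify_server(server_cert, ca_cert, server, strict)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  return :untrusted_chain unless store.verify(server_cert)
  return :chain_only unless strict
  if OpenSSL::SSL.verify_certificate_identity(server_cert, name_to_verify(server))
    :ok
  else
    :name_mismatch
  end
end

# Constructed sample: a private CA, a server certificate whose CN is the server's
# self_hostname, and an unrelated CA the server certificate was not issued by.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('Private CA (constructed)', ca_key)
  srv_cert = make_cert('server.fqdn.example.com', OpenSSL::PKey::RSA.new(2048), ca_cert, ca_key)
  other_ca = make_cert('Other CA (constructed)', OpenSSL::PKey::RSA.new(2048))

  by_name  = { host: 'server.fqdn.example.com' }
  by_ip    = { host: '203.0.113.8' }
  by_label = { host: '203.0.113.8', hostlabel: 'server.fqdn.example.com' }
  {
    by_name:              verify_server(srv_cert, ca_cert, by_name, true),
    by_ip:                verify_server(srv_cert, ca_cert, by_ip, true),
    by_ip_with_hostlabel: verify_server(srv_cert, ca_cert, by_label, true),
    by_ip_not_strict:     verify_server(srv_cert, ca_cert, by_ip, false),
    other_ca:             verify_server(srv_cert, other_ca, by_name, false)
  }
end

demo.each { |name, result| puts "#{name}: #{result}" } if __FILE__ == $PROGRAM_NAME
```

In this model, connecting by IP address passes the name check only when hostlabel carries the certificate's CN, and a certificate from a CA the client does not trust is rejected before any name check takes place.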

To specify a keepalive timeout, set keepalive in seconds. With the configuration below, the SSL connection is disconnected and re-established every hour. By default (and with keepalive 0), connections are not disconnected unless a communication problem occurs. (This feature is for DNS name updates and SSL common key refreshing.)

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local
  
  secure yes
  # and configurations for certs/verification
  
  keepalive 3600
  <server>
    host server.fqdn.local  # or IP
    # port 24284
  </server>
</match>

If you connect via a proxy, set proxy_uri in the <server> section:

<match secret.data.**>
  @type secure_forward
  shared_key secret_string
  self_hostname client.fqdn.local

  secure yes
  # and configurations for certs/verification

  <server>
    host server.fqdn.local  # or IP
    # port 24284
    proxy_uri http://foo.bar.local:3128
  </server>
</match>

Scenario (developer document)

  • server
    • in_secure_forward
  • client
    • out_secure_forward

Handshake

  1. (client) connect to server
    • on SSL socket handshake, checks certificate and its signature (in client)
  2. (server)
    • check network/domain acl (if enabled)
    • check client dns reverse lookup result (if enabled)
    • disconnect when failed
  3. (server) send HELO
    • ['HELO', options(hash)]
    • options:
      • nonce: string as nonce: used for shared key digest (required, v0.3.2 or later)
      • auth: string or blank_string (string: authentication required, and its salt is this value)
      • keepalive: bool (allowed or not)
  4. (client) send PING
    • ['PING', selfhostname, sharedkey_salt, sha512_hex(sharedkey_salt + selfhostname + nonce + sharedkey), username || '', sha512_hex(auth_salt + username + password) || '']
  5. (server) check PING
    • check sharedkey
    • check username / password (if required)
    • send PONG FAILURE if failed
    • ['PONG', false, 'reason of authentication failure', '', '']
  6. (server) send PONG
    • ['PONG', bool(authentication result), 'reason if authentication failed', selfhostname, sha512_hex(salt + selfhostname + nonce + sharedkey)]
  7. (client) check PONG
    • check sharedkey
    • disconnect when failed
  8. connection established
    • send data from client (until keepalive expiration)
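
The HELO/PING/PONG digest exchange listed above, modelled in Ruby as an added example (not the plugin's own code). The helper names, failure reason strings and sample hostnames are assumptions, as is the choice that the PONG digest reuses the client's sharedkey_salt; the page only calls it salt.

```ruby
require 'digest'
require 'securerandom'

SERVER_HOSTNAME = 'server.fqdn.local' # self_hostname of the input side (sample value)

def sha512_hex(*parts)
  Digest::SHA512.hexdigest(parts.join)
end

# Compare two digests without stopping at the first differing byte.
def secure_equal?(a, b)
  a = a.to_s
  b = b.to_s
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# (server) HELO: a fresh nonce per connection; 'auth' carries a salt only when
# username/password authentication is required, otherwise a blank string.
def build_helo(auth_required)
  ['HELO', { 'nonce' => SecureRandom.hex(16),
             'auth' => auth_required ? SecureRandom.hex(16) : '',
             'keepalive' => true }]
end

# (client) PING: proves knowledge of shared_key and password without sending either.
def build_ping(helo, self_hostname, shared_key, username = '', password = '')
  opts = helo[1]
  salt = SecureRandom.hex(16)
  auth = !opts['auth'].empty?
  ['PING', self_hostname, salt,
   sha512_hex(salt, self_hostname, opts['nonce'], shared_key),
   auth ? username : '',
   auth ? sha512_hex(opts['auth'], username, password) : '']
end

def pong_failure(reason)
  ['PONG', false, reason, '', '']
end

# (server) check PING against this connection's HELO, then answer with PONG.
def check_ping(ping, helo, shared_key, users = {})
  valid_shape = ping.is_a?(Array) && ping.size == 6 && ping[0] == 'PING'
  return pong_failure('invalid ping message') unless valid_shape
  _, client_host, salt, key_digest, username, pw_digest = ping
  opts = helo[1]
  expected = sha512_hex(salt, client_host, opts['nonce'], shared_key)
  return pong_failure('shared_key mismatch') unless secure_equal?(expected, key_digest)
  unless opts['auth'].empty?
    password = users[username]
    valid = password && secure_equal?(sha512_hex(opts['auth'], username, password), pw_digest)
    return pong_failure('username/password mismatch') unless valid
  end
  ['PONG', true, '', SERVER_HOSTNAME,
   sha512_hex(salt, SERVER_HOSTNAME, opts['nonce'], shared_key)]
end

# (client) check PONG: the server must prove that it knows shared_key as well.
def check_pong(pong, helo, ping, shared_key)
  _, ok, reason, server_host, digest = pong
  return [false, reason] unless ok
  expected = sha512_hex(ping[2], server_host, helo[1]['nonce'], shared_key)
  secure_equal?(expected, digest) ? [true, ''] : [false, 'shared_key mismatch']
end

# Run steps 3 to 7 once with the given client-side and server-side settings.
def handshake(client_key, server_key, auth_required: false, users: {}, username: '', password: '')
  helo = build_helo(auth_required)
  ping = build_ping(helo, 'client.fqdn.local', client_key, username, password)
  pong = check_ping(ping, helo, server_key, users)
  check_pong(pong, helo, ping, client_key)
end

if __FILE__ == $PROGRAM_NAME
  p handshake('secret_string', 'secret_string')
  p handshake('other_string', 'secret_string')
end
```

Because the digest covers the per-connection nonce from HELO, a PING recorded on one connection does not verify against the HELO of another, which is why the nonce option is marked required.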

Data transferring

CONSIDER RETURN ACK OR NOT

  • Current version has no ACKs
    • only supports burst transferring (same as ForwardInput/Output)
  • ack for each message ?
  • pipeline mode and one-by-one mode ?
  • data sequence number in keepalive session ?

TODO

  • ACK mode (protocol)
  • support disabling keepalive (input/output)
  • access control (input plugin)
    • network acl / domain acl
    • check connecting source ip and its dns reverse lookup result (for domain acl)
    • access deny on accept (against DoS)
  • pluggable authentication database (input plugin)
    • RDBMS, LDAP, or ...
    • Authentication by clients certificate
  • TESTS!

Copyright

  • Copyright (c) 2013- TAGOMORI Satoshi (tagomoris)
  • License
    • Apache License, Version 2.0

fluent-plugin-secure-forward's People

Contributors

cosmo0920, kentaro, kiyoto, okkez, osamingo, repeatedly, tagomoris, xthexder

fluent-plugin-secure-forward's Issues

Private certs and SSL verify issue

Problem

I have a fluentd forwarder/client talking to a fluentd aggregator via SSL. I rolled my own certs and I want to disable SSL verification. I therefore set "enable_strict_verification" to "no" in the config (see config snippets below), but the node still fails to connect to the aggregator, with the following error:

2017-02-08 11:56:06 +0000 [warn]: failed to establish SSL connection error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed> host="" address="" port=24284

System info

root@fluentd-client001:/home/ubuntu# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

root@fluentd-client001:/home/ubuntu# sudo apt-cache policy td-agent
td-agent:
Installed: 2.3.4-0
Candidate: 2.3.4-0
Version table:
*** 2.3.4-0 500
500 http://packages.treasuredata.com/2/ubuntu/xenial xenial/contrib amd64 Packages
100 /var/lib/dpkg/status

root@fluentd-client001:/home/ubuntu# /opt/td-agent/embedded/bin/fluent-gem list | grep fluent-plugin-secure-forward
fluent-plugin-secure-forward (0.4.3)
root@fluentd-client001:/home/ubuntu#

Configs

Forwarder

# Log Forwarding
<match *.**>
  @type secure_forward
  shared_key <REDACTED>
  flush_interval 60s
  self_hostname fluentd-client001
  secure yes
  enable_strict_verification no  # I want to use my own certs 
  ca_cert_path /etc/ssl/td-agent/td-agent.pem

  <server>
    host <REDACTED>
    port 24284
    hostlabel logs001.uswest2.stackstorm.net
  </server>
</match>

Aggregator

# Listen to incoming data over SSL
<source>
  type secure_forward
  shared_key <REDACTED>
  self_hostname localhost
  secure yes
  ca_cert_path /etc/ssl/td-agent/td-agent.pem
  ca_private_key_path /etc/ssl/td-agent/td-agent.key
  bind <REDACTED>
</source>

MessagePack::UnknownExtTypeError, there is not time_as_integer to set

@tagomoris we are hitting error_class=MessagePack::UnknownExtTypeError error="unexpected extension type" in the secure forward plugin, and due to this our setup is breaking; a buffer overflow even occurs because fluentd is not able to flush the buffer. I see this error on the receiving end (aggregator side).
I tried putting time_as_integer true, but as expected it's not in the code, so it has no effect.
Please help.

History: we haven't had this issue before; only after we got the 'invalid byte in UTF8' error and tried to fix that did we see this error.

Information below:
Logs at aggregator:

'''

2018-03-27 05:54:28 +0000 [error]: #0 failed to emit fluentd's log event tag="fluent.warn" event={"error_class"=>"Fluent::Plugin::Buffer::BufferOverflowError", "error"=>"#<Fluent::Plugin::Buffer::BufferOverflowError: buffer space has too many data>", "message"=>"unexpected error in in_secure_forward from x.x.x.x:2067 error_class=Fluent::Plugin::Buffer::BufferOverflowError error=#<Fluent::Plugin::Buffer::BufferOverflowError: buffer space has too many data>"} error_class=Fluent::Plugin::Buffer::BufferOverflowError error="buffer space has too many data"
2018-03-27 05:54:34 +0000 [warn]: #0 emit transaction failed: error_class=MessagePack::UnknownExtTypeError error="unexpected extension type" location="/opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-1.1.2/lib/fluent/event.rb:237:in `feed_each'" tag=""
2018-03-27 05:54:34 +0000 [warn]: #0 unexpected error in in_secure_forward from x.x.x.x:2003 error_class=MessagePack::UnknownExtTypeError error=#<MessagePack::UnknownExtTypeError: unexpected extension type>
2018-03-27 05:54:34 +0000 [error]: #0 failed to emit fluentd's log event tag="fluent.warn" event={"error"=>"#<MessagePack::UnknownExtTypeError: unexpected extension type>", "location"=>"/opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-1.1.2/lib/fluent/event.rb:237:in `feed_each'", "tag"=>"", "message"=>"emit transaction failed: error_class=MessagePack::UnknownExtTypeError error="unexpected extension type" location="/opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-1.1.2/lib/fluent/event.rb:237:in `feed_each'" tag="""} error_class=Fluent::Plugin::Buffer::BufferOverflowError error="buffer space has too many data"
2018-03-27 05:54:34 +0000 [error]: #0 failed to emit fluentd's log event tag="fluent.warn" event={"error_class"=>"MessagePack::UnknownExtTypeError", "error"=>"#<MessagePack::UnknownExtTypeError: unexpected extension type>", "message"=>"unexpected error in in_secure_forward from x.x.x.x:2003 error_class=MessagePack::UnknownExtTypeError error=#<MessagePack::UnknownExtTypeError: unexpected extension type>"} error_class=Fluent::Plugin::Buffer::BufferOverflowError error="buffer space has too many data"
2018-03-27 05:54:37 +0000 [warn]: #0 unexpected error in in_secure_forward from x.x.x.x:2068 error_class=Fluent::Plugin::Buffer::BufferOverflowError error=#<Fluent::Plugin::Buffer::BufferOverflowError: buffer space has too many data>
2018-03-27 05:54:37 +0000 [error]: #0 failed to emit fluentd's log event tag="fluent.warn" event={"error_class"=>"Fluent::Plugin::Buffer::BufferOverflowError", "error"=>"#<Fluent::Plugin::Buffer::BufferOverflowError: buffer space has too many data>", "message"=>"unexpected error in in_secure_forward from x.x.x.x:2068 error_class=Fluent::Plugin::Buffer::BufferOverflowError error=#<Fluent::Plugin::Buffer::BufferOverflowError: buffer space has too many data>"} error_class=Fluent::Plugin::Buffer::BufferOverflowError error="buffer space has too many data"
'''
Forwarder config: Running inside docker container
version: /usr/local/bin/fluentd --version
fluentd 1.1.2

Aggregator config:
version: $ /usr/sbin/td-agent --version
td-agent 1.1.2

Attached conf files, let me know if you need more details.
aggregator_conf.txt
forwarder_conf.txt

Using CRT file instead of PEM

Hi,

Can a CRT certificate file be used instead of a PEM file for secure transfer of logs?

If yes, how? When I use it, it shows the error "failed to load CA cert file".

Thanks.

fluentd dies when a connection is reset.

Hi,

OpenSSL::Buffering#read_nonblock(called at output_node.rb:314) raises Errno::ECONNRESET when a connection is reset by peer unexpectedly, and then fluentd dies. I think the SystemCallError should be rescued in SecureForwardOutput::Node#connect.

SSL from windows

Hi,

Is it possible to transfer logs to this plugin from Windows?

Use case: I have a fluent server setup with secure-forward as the input and I'm trying to hook up my windows machines to it.

The official documentation mentions using nxlogs instead since v10 "doesn't support windows anymore", but its om_ssl module doesn't look like it supports any way of providing a shared key.

Are there any workarounds possible here? I haven't looked at the plugin's code, but is there a way to get rid of the shared key entirely? Would that let 3rd parties such as nxlogs send logs to fluentd's SSL input?

Not entirely related, but I just stumbled across a few locations where it mentions fluent v0.14 supports windows again, but I can't find any download links?

EDIT: Also, I guess I wouldn't mind installing an old version of fluent that supports windows if it can handle this plugin... but again, I can't find any download links anywhere.

out_secure_forward blocks when the receiver node restarts

Consider the following setup with td-agent 2.1 + secure_forward v0.2.0

 -------------------------      ----------------------------
|(A) secure forward sender| -->|(B) secure forward receiver |
 -------------------------      ----------------------------

(A)'s td-agent.conf looks like this:

<source>
  type forward
</source>
<match secure.**>
  type secure_forward
  shared_key SHARED_KEY
  self_hostname ${hostname}
  <server>
    host HOST_IP
    port 24284
  </server>
</match>

and (B)'s td-agent.conf looks like this:

<source>
  type secure_forward
  shared_key 13ihudfwuh123ji
  self_hostname server.fqdn.local
  cert_auto_generate yes
</source>
<match secure.**>
  type stdout
</match>

Suppose both (A) and (B) are running. When (B) is restarted, (A) gets stuck trying to reconnect to (B).

See here for (A)'s td-agent.log as well as sigdump output.

I could reproduce this issue with CentOS 6 for (A) and Ubuntu 12.04 for (B), but the same problem has been reported with CentOS -> CentOS as well. See this thread on the mailing list.

no one nodes with valid ssl session

Hello,
I have configured 3 sessions per system (there are 13 systems). I am randomly getting the error in the subject. The error occurs on one of the sessions (configured match) while the other two are perfectly fine.
Restarting does not work, I must kill -9 to get it to stop.
Once started the buffers on disk are loaded and sent.
I have included the log entries below. I am running 0.2.6 and using td-agent-2.2.0 which uses ruby 2.1.5p273

Any suggestions?

2015-04-07 14:35:12 +0000 [trace]: plugin/out_secure_forward.rb:139:block in node_watcher: in node health watcher
2015-04-07 14:35:12 +0000 [trace]: plugin/out_secure_forward.rb:142:block (2 levels) in node_watcher: node health watcher for lumberjack.advidi.com
2015-04-07 14:35:13 +0000 [trace]: plugin/out_secure_forward.rb:218:write_objects: selected node host="lumberjack.advidi.com" port=24284 standby=false
2015-04-07 14:35:15 +0000 [warn]: fluent/output.rb:354:rescue in try_flush: temporarily failed to flush the buffer. next_retry=2015-04-07 14:51:37 +0000 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="campaign_secure_tracking_clicks"
2015-04-07 14:35:15 +0000 [warn]: suppressed same stacktrace

td-agent not recognizing plugin

Hello,
I installed the plugin using sudo td-agent-gem install fluent-plugin-secure-forward. However, when I run it, I get this issue: #0 config error file="/etc/td-agent/td-agent.conf" error_class=Fluent::ConfigError error="Unknown input plugin 'secure_forward'. Run 'gem search -rd fluent-plugin' to find plugins"

Any clue? Thanks!

DNS round robin support

The out_forward plugin has support for DNS round robin selection of destination servers. It would be nice if out_secure_forward supported this as well.

EPIPE Exception causes detached connection state which never get re-connected by node watcher.

Warn level errors show in the log when this error condition initially occurs. The node watcher has no logic relating to the detached? state and therefore never attempts to reconnect the session.

2015-02-11 08:31:33 -0600 [warn]: temporarily failed to flush the buffer. next_retry=2015-02-11 08:31:34 -0600 error_class="Errno::EPIPE" error="Broken pipe" plugin_id="object:3faf4f80bb80"
2015-02-11 08:31:33 -0600 [warn]: Failed to send messages to ingest.data.goldenfrog.com, parging. error_class=Errno::EPIPE error=#<Errno::EPIPE: Broken pipe>

These errors are then followed by a series of failures sending, and ultimately it appears that fluentd stops trying to send and we lose events as they are pruned out based on retry rules.

I have submitted a pull request with changes that address this issue: #13

Problem with dead connection

Hi,

I have a problem with the plugin :

Forwarder :

2015-04-07 17:37:25 +0200 [info]: starting fluentd-0.12.7
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-mixin-config-placeholders' version '0.3.0'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-mixin-plaintextformatter' version '0.2.6'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-mongo' version '0.7.8'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-parser' version '0.4.1'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-record-reformer' version '0.5.0'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '1.5.1'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '1.4.1'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-s3' version '0.5.7'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-scribe' version '0.10.14'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-secure-forward' version '0.2.6'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-td' version '0.10.26'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-td-monitoring' version '0.2.0'
2015-04-07 17:37:26 +0200 [info]: gem 'fluent-plugin-webhdfs' version '0.4.1'
2015-04-07 17:37:26 +0200 [info]: gem 'fluentd' version '0.12.7'
2015-04-07 17:37:26 +0200 [info]: using configuration file: <ROOT>
  <source>
    type tail
    path /var/log/syslog
    pos_file /var/log/td-agent/syslog.pos
    format none
    tag syslog
  </source>
  <match reformered.**>
    type secure_forward
    self_hostname ${hostname}
    shared_key hogeposxxx0
    keepalive 300
    buffer_type memory
    buffer_chunk_limit 256m
    buffer_queue_limit 128
    flush_interval 5s
    disable_retry_limit true
    retry_wait 30s
    <server>
      host aggregator.toto.lan
      port 282525
    </server>
  </match>
  <match **>
    type record_reformer
    hostname ${hostname}
    tag reformered.${tag}
  </match>
</ROOT>
2015-04-07 17:37:26 +0200 [info]: adding match pattern="reformered.**" type="secure_forward"
2015-04-07 17:37:11 +0200 [info]: adding match pattern="**" type="record_reformer"
2015-04-07 17:37:12 +0200 [info]: adding source type="tail"
2015-04-07 17:37:12 +0200 [info]: following tail of /var/log/syslog
2015-04-07 17:37:17 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:37:18 +0200 [warn]: temporarily failed to flush the buffer. next_retry=2015-04-07 17:37:50 +0200 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="object:3b111da080d4"
  2015-04-07 17:37:18 +0200 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-secure-forward-0.2.6/lib/fluent/plugin/out_secure_forward.rb:216:in `write_objects'
  2015-04-07 17:37:18 +0200 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:463:in `write'
  2015-04-07 17:37:18 +0200 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/buffer.rb:325:in `write_chunk'
  2015-04-07 17:37:18 +0200 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/buffer.rb:304:in `pop'
  2015-04-07 17:37:18 +0200 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:321:in `try_flush'
  2015-04-07 17:37:18 +0200 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:140:in `run
2015-04-07 17:37:32 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:37:47 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:37:51 +0200 [warn]: temporarily failed to flush the buffer. next_retry=2015-04-07 17:38:53 +0200 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="object:3b111da080d4"
  2015-04-07 17:37:51 +0200 [warn]: suppressed same stacktrace
2015-04-07 17:38:02 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:38:17 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:38:32 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:38:47 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:38:54 +0200 [warn]: temporarily failed to flush the buffer. next_retry=2015-04-07 17:40:40 +0200 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="object:3b111da080d4"
  2015-04-07 17:38:54 +0200 [warn]: suppressed same stacktrace
2015-04-07 17:39:02 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:39:17 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:39:32 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:39:47 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:40:02 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:40:17 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:40:32 +0200 [warn]: dead connection found: aggregator.toto.lan, reconnecting...
2015-04-07 17:40:41 +0200 [warn]: temporarily failed to flush the buffer. next_retry=2015-04-07 17:44:55 +0200 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="object:3b111da080d4"

Aggregator :

2015-04-07 17:33:11 +0200 [info]: starting fluentd-0.12.7
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-mixin-config-placeholders' version '0.3.0'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-mixin-plaintextformatter' version '0.2.6'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-mixin-rewrite-tag-name' version '0.1.0'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-elasticsearch' version '0.7.0'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-mongo' version '0.7.8'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-mysqlslowquerylog' version '0.0.2'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-parser' version '0.4.1'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-record-reformer' version '0.5.0'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '1.5.1'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-rewrite-tag-filter' version '1.4.1'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-s3' version '0.5.7'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-scribe' version '0.10.14'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-secure-forward' version '0.2.6'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-td' version '0.10.26'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-td-monitoring' version '0.2.0'
2015-04-07 17:33:11 +0200 [info]: gem 'fluent-plugin-webhdfs' version '0.4.1'
2015-04-07 17:33:11 +0200 [info]: gem 'fluentd' version '0.12.7'
2015-04-07 17:33:11 +0200 [info]: using configuration file: <ROOT>
  <source>
    type secure_forward
    self_hostname ${hostname}
    shared_key hogeposxxx0
    cert_auto_generate yes
    port 282525
  </source>
  <match fluent.**>
    type record_reformer
    hostname ${hostname}
    tag reformered.${tag}
  </match>
  <match reformered.**>
    type record_reformer
    tag ${tag_suffix[1]}
  </match>
  <match **>
    type roundrobin
    <store>
      type elasticsearch
      host x.x.x.x
      port 9200
      logstash_format true
      logstash_prefix ${tag}
      include_tag_key true
      tag_key tag
      flush_interval 1s
    </store>
    <store>
      type elasticsearch
      host x.x.x.x
      port 9200
      logstash_format true
      logstash_prefix ${tag}
      include_tag_key true
      tag_key tag
      flush_interval 1s
    </store>
  </match>
</ROOT>

Can you help me?

SSL not working using letsencrypt certificates

The logs:

2018-01-17 18:31:37 +0000 [debug]: #0 starting server
2018-01-17 18:31:37 +0000 [debug]: #0 failed to establish ssl session error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client certificate A>
2018-01-17 18:31:37 +0000 [debug]: #0 Shutdown called
2018-01-17 18:31:37 +0000 [debug]: #0 Shutting down :

The Config:

@type secure_forward
port 8080
bind "0.0.0.0"
self_hostname "myname.mysite.com"
shared_key xxxxxx
log_level debug
secure true
ca_private_key_passphrase xxxxxx
ca_cert_path "/etc/td-agent/fullchain.pem"
ca_private_key_path "/etc/td-agent/privkey.pem"

Browsers say:
The connection to this site is using a valid, trusted server certificate issued by unknown name.

The certificate is the cert plus the intermediate certificate: https://letsencrypt.org/certificates/

I tried adding the other intermediate signed by ISRG, and also adding the root cert below that. Same issue.

Thoughts?

write_objects fails with `no one nodes with valid SSL session`

Using td-agent v2.2.0 and secure-forward v0.3.2, for some reason our server got disconnected and secure-forward never recovered. I kept seeing "no one nodes with valid ssl session" error messages. This looks exactly like issue #7 again:

2015-06-22 19:08:12 +0000 [warn]: disconnected from server.redacted.com
2015-06-22 19:08:15 +0000 [warn]: dead connection found: server.redacted.com, reconnecting...
2015-06-22 19:08:20 +0000 [warn]: recovered connection to dead node: server.redacted.com
2015-06-22 19:09:11 +0000 [warn]: disconnected from server.redacted.com
2015-06-22 19:09:15 +0000 [warn]: dead connection found: server.redacted.com, reconnecting...
2015-06-22 19:09:20 +0000 [warn]: recovered connection to dead node: server.redacted.com
2015-06-22 19:23:55 +0000 [warn]: temporarily failed to flush the buffer. next_retry=2015-06-22 19:09:16 +0000 error_class="Errno::ETIMEDOUT" error="Connection timed out" plugin_id="object:3ff55d39b574"
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/2.1.0/openssl/buffering.rb:326:in `syswrite'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/2.1.0/openssl/buffering.rb:326:in `do_write'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/2.1.0/openssl/buffering.rb:344:in `write'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/plugin/buf_memory.rb:55:in `write_to'
2015-06-22 19:23:55 +0000 [warn]: disconnected from server2.redacted.com
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/out_secure_forward.rb:274:in `send_data'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/out_secure_forward.rb:238:in `write_objects'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:463:in `write'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/buffer.rb:325:in `write_chunk'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/buffer.rb:304:in `pop'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:321:in `try_flush'
  2015-06-22 19:23:55 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:140:in `run'
2015-06-22 19:23:55 +0000 [warn]: retry succeeded. plugin_id="object:3ff55d39b574"
2015-06-22 19:24:09 +0000 [warn]: temporarily failed to flush the buffer. next_retry=2015-06-22 19:24:10 +0000 error_class="Errno::ECONNRESET" error="Connection reset by peer" plugin_id="object:3ff55d39b574"
  2015-06-22 19:24:09 +0000 [warn]: suppressed same stacktrace
2015-06-22 19:24:09 +0000 [warn]: disconnected from server.redacted.com
2015-06-22 19:24:11 +0000 [warn]: temporarily failed to flush the buffer. next_retry=2015-06-22 19:24:12 +0000 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="object:3ff55d39b574"
  2015-06-22 19:24:11 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/out_secure_forward.rb:233:in `write_objects'
  2015-06-22 19:24:11 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:463:in `write'
  2015-06-22 19:24:11 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/buffer.rb:325:in `write_chunk'
  2015-06-22 19:24:11 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/buffer.rb:304:in `pop'
  2015-06-22 19:24:11 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:321:in `try_flush'
  2015-06-22 19:24:11 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluentd-0.12.7/lib/fluent/output.rb:140:in `run'
2015-06-22 19:24:13 +0000 [warn]: temporarily failed to flush the buffer. next_retry=2015-06-22 19:24:15 +0000 error_class="RuntimeError" error="no one nodes with valid ssl session" plugin_id="object:3ff55d39b574"

unable to run in container with no `ip` or `ifconfig`

I think the issue is similar to tagomoris/fluent-plugin-route#3

Here is the trace:

2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:372:rescue in main_process: unexpected error error="No such file or directory - addr"
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/uuidtools-2.1.5/lib/uuidtools.rb:587:in ``'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/uuidtools-2.1.5/lib/uuidtools.rb:587:in `ifconfig'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/uuidtools-2.1.5/lib/uuidtools.rb:634:in `mac_address'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/uuidtools-2.1.5/lib/uuidtools.rb:242:in `block in timestamp_create'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/uuidtools-2.1.5/lib/uuidtools.rb:232:in `synchronize'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/uuidtools-2.1.5/lib/uuidtools.rb:232:in `timestamp_create'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:35:in `uuid_timestamp'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:70:in `block (2 levels) in configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:39:in `call'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:39:in `block in replace'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:39:in `each'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:39:in `reduce'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:39:in `replace'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:94:in `check_element'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-mixin-config-placeholders-0.3.1/lib/fluent/mixin/config_placeholders.rb:104:in `configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluent-plugin-secure-forward-0.4.1/lib/fluent/plugin/in_secure_forward.rb:95:in `configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/root_agent.rb:154:in `add_source'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/root_agent.rb:95:in `block in configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/root_agent.rb:92:in `each'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/root_agent.rb:92:in `configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/engine.rb:129:in `configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/engine.rb:103:in `run_configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:483:in `run_configure'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:154:in `block in start'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:360:in `call'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:360:in `main_process'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:333:in `block in supervise'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:332:in `fork'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:332:in `supervise'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/supervisor.rb:150:in `start'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/lib/fluent/command/fluentd.rb:173:in `<top (required)>'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:73:in `require'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:73:in `require'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/gems/fluentd-0.12.25/bin/fluentd:5:in `<top (required)>'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/bin/fluentd:23:in `load'
  2016-05-26 21:51:35 +0000 [error]: fluent/supervisor.rb:332:fork: /opt/app-root/src/bin/fluentd:23:in `<main>'
2016-05-26 21:51:35 +0000 [info]: fluent/supervisor.rb:348:supervise: process finished code=256
2016-05-26 21:51:35 +0000 [warn]: fluent/supervisor.rb:351:supervise: process died within 1 second. exit.

The config:

<source>
  @type secure_forward
  shared_key      string
  self_hostname  fqdn
  bind 0.0.0.0
  port 24284
  secure no

  @label @SECUREFWD
</source>

Is this going to fix the issue?
sporkmonger/uuidtools#39

is there a known workaround I could use?

[question] Secondary the require secure_forward config? or not support?

Hi,

The error in 2 occurs with the configuration file in 1 below.
Is "secondary" not supported in "secure_forward"?
Or is it limited to secure_forward?

I am considering using S3 as a fallback destination of "secure_forward" destination.

  1. fluent conf
<match log>
    @type secure_forward
    secure yes
    shared_key "#{ENV['SHARD_KEY']}"
    self_hostname "{Socket.gethostname}"
    ca_cert_path /path/to/local_ca_cert.pem

    <server>
        host receiver
        port 24284
    </server>
    <secondary>
        type s3
        aws_key_id  access_key
        aws_sec_key secret_key
        s3_bucket my-local-bucket
        s3_endpoint http://minio:9000/
        s3_region us-east-1
        s3_object_key_format %{path}.%{index}.%{file_extension}
        path send_err
        buffer_path /buffer/send_err
        time_slice_format %Y%m%d
        time_slice_wait 1m
        flush_interval 1s # debug
    </secondary>
</match>

2 error

fluentd_1           | 2018-08-07 16:25:30 +0900 [error]: config error in:
fluentd_1           | <secondary>
fluentd_1           |   type s3
fluentd_1           |   aws_key_id access_key
fluentd_1           |   aws_sec_key secret_key
fluentd_1           |   s3_bucket my-local-bucket
fluentd_1           |   s3_endpoint http://minio:9000/
fluentd_1           |   s3_region us-east-1
fluentd_1           |   s3_object_key_format %{path}.%{index}.%{file_extension}
fluentd_1           |   path send_err
fluentd_1           |   buffer_path /buffer/send_err
fluentd_1           |   time_slice_format %Y%m%d
fluentd_1           |   time_slice_wait 1m
fluentd_1           |   flush_interval 1s
fluentd_1           | </secondary>
fluentd_1           | 2018-08-07 16:25:30 +0900 [error]: config error file="/fluentd/etc/fluent_local.conf" error="'secure' parameter is required"

tlsv1 alert unknown ca

I followed the instructions to create a private CA using the command "secure-forward-ca-generate". The secure forward connection fails and shows the error message below.

fluentd node :
Log :
2016-09-28 16:50:58 +0800 [warn]: plugin/output_node.rb:301:rescue in connect: failed to establish SSL connection error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed> host="XXX.XXX.XXX.XXX" address="XXX.XXX.XXX.XXX" port=24284

Config :
<match *.**>
type secure_forward
retry_limit 9
shared_key XXXXXXXX
secure yes
self_hostname xxx.xxxxxxxx.com
ca_cert_path /etc/td-agent/ca_cert.pem

host xxx.xxx.xxx.xxx
port 24284

fluentd aggregator :
Log :
2016-09-28 16:51:01 +0800 [debug]: plugin/input_session.rb:154:rescue in start: failed to establish ssl session error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 alert unknown ca>

Config :

type secure_forward
shared_key XXXXXXXXX
self_hostname xxx.xxxxxxx.xom
secure yes
cert_auto_generate yes
ca_cert_path /etc/td-agent/ca_cert.pem
ca_private_key_path /etc/td-agent/ca_key.pem
ca_private_key_passphrase XXXXXXXXX
port 24284

Do I need to generate a certificate manually instead of using "secure-forward-ca-generate"?

Secondary support for secure_forward

Hi,

Currently if we try to use the <secondary> tag that works on out_forward we get an error

 [error]: config error file="/etc/td-agent/td-agent.conf" error="unknown config tag name secondary"

It'd be nice to have a fallback in case all servers are not available.

Public CA Cert appears as invalid

I have attempted to set up a receiver with a public CA cert and it is being deemed as untrusted by both the sender and external utilities such as openssl.

The receiver has a public CA issued cert from godaddy which has a 3 part bundle of intermediate CA certs that is appended into a pem file (key, cert, bundle). The cert is a wildcard cert that is in production elsewhere so it is trusted elsewhere. So I feel the problem is that part of the certificate chain is not being sent.

Can an option be made to specify intermediate CAs?

Recv Source Config:

type secure_forward
shared_key TjKjGwwNyLD3McwD4
self_hostname logging.company.co
secure true
cert_path /etc/td-agent/ssl/wildcard_company_co-godaddy-2015.pem
private_key_path /etc/td-agent/ssl/wildcard_company_co-godaddy-2015.key
private_key_passphrase
authentication yes
    <user>
            username        compuser
            password        compass
    </user>

Sender Source Config:
<match **>
type secure_forward
shared_key TjKjGwwNyLD3McwD4
self_hostname appserver.company.co
secure true
enable_strict_verification yes

host logging.company.co # or IP
# port 24284
username compuser
password compass

Sender td-agent logs:
015-07-31 10:57:30 +0100 [warn]: failed to establish SSL connection error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed> host="logging.company.co" address="123.123.123.123" port=24284

OpenSSL output from domain using this cert and considered trusted:
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.company.co
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

TD-Agent Receiver connection output:
openssl s_client -connect logging.company.co:24284
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.company.co
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.company.co
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = *.company.co
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.company.co
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
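
The `verify error:num=20` result in the `s_client` output above, where only the depth 0 certificate is presented, can be reproduced offline. This is an added example, not code from the issue or from the plugin; the CA names and `*.example.test` are constructed, and the helper names are made up for the illustration.

```ruby
require 'openssl'

# Issue a certificate. issuer_cert/issuer_key are nil for a self-signed root.
def issue_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  usage = ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed three-level PKI: root CA -> intermediate CA -> wildcard leaf.
def build_constructed_pki
  root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue_cert('Constructed Root CA', root_key, nil, nil, ca: true, serial: 1)
  inter = issue_cert('Constructed Intermediate CA', inter_key, root, root_key, ca: true, serial: 2)
  leaf  = issue_cert('*.example.test', leaf_key, inter, inter_key, ca: false, serial: 3)
  { root: root, intermediate: inter, leaf: leaf }
end

# Split a PEM bundle into every certificate it contains.
# OpenSSL::X509::Certificate.new(pem) on its own parses only the first block,
# so a "cert + intermediates" file loaded that way yields just the leaf.
PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
def split_bundle(pem)
  pem.scan(PEM_CERT).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Verify `leaf` the way a TLS client does: trust anchors come from the local
# store, every other certificate must be presented by the peer.
def verify_chain(leaf, trusted_roots, presented_chain)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented_chain)
  ok = ctx.verify
  { ok: ok, error: ctx.error, error_string: ctx.error_string, depth: ctx.error_depth }
end

PKI = build_constructed_pki
# Bundle file layout: leaf first, then the intermediate.
BUNDLE = PKI[:leaf].to_pem + PKI[:intermediate].to_pem

# Case 1: the peer presents only the leaf; the client trusts only the root.
LEAF_ONLY = verify_chain(PKI[:leaf], [PKI[:root]], [])
# Case 2: the peer also presents the intermediate taken from the bundle.
WITH_INTERMEDIATE = verify_chain(PKI[:leaf], [PKI[:root]], split_bundle(BUNDLE).drop(1))

if __FILE__ == $PROGRAM_NAME
  first = OpenSSL::X509::Certificate.new(BUNDLE)
  puts "Certificate.new(bundle) subject: #{first.subject}"
  puts "split_bundle(bundle) count:      #{split_bundle(BUNDLE).size}"
  puts "leaf only:         ok=#{LEAF_ONLY[:ok]} error=#{LEAF_ONLY[:error]} (#{LEAF_ONLY[:error_string]})"
  puts "with intermediate: ok=#{WITH_INTERMEDIATE[:ok]} error=#{WITH_INTERMEDIATE[:error]} (#{WITH_INTERMEDIATE[:error_string]})"
end
```

In Ruby's own TLS API, a server sends certificates beyond the leaf through `OpenSSL::SSL::SSLContext#extra_chain_cert`; running `openssl s_client -connect host:port -showcerts` against a receiver shows which certificates it actually presents.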

Secure input performance and limits

I've been troubleshooting an issue for the past few weeks and I'd like to share some conclusions/questions.

We wrap Fluentd in docker using fluent/fluentd:v0.12-latest-onbuild. The aggregator's configuration is rather simple:

<source>
  @type secure_forward
  self_hostname ...
  cert_path ...
  private_key_path ...
  private_key_passphrase ...
  shared_key ...
  port 24284
  secure yes
  skip_invalid_event yes
  @label @elasticsearch
</source>

<label @elasticsearch>
  <filter **>
    type tidyup
    target_index_key target_index
    time_key @timestamp
  </filter>
  <match **>
    @type elasticsearch
    (redacted for brevity - 10m max file buffers and flushes every 7s)
  </match>
</label>

The tidyup script is also very simple:

    def filter(tag, time, record)
      timestamp = Time.at(time).to_datetime
      record[@target_index_key] = [tag, timestamp.strftime('%Y-%m-%W')].join("-").gsub(/[.\/]/, '-')

      if record.has_key? @time_key
        record[@time_key] = parse_time(record[@time_key], time, tag).iso8601(3)
      else
        record[@time_key] = timestamp.iso8601(3)
      end

      return record
    end

The server is dedicated to Fluentd. For my tests, I used an r4.large instance from AWS. They have 15gb of RAM, a good CPU (2 cores) and better-than-average network bandwidth.

Under normal operation, there are about 350 fluentd threads and using around 30% CPU.

I have stress-tested this server by creating tons of idle connections from my developer machine (and some through AWS lambda too). When the thread count reaches 800+, clients start receiving timeout errors and are eventually unable to forward logs to the aggregator. Apparently, the ElasticSearch output plugin also halts and the CPU hits and sustains 100% (on the main fluentd process). To be extra clear: none of my idle connections are actually sending logs. They just perform the handshake and shared key exchange, and then they idle out. The Load Balancer eventually kicks the instance out since it cannot reply in a timely manner (health check).

I confirmed that the load balancer is not part of the problem. On the contrary, I was able to reduce the load on the server by configuring the load balancer to kill any idle connection after 10 seconds, but this causes clients to perform a lot more handshakes and is not ideal from my point of view.

I also isolated a server just for the tests (meaning, the 350 real clients are not hitting it at all and no load balancer either). I created about 2k idle connections. Then I tried sending logs with one of them, and basically received timeouts 80% of the time (tried 5 and 10 seconds timeouts, didn't really affect the results).

A few weeks prior, we isolated every fluentd plugin in its own process. That's why I know the secure input plugin is the culprit. The elastic search output was in its own process and never showed any sign of fatigue, nor CPU usage, and doesn't spawn any threads other than the ones it spawns on init.

So, my conclusion is that a connection to the secure input plugin, even if completely idle, is very expensive, and too much can bring a server down. Is this expected? Are you surprised by these performance issues, or is it about right?

I'd be interested to try this scenario outside of docker if you think the behavior I'm seeing is wrong...

I have graphed the buffer size VS thread count for the server during my tests, going through the load balancer, configured to kill any idle connection after 5 minutes:

[Image: graph of buffer size vs. thread count]

The normal thread count is about 350 and that was true around 15:15 (not on the graph). Then I started flooding the server (those red spikes that disappear are AWS lambdas hard-stopping after 5 minutes). So, dead connections are correctly being cleaned up, that's awesome. At the same time, my local dev machine was creating connections like crazy and also trying to push logs at the same time. The green line shows the buffer size on disk. Typically, it moves all the time, but you can see on the graph that at 15h40, it pretty much stopped moving: ElasticSearch's plugin stopped forwarding logs, and Secure Input stopped accepting logs from clients too. When I killed all my tests around 15h50, we can see elastic started working again since the buffer size starts moving again. The red line drops slowly; that's the 350 real clients trying to reconnect and send their backlogs! It then took more than 30 minutes to return to normal operations.

To reduce the load, we're changing the exception handling of our clients to tolerate a certain amount of timeouts before attempting to recreate a connection (they will also be limited in the amount of connections they are allowed to create in time).

Thank you! And sorry for the long post :)

Memory leak of in_secure_forward?

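We are running a continuous-operation test with v0.2.3.

Monitoring the receiving server, memory and swap usage grow as the amount of data sent increases.
Then, once no swap remains, messages like the following are written to the OS log, and at the same time the td-agent
process restarts.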

Nov 1 00:45:07 dev01 kernel: Out of memory: Kill process 29624 (ruby) score 951 or sacrifice child
Nov 1 00:45:07 dev01 kernel: Killed process 29624, UID 496, (ruby) total-vm:9549424kB, anon-rss:1542876kB, file-rss:124kB

At that time, the following is logged to /var/log/td-agent/td-agent.log.

2014-11-01 00:45:09 +0900 [info]: process finished code=9
2014-11-01 00:45:09 +0900 [error]: fluentd main process died unexpectedly. restarting.
2014-11-01 00:45:09 +0900 [info]: starting fluentd-0.10.55
2014-11-01 00:45:09 +0900 [info]: reading config file path="/etc/td-agent/td-agent.conf"

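[Image: 127 0 0 1_mem-day]

When the same test is run with "type forward" (from 11/01 16:00), swap usage does not change.

[Image: 127 0 0 1_mem-day]

Please let us know if you notice anything about these symptoms.

We have also collected logs and other records from the tests, but since GitHub does not seem to allow attachments other than images,
we can provide them by e-mail or other means as needed.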

On CentOS 6.4 install old 0.0.2 version

When installing on CentOS 6.4, it always installs an old plugin version:

fluent-logger (0.5.1)
fluent-mixin-config-placeholders (0.4.0)
fluent-mixin-plaintextformatter (0.2.6)
fluent-plugin-kafka (0.3.1)
fluent-plugin-mongo (0.7.15)
fluent-plugin-rewrite-tag-filter (1.5.5)
fluent-plugin-s3 (0.7.1)
fluent-plugin-scribe (0.10.14)
fluent-plugin-secure-forward (0.0.2)
fluent-plugin-td (0.10.29)
fluent-plugin-td-monitoring (0.2.2)
fluent-plugin-webhdfs (0.4.2)

Even after upgrading ruby to version 2.0.0

Do you have any ideas?

Thanks

missing utility secure-forward-ca-generate

The documentation for the plugin here on github references this utility:
secure-forward-ca-generate /path/for/dir/of/certs "passphrase for private CA secret key"

However I don't have that program when I install the plugin. Where/how do I get this? Or can you change the instructions to reference an outside utility?

disconnected from other version clients

I updated the secure-forward version on the server without changing the clients.
Then the server outputs the warning Connection required from unknown host 'XXX' (XXX), disconnecting....

It is caused by the difference between addr and peeraddr.

Can I resolve it without updating the clients' version?

Getting "no one nodes with valid ssl session" error

Hello,

I'm using version 0.1.6 of the plugin to collect logs.
From time to time the node using SecureForwardOutput would stop sending logs and get this error:

2014-05-09 23:34:06 -0700 [warn]: temporarily failed to flush the buffer. next_retry=2014-05-09 23:34:21 -0700 error_class="RuntimeError" error="no one nodes with valid ssl session" instance=69908390552060
  2014-05-09 23:34:06 -0700 [warn]: /usr/lib64/fluent/ruby/lib/ruby/gems/1.9.1/gems/fluent-plugin-secure-forward-0.1.6/lib/fluent/plugin/out_secure_forward.rb:168:in `write_objects'
  2014-05-09 23:34:06 -0700 [warn]: /usr/lib64/fluent/ruby/lib/ruby/gems/1.9.1/gems/fluentd-0.10.45/lib/fluent/output.rb:449:in `write'
  2014-05-09 23:34:06 -0700 [warn]: /usr/lib64/fluent/ruby/lib/ruby/gems/1.9.1/gems/fluentd-0.10.45/lib/fluent/buffer.rb:296:in `write_chunk'
  2014-05-09 23:34:06 -0700 [warn]: /usr/lib64/fluent/ruby/lib/ruby/gems/1.9.1/gems/fluentd-0.10.45/lib/fluent/buffer.rb:276:in `pop'
  2014-05-09 23:34:06 -0700 [warn]: /usr/lib64/fluent/ruby/lib/ruby/gems/1.9.1/gems/fluentd-0.10.45/lib/fluent/output.rb:310:in `try_flush'
  2014-05-09 23:34:06 -0700 [warn]: /usr/lib64/fluent/ruby/lib/ruby/gems/1.9.1/gems/fluentd-0.10.45/lib/fluent/output.rb:132:in `run'
2014-05-09 23:34:10 -0700 [info]: dead connection found: kibana.clearslide.net, reconnecting...

Restarting td-agent on the node using SecureForwardInput fixes the problem.

What do you recommend?

can't modify frozen String

I'm trying to run the plugin on FreeBSD and get this error:

2015-06-15 20:41:52 +0300 [error]: unexpected error error="can't modify frozen String"
  2015-06-15 20:41:52 +0300 [error]: /usr/local/lib/ruby/gems/2.1/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/output_node.rb:319:in `feed_each'
  2015-06-15 20:41:52 +0300 [error]: /usr/local/lib/ruby/gems/2.1/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/output_node.rb:319:in `block in connect'
  2015-06-15 20:41:52 +0300 [error]: /usr/local/lib/ruby/gems/2.1/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/output_node.rb:310:in `loop'
  2015-06-15 20:41:52 +0300 [error]: /usr/local/lib/ruby/gems/2.1/gems/fluent-plugin-secure-forward-0.3.2/lib/fluent/plugin/output_node.rb:310:in `connect'

The same config on Ubuntu works fine

<match *.**>
  type secure_forward
  shared_key ......
  self_hostname ${hostname}
  secure no

  flush_interval 1s
  <server>
    name ...
    host ...
    port ...
    weight 60
  </server>
</match>

Nil conversion on connection_hard_timeout (v 0.4.0)

The newest version caused fluentd to crash.

2016-03-30 14:54:00 +0000 [error]: unexpected error error_class=TypeError error=#<TypeError: can't convert nil into an exact number>
2016-03-30 14:54:00 +0000 [error]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-secure-forward-0.4.0/lib/fluent/plugin/output_node.rb:333:in `+'
...
2016-03-30 14:54:00 +0000 [warn]: /opt/td-agent/embedded/lib/ruby/gems/2.1.0/gems/fluent-plugin-secure-forward-0.4.0/lib/fluent/plugin/output_node.rb:331:in `connect'
2016-03-30 14:54:00 +0000 [info]: process finished code=0
2016-03-30 14:54:00 +0000 [warn]: process died within 1 second. exit.

It seems the default value of connection_hard_timeout is set to nil here while this line and this line try to compare its value.

Wrong openssl version number?

2017-10-23 18:43:55 -0700 [trace]: #0 accept tcp connection (ssl session not established yet)
2017-10-23 18:43:55 -0700 [trace]: #0 session instances: all=1 closed=0
2017-10-23 18:43:55 -0700 [debug]: #0 starting server
2017-10-23 18:43:55 -0700 [trace]: #0 accepting ssl session
2017-10-23 18:43:55 -0700 [debug]: #0 failed to establish ssl session error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: wrong version number>
2017-10-23 18:43:55 -0700 [debug]: #0 Shutdown called
2017-10-23 18:43:55 -0700 [debug]: #0 Shutting down :
2017-10-23 18:43:55 -0700 [debug]: #0 Shutdown called

So I get a wrong version number error.. for openSSL? How do I update this?

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol

Hi, after many tries with no result I would like to ask you about this error.

I run td-agent 0.12.20 tailing log files on several instances on DigitalOcean, sending data via secure_forward to google-fluentd 1.5.8 running on one service instance on Google, where they are fed into Google StackDriver.

For several weeks everything was working perfectly. But on Wednesday (2016-07-06) we installed security updates on the service instance on Google, and after restarting it the td-agents on DO are no longer able to create a connection. I still get these error messages:

2016-07-08 15:44:12 +0000 fluent.debug: {"host":"xxxxx","address":"xxxxxx","port":24284,"message":"create tcp socket to node host="xxxxxx" address="xxxxxx" port=24284"}
2016-07-08 15:44:12 +0000 [debug]: trying to connect ssl session host="xxxxxx" address="xxxxx" port=24284
2016-07-08 15:44:12 +0000 fluent.debug: {"host":"xxxxxx","address":"xxxxxx","port":24284,"message":"trying to connect ssl session host="xxxxxx" address="xxxxxx" port=24284"}
2016-07-08 15:44:12 +0000 [warn]: failed to establish SSL connection error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol> host="xxxxxx" address="xxxxxx" port=24284
2016-07-08 15:44:12 +0000 fluent.warn: {"error_class":"OpenSSL::SSL::SSLError","error":"#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol>","host":"xxxxxxx","address":"xxxxxx","port":24284,"message":"failed to establish SSL connection error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol> host="xxxxxx" address="xxxxxx" port=24284"}
2016-07-08 15:44:22 +0000 [debug]: SSL connection is not established until timemout host="xxxxxxx" port=24284 timeout=10

Secure forwarder on all sites is updated to the latest version using the embedded fluentd-gem.
I can telnet to port 24284 from DO to Google, and I can ssh to the service instance on Google from all DO instances without problems under the td-agent user.
Any ideas what to do?

Disconnect sender-receiver connection for period of time

Hi

I have multiple senders configured to connect to one receiver, with secure-forward plugin and all those senders keep a connection open with receiver even when they don't have anything to send.

Is there a sleep connection function or a configuration I can use to disconnect sender-receiver?

ps. awesome plugin 😃 !

Thank you,
Ashish

supervise: process finished code=6

Apologies for writing in Japanese.

I am using fluent-plugin-secure-forward (0.3.2) installed on the td-agent-1.1.21-0.x86_64 rpm package
on Scientific Linux 6.6.

When I sent 1,000,000 records from a PHP program, partway through a message like

2015-06-14 04:15:39 +0900 [info]: fluent/supervisor.rb:296:supervise: process finished code=6

was output and fluentd was restarted.

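I don't know whether it is directly related, but up to the earlier version 0.2.5
the same phenomenon did not occur when running the same sending program, whereas with 0.2.6 and 0.3.2
it was confirmed to occur.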

I am asking here because it started happening after I changed the plugin version, but
is it possible to isolate whether this phenomenon is a bug in fluentd itself?

Just in case, I have copied below the sender-side td-agent.log from when this was run.

2015-06-14 04:15:19 +0900 [info]: fluent/supervisor.rb:403:read_config: reading config file path="/etc/td-agent/td-agent.conf"
2015-06-14 04:15:19 +0900 [info]: fluent/supervisor.rb:279:supervise: starting fluentd-0.12.12
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered buffer plugin 'file'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered buffer plugin 'memory'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered filter plugin 'grep'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered filter plugin 'record_transformer'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered filter plugin 'stdout'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'debug_agent'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'dummy'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'exec'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'forward'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'gc_stat'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'http'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'monitor_agent'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'object_space'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'status'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'unix'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'syslog'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'tail'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'tcp'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'udp'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'copy'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'exec'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'exec_filter'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'file'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'forward'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'null'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'relabel'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'roundrobin'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'stdout'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'tcp'
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'unix'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-mixin-config-placeholders' version '0.3.0'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-mixin-config-placeholders' version '0.2.4'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-mixin-plaintextformatter' version '0.2.6'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-flume' version '0.1.1'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-mongo' version '0.7.10'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-mongo' version '0.7.3'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-rewrite-tag-filter' version '1.5.1'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-rewrite-tag-filter' version '1.4.1'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-s3' version '0.5.9'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-s3' version '0.4.1'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-scribe' version '0.10.14'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-scribe' version '0.10.12'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-secure-forward' version '0.3.2'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-secure-forward' version '0.2.5'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td' version '0.10.27'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td' version '0.10.22'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td-monitoring' version '0.2.0'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td-monitoring' version '0.1.3'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-webhdfs' version '0.4.1'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-webhdfs' version '0.3.1'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluentd' version '0.12.12'
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluentd' version '0.10.55'
2015-06-14 04:15:19 +0900 [info]: fluent/agent.rb:123:add_match: adding match pattern="tmp.write" type="secure_forward"
2015-06-14 04:15:19 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'secure_forward'
2015-06-14 04:15:19 +0900 [warn]: plugin/out_secure_forward.rb:89:configure: 'insecure' mode has vulnerability for man-in-the-middle attacks.
2015-06-14 04:15:19 +0900 [info]: fluent/root_agent.rb:142:add_source: adding source type="unix"
2015-06-14 04:15:19 +0900 [info]: fluent/root_agent.rb:142:add_source: adding source type="forward"
2015-06-14 04:15:19 +0900 [info]: fluent/engine.rb:97:configure: using configuration file: <ROOT>
  <source>
    type unix
    path /var/run/td-agent/td-agent.sock
  </source>
  <source>
    type forward
  </source>
  <match tmp.write>
    type secure_forward
    shared_key abcde
    self_hostname ***********************
    keepalive 10s
    flush_interval 10s
    retry_wait 60s
    buffer_type file
    buffer_path /data/fluent/test
    buffer_queue_limit 1280
    secure no
    ssl_version SSLv23
    <server>
      host 10.96.152.142
    </server>
  </match>
</ROOT>
2015-06-14 04:15:19 +0900 [debug]: plugin/out_secure_forward.rb:138:start: starting secure-forward
2015-06-14 04:15:19 +0900 [debug]: plugin/out_secure_forward.rb:140:start: start to connect target nodes
2015-06-14 04:15:19 +0900 [debug]: plugin/out_secure_forward.rb:142:block in start: connecting node host="10.96.152.142" port=24284
2015-06-14 04:15:19 +0900 [debug]: plugin/in_stream.rb:180:listen: listening fluent socket on /var/run/td-agent/td-agent.sock
2015-06-14 04:15:19 +0900 [info]: plugin/in_forward.rb:74:listen: listening fluent socket on 0.0.0.0:24224
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:216:connect: starting client
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:219:connect: create tcp socket to node host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:19 +0900 [trace]: plugin/output_node.rb:228:connect: changing socket options
2015-06-14 04:15:19 +0900 [trace]: plugin/output_node.rb:235:connect: initializing SSL contexts
2015-06-14 04:15:19 +0900 [trace]: plugin/output_node.rb:239:connect: setting SSL verification options
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:270:connect: trying to connect ssl session host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:19 +0900 [trace]: plugin/output_node.rb:273:connect: connecting... host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:281:connect: ssl session connected host="10.96.152.142" port=24284
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:301:connect: ssl session connected host="10.96.152.142" port=24284
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:184:on_read: on_read
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:127:check_helo: checking helo
2015-06-14 04:15:19 +0900 [debug]: plugin/output_node.rb:140:generate_ping: generating ping
2015-06-14 04:15:20 +0900 [debug]: plugin/output_node.rb:184:on_read: on_read
2015-06-14 04:15:20 +0900 [debug]: plugin/output_node.rb:155:check_pong: checking pong
2015-06-14 04:15:20 +0900 [info]: plugin/output_node.rb:207:on_read: connection established to 10.96.152.142
2015-06-14 04:15:20 +0900 [debug]: plugin/output_node.rb:210:on_read: connection established host="10.96.152.142" port=24284 expire=2015-06-14 04:15:30 +0900
2015-06-14 04:15:24 +0900 [trace]: plugin/out_secure_forward.rb:156:block in node_watcher: in node health watcher
2015-06-14 04:15:24 +0900 [trace]: plugin/out_secure_forward.rb:159:block (2 levels) in node_watcher: node health watcher for 10.96.152.142
2015-06-14 04:15:29 +0900 [trace]: plugin/out_secure_forward.rb:156:block in node_watcher: in node health watcher
2015-06-14 04:15:29 +0900 [trace]: plugin/out_secure_forward.rb:159:block (2 levels) in node_watcher: node health watcher for 10.96.152.142
2015-06-14 04:15:32 +0900 [trace]: plugin/in_stream.rb:116:initialize: accepted fluent socket from ':': object_id=70261118875400
2015-06-14 04:15:33 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:34 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:34 +0900 [trace]: plugin/out_secure_forward.rb:156:block in node_watcher: in node health watcher
2015-06-14 04:15:34 +0900 [trace]: plugin/out_secure_forward.rb:159:block (2 levels) in node_watcher: node health watcher for 10.96.152.142
2015-06-14 04:15:34 +0900 [debug]: plugin/out_secure_forward.rb:173:block (2 levels) in node_watcher: reconnecting to node host="10.96.152.142" port=24284 expire=2015-06-14 04:15:30 +0900 expired=true detached=false
2015-06-14 04:15:34 +0900 [trace]: plugin/out_secure_forward.rb:185:block (2 levels) in node_watcher: checking reconnecting node 10.96.152.142
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:216:connect: starting client
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:219:connect: create tcp socket to node host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:34 +0900 [trace]: plugin/output_node.rb:228:connect: changing socket options
2015-06-14 04:15:34 +0900 [trace]: plugin/output_node.rb:235:connect: initializing SSL contexts
2015-06-14 04:15:34 +0900 [trace]: plugin/output_node.rb:239:connect: setting SSL verification options
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:270:connect: trying to connect ssl session host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:34 +0900 [trace]: plugin/output_node.rb:273:connect: connecting... host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:281:connect: ssl session connected host="10.96.152.142" port=24284
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:301:connect: ssl session connected host="10.96.152.142" port=24284
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:184:on_read: on_read
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:127:check_helo: checking helo
2015-06-14 04:15:34 +0900 [debug]: plugin/output_node.rb:140:generate_ping: generating ping
2015-06-14 04:15:35 +0900 [debug]: plugin/output_node.rb:184:on_read: on_read
2015-06-14 04:15:35 +0900 [debug]: plugin/output_node.rb:155:check_pong: checking pong
2015-06-14 04:15:35 +0900 [debug]: plugin/output_node.rb:210:on_read: connection established host="10.96.152.142" port=24284 expire=2015-06-14 04:15:45 +0900
2015-06-14 04:15:37 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:38 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:39 +0900 [trace]: plugin/out_secure_forward.rb:156:block in node_watcher: in node health watcher
2015-06-14 04:15:39 +0900 [trace]: plugin/out_secure_forward.rb:159:block (2 levels) in node_watcher: node health watcher for 10.96.152.142
2015-06-14 04:15:39 +0900 [trace]: plugin/out_secure_forward.rb:185:block (2 levels) in node_watcher: checking reconnecting node 10.96.152.142
2015-06-14 04:15:39 +0900 [debug]: plugin/out_secure_forward.rb:188:block (2 levels) in node_watcher: connection established for reconnecting node
2015-06-14 04:15:39 +0900 [trace]: plugin/out_secure_forward.rb:197:block (2 levels) in node_watcher: old connection shutting down
2015-06-14 04:15:39 +0900 [trace]: plugin/out_secure_forward.rb:199:block (2 levels) in node_watcher: old connection shutted down
2015-06-14 04:15:39 +0900 [debug]: plugin/output_node.rb:87:shutdown: shutting down node 10.96.152.142
2015-06-14 04:15:39 +0900 [info]: fluent/supervisor.rb:296:supervise: process finished code=6
2015-06-14 04:15:39 +0900 [error]: fluent/supervisor.rb:146:start: fluentd main process died unexpectedly. restarting.
2015-06-14 04:15:39 +0900 [info]: fluent/supervisor.rb:279:supervise: starting fluentd-0.12.12
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered buffer plugin 'file'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered buffer plugin 'memory'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered filter plugin 'grep'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered filter plugin 'record_transformer'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered filter plugin 'stdout'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'debug_agent'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'dummy'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'exec'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'forward'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'gc_stat'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'http'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'monitor_agent'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'object_space'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'status'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'unix'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'syslog'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'tail'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'tcp'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered input plugin 'udp'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'copy'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'exec'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'exec_filter'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'file'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'forward'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'null'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'relabel'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'roundrobin'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'stdout'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'tcp'
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'unix'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-mixin-config-placeholders' version '0.3.0'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-mixin-config-placeholders' version '0.2.4'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-mixin-plaintextformatter' version '0.2.6'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-flume' version '0.1.1'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-mongo' version '0.7.10'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-mongo' version '0.7.3'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-rewrite-tag-filter' version '1.5.1'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-rewrite-tag-filter' version '1.4.1'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-s3' version '0.5.9'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-s3' version '0.4.1'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-scribe' version '0.10.14'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-scribe' version '0.10.12'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-secure-forward' version '0.3.2'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-secure-forward' version '0.2.5'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td' version '0.10.27'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td' version '0.10.22'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td-monitoring' version '0.2.0'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-td-monitoring' version '0.1.3'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-webhdfs' version '0.4.1'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluent-plugin-webhdfs' version '0.3.1'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluentd' version '0.12.12'
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:90:block in configure: gem 'fluentd' version '0.10.55'
2015-06-14 04:15:39 +0900 [info]: fluent/agent.rb:123:add_match: adding match pattern="tmp.write" type="secure_forward"
2015-06-14 04:15:39 +0900 [trace]: fluent/plugin.rb:98:register_impl: registered output plugin 'secure_forward'
2015-06-14 04:15:39 +0900 [warn]: plugin/out_secure_forward.rb:89:configure: 'insecure' mode has vulnerability for man-in-the-middle attacks.
2015-06-14 04:15:39 +0900 [info]: fluent/root_agent.rb:142:add_source: adding source type="unix"
2015-06-14 04:15:39 +0900 [info]: fluent/root_agent.rb:142:add_source: adding source type="forward"
2015-06-14 04:15:39 +0900 [info]: fluent/engine.rb:97:configure: using configuration file: <ROOT>
  <source>
    type unix
    path /var/run/td-agent/td-agent.sock
  </source>
  <source>
    type forward
  </source>
  <match tmp.write>
    type secure_forward
    shared_key abcde
    self_hostname *************************
    keepalive 10s
    flush_interval 10s
    retry_wait 60s
    buffer_type file
    buffer_path /data/fluent/test
    buffer_queue_limit 1280
    secure no
    ssl_version SSLv23
    <server>
      host 10.96.152.142
    </server>
  </match>
</ROOT>
2015-06-14 04:15:39 +0900 [debug]: plugin/out_secure_forward.rb:138:start: starting secure-forward
2015-06-14 04:15:39 +0900 [debug]: plugin/out_secure_forward.rb:140:start: start to connect target nodes
2015-06-14 04:15:39 +0900 [debug]: plugin/out_secure_forward.rb:142:block in start: connecting node host="10.96.152.142" port=24284
2015-06-14 04:15:39 +0900 [debug]: plugin/in_stream.rb:180:listen: listening fluent socket on /var/run/td-agent/td-agent.sock
2015-06-14 04:15:39 +0900 [info]: plugin/in_forward.rb:74:listen: listening fluent socket on 0.0.0.0:24224
2015-06-14 04:15:39 +0900 [debug]: plugin/output_node.rb:216:connect: starting client
2015-06-14 04:15:39 +0900 [debug]: plugin/output_node.rb:219:connect: create tcp socket to node host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:39 +0900 [trace]: plugin/output_node.rb:228:connect: changing socket options
2015-06-14 04:15:39 +0900 [trace]: plugin/output_node.rb:235:connect: initializing SSL contexts
2015-06-14 04:15:39 +0900 [trace]: plugin/output_node.rb:239:connect: setting SSL verification options
2015-06-14 04:15:39 +0900 [debug]: plugin/output_node.rb:270:connect: trying to connect ssl session host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:39 +0900 [trace]: plugin/output_node.rb:273:connect: connecting... host="10.96.152.142" address="10.96.152.142" port=24284
2015-06-14 04:15:39 +0900 [debug]: plugin/output_node.rb:281:connect: ssl session connected host="10.96.152.142" port=24284
2015-06-14 04:15:39 +0900 [debug]: plugin/output_node.rb:301:connect: ssl session connected host="10.96.152.142" port=24284
2015-06-14 04:15:40 +0900 [debug]: plugin/output_node.rb:184:on_read: on_read
2015-06-14 04:15:40 +0900 [debug]: plugin/output_node.rb:127:check_helo: checking helo
2015-06-14 04:15:40 +0900 [debug]: plugin/output_node.rb:140:generate_ping: generating ping
2015-06-14 04:15:40 +0900 [debug]: plugin/output_node.rb:184:on_read: on_read
2015-06-14 04:15:40 +0900 [debug]: plugin/output_node.rb:155:check_pong: checking pong
2015-06-14 04:15:40 +0900 [info]: plugin/output_node.rb:207:on_read: connection established to 10.96.152.142
2015-06-14 04:15:40 +0900 [debug]: plugin/output_node.rb:210:on_read: connection established host="10.96.152.142" port=24284 expire=2015-06-14 04:15:50 +0900
2015-06-14 04:15:40 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:42 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:44 +0900 [trace]: plugin/out_secure_forward.rb:235:write_objects: selected node host="10.96.152.142" port=24284 standby=false
2015-06-14 04:15:44 +0900 [trace]: plugin/out_secure_forward.rb:156:block in node_watcher: in node health watcher
2015-06-14 04:15:44 +0900 [trace]: plugin/out_secure_forward.rb:159:block (2 levels) in node_watcher: node health watcher for 10.96.152.142
2015-06-14 04:15:48 +0900 [debug]: fluent/supervisor.rb:337:block in install_supervisor_signal_handlers: fluentd supervisor process get SIGTERM
2015-06-14 04:15:48 +0900 [debug]: fluent/supervisor.rb:507:block in install_main_process_signal_handlers: fluentd main process get SIGTERM
2015-06-14 04:15:48 +0900 [debug]: fluent/supervisor.rb:510:block in install_main_process_signal_handlers: getting start to shutdown main process
2015-06-14 04:15:48 +0900 [info]: fluent/engine.rb:175:run: shutting down fluentd
2015-06-14 04:15:48 +0900 [debug]: plugin/output_node.rb:87:shutdown: shutting down node 10.96.152.142
2015-06-14 04:15:48 +0900 [info]: fluent/supervisor.rb:296:supervise: process finished code=0

* "ssl_version SSLv23" is specified because the ruby bundled with td-agent-1.1.21-0.x86_64 is version 1.9.3, which could not recognize the default value TLSv1_2.

Fluentd 14.0. v SSLErrorWaitReadable error with SecureForward plugin

I tried using Fluentd v 14.0.1 with

ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux](Installed using RhRuby 2.2)
OpenSSL 1.0.1e-fips 11 Feb 2013

I am getting error [Fluent::SecureForwardOutput] SSLError error_class=OpenSSL::SSL::SSLErrorWaitReadable error=#<OpenSSL::SSL::SSLErrorWaitReadable: read would block> mtime=2016-07-25 08:34:52 +0000 host="10.4.1.10" port=24284

Fluentd is using 'fluent-plugin-secure-forward' version '0.4.2' with the correct certificates to transfer the data from the forwarder to the aggregator. But the above issue is happening even after updating OpenSSL to the latest version.

Cannot run plugin on windows

I'm running fluentd 0.10.46 from the windows branch:
https://github.com/fluent/fluentd/archive/windows.zip

OS is Windows Server 2012 R2.

Getting this error when starting fluentd:

2014-12-23 23:24:47 +0000 [error]: unexpected error error_class=Errno::ENOENT error=#<Errno::ENOENT: No such file or directory - /dev/urandom>
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluent-plugin-secure-forward-0.2.4/lib/fluent/plugin/out_secure_forward.rb:121:in `read'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluent-plugin-secure-forward-0.2.4/lib/fluent/plugin/out_secure_forward.rb:121:in `start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/plugin/out_copy.rb:50:in `block in start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/plugin/out_copy.rb:49:in `each'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/plugin/out_copy.rb:49:in `start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/match.rb:40:in `start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/engine.rb:260:in `block in start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/engine.rb:259:in `each'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/engine.rb:259:in `start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/engine.rb:206:in `run'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/supervisor.rb:458:in `run_engine'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/supervisor.rb:120:in `block in start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/supervisor.rb:251:in `call'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/supervisor.rb:251:in `main_process'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/supervisor.rb:214:in `supervise'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/supervisor.rb:108:in `start'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/lib/fluent/command/fluentd.rb:225:in `<top (required)>'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/site_ruby/1.9.1/rubygems/custom_require.rb:36:in `require'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/lib/ruby/gems/1.9.1/gems/fluentd-0.10.46/bin/fluentd:6:in `<top (required)>'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/bin/fluentd:23:in `load'
  2014-12-23 23:24:47 +0000 [error]: C:/Ruby193/bin/fluentd:23:in `<main>'

Here is my config file:

<source>
  type tail
  path C:\fluentd\hello.txt
  tag jvm
  format /^(?<time>\d\d\d\d-(\d)?\d-(\d)?\d \d\d:\d\d:\d\d)[ ]{1,3}(?<message>.*)$/
  time_format %Y-%m-%d %H:%M:%S
</source>

<match jvm.**>
  type copy
  <store>
    type secure_forward
    shared_key    **************
    self_hostname    ${hostname}
    keepalive 120

    <server>
      host ******************
    </server>

    buffer_type file
    buffer_path C:\fluentd\myapp-buffer
    retry_limit 50
    flush_interval 20s
  </store>
</match>

License missing from gemspec

RubyGems.org doesn't report a license for your gem. This is because it is not specified in the gemspec of your last release.

via e.g.

spec.license = 'MIT'
# or
spec.licenses = ['MIT', 'GPL-2']

Including a license in your gemspec is an easy way for rubygems.org and other tools to check how your gem is licensed. As you can imagine, scanning your repository for a LICENSE file or parsing the README, and then attempting to identify the license or licenses is much more difficult and more error prone. So, even for projects that already specify a license, including a license in your gemspec is a good practice. See, for example, how rubygems.org uses the gemspec to display the rails gem license.

There is even a License Finder gem to help companies/individuals ensure all gems they use meet their licensing needs. This tool depends on license information being available in the gemspec. This is an important enough issue that even Bundler now generates gems with a default 'MIT' license.

I hope you'll consider specifying a license in your gemspec. If not, please just close the issue with a nice message. In either case, I'll follow up. Thanks for your time!

Appendix:

If you need help choosing a license (sorry, I haven't checked your readme or looked for a license file), GitHub has created a license picker tool. Code without a license specified defaults to 'All rights reserved'-- denying others all rights to use of the code.
Here's a list of the license names I've found and their frequencies

p.s. In case you're wondering how I found you and why I made this issue, it's because I'm collecting stats on gems (I was originally looking for download data) and decided to collect license metadata, too, and make issues for gemspecs not specifying a license as a public service :). See the previous link or my blog post about this project for more information.

Question regarding the plugin design

I have some questions regarding the secure forward plugin design.

Why was the plugin designed to have a separate custom protocol over SSL? If it was simple SSL for securing client-server connections, we could have used other systems (load balancers like HAProxy, Nginx) to terminate the SSL. Moreover, it could have been faster with a standard SSL connection. What are the reasons for using a custom protocol over SSL?

Make shared_key optional for output plugin

If we want to be able to ship logs securely with this plugin to another log aggregator that may not be fluentd (e.g. logstash), we should be able to not provide a shared_key for authentication.

Logstash can use SSL communication, and it has a Fluent codec to interpret events sourced from Fluentd. However using this plugin we cannot ship to them given that shared_key is required and Logstash has no means of using a shared_key.

uninitialized constant Fluent::Input on fluentd 0.14.1

Getting this on the new version of fluentd:

 adding source type="secure_forward"
 unexpected error error="uninitialized constant Fluent::Input"
 /usr/lib/ruby/gems/2.3.0/gems/fluent-plugin-secure-forward-0.4.1/lib/fluent/plugin/in_secure_forward.rb:6:in `<module:Fluent>'
 /usr/lib/ruby/gems/2.3.0/gems/fluent-plugin-secure-forward-0.4.1/lib/fluent/plugin/in_secure_forward.rb:5:in `<top (required)>'
 /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
 /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/registry.rb:81:in `block in search'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/registry.rb:79:in `each'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/registry.rb:79:in `search'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/registry.rb:42:in `lookup'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/plugin.rb:146:in `new_impl'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/plugin.rb:100:in `new_input'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/root_agent.rb:229:in `add_source'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/root_agent.rb:95:in `block in configure'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/root_agent.rb:92:in `each'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/root_agent.rb:92:in `configure'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/engine.rb:119:in `configure'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/engine.rb:93:in `run_configure'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/supervisor.rb:594:in `run_configure'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/supervisor.rb:389:in `block in run_worker'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/supervisor.rb:527:in `main_process'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/supervisor.rb:385:in `run_worker'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/lib/fluent/command/fluentd.rb:271:in `<top (required)>'
 /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
 /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
 /usr/lib/ruby/gems/2.3.0/gems/fluentd-0.14.1/bin/fluentd:5:in `<top (required)>'
 /usr/bin/fluentd:23:in `load'
 /usr/bin/fluentd:23:in `<main>'

Issue with Intermediate certificates

When I use my SSL certificates in the server plugin, I am seeing "Certificate verify failed" errors in the client. My SSL certs are signed using GoDaddy's intermediate certificates (https://certs.godaddy.com/repository/). If I use the certfile parameter in the client fluentd, it works fine. Is there a possibility to make changes only on the server side so that client configs stay the same (like the SSLCertificateChainFile config in Apache)? How do I install intermediate certificates on the server side?

Could I set a backup log destination on a network failure?

Consider a situation where all the fluentd aggregators (log receivers) are down. I wish my fluentd forwarder could write logs into a backup destination such as a local log file.
It seems that currently this plugin does not support the <secondary> config the way the out_forward plugin does. Is there a plan for this, or is there any other way to accomplish my requirement?
Thanks!

Multiple destinations with out_copy - cert verification fails

I couldn't find any previous posts about the issue I'm experiencing, so I'm hoping to find out if it's a bug or a PEBKAC situation.

I'm attempting to securely forward logs in the following manner:

  1. Logs hit internal server "syslog01" using in_syslog and get tagged
  2. Logs are forwarded from "syslog01" to "fluentd01" using out_secure
  3. On "fluentd01" I have a match statement using out_copy, with statements for the following destinations:
    a. One copy is being stored locally for debug purposes until everything works as intended
    b. One copy is being forwarded to "splunkfwd01" via out_secure
    c. One copy is supposed to be forwarded to "efk01" via out_secure

The issue that I'm running into is that if I have both of the out_secure destinations in the config file at step 3, only the first one is able to establish the SSL connection. The second one errors out by failing the SSL verification.

If I comment out one of the 2 out_secure destinations and forward the logs only to one destination at a time (either "splunkfwd01" or "efk01") the logs are forwarded successfully. This tells me my certs/shared secret/passphrase are accurate for either combination of fluentd01->splunkfwd01 or fluentd01->efk01. I am using a separate cert/key pair for each connection.

2016-07-20 15:44:12 -0400 [warn]: failed to establish SSL connection error_class=OpenSSL::SSL::SSLError error=#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed> host="10.10.10.54" address="10.10.10.54" port=24285

(I tried using a different port for "efk01", 24285, as a troubleshooting step)

To sum it up, the behavior I'm seeing is that for a given out_copy match I can only use one out_secure store at a time.

Am I just missing something blatantly obvious?

Edit: "fluentd01" is running fluentd 0.12.20, while "splunkfwd01" and "efk01" are running fluentd 0.12.26. All servers are running 'fluent-plugin-secure-forward' version '0.4.2'.
Edit2: The certificates were generated using 'secure-forward-ca-generate' from this plugin. They work fine with a single connection from either fluentd01->splunkfwd01, or for a single connection from fluentd01->efk01. The issue only occurs when I try to forward traffic to both splunkfwd01 and efk01 under the same match statement with out_copy.

Question about Flush Interval

Using this plugin to forward messages from OpenShift cluster pods to an external Splunk instance. I need the forwarder to collect and send all messages to the external Splunk every 10 seconds. How do I configure this?
