Fluentd forwarder
New in version 3.9.0.
This module allows Wazuh to forward messages to a Fluentd server. Fluentd is an open source data collector with a large plugin ecosystem for building your own logging layer. See https://www.fluentd.org/
How it works
The module reads messages from a dedicated Unix domain UDP socket and forwards them to a Fluentd server. The Fluentd server can run on the same local machine or on a remote machine.
Note
This module works only on Unix systems.
Input
The socket_path tag indicates the location of the Unix domain UDP socket created by the module. The module reads incoming messages from this socket and forwards them to the Fluentd server.
The tag tag is added to every message read from the UDP socket. This lets the user select the flow within the Fluentd server's internal routing.
Note
An empty tag is not allowed: the module shuts down if the tag is missing or empty.
Output
The output is forwarded to the Fluentd server specified by the <address> tag.
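The data path described in the Input and Output sections can be exercised without a Fluentd server. The following script is an added example, not Wazuh code: it creates the Unix domain datagram socket at socket_path (what the module does at startup), drops one message into it (what logcollector does), reads it back, prepends the tag, and encodes the result as a Fluentd Forward protocol "Message" event, i.e. a msgpack array [tag, time, record]. The minimal msgpack encoder, the socket path under a temporary directory, and the record shape {"message": ...} are assumptions of this example; how Wazuh itself shapes the record is not stated on this page.

```python
"""Added example (not Wazuh code): model the fluent-forward data path.

A message is written to the Unix domain datagram socket at <socket_path>,
read back, tagged with <tag>, and encoded as a Fluentd Forward protocol
"Message" event: a msgpack array [tag, time, record]. The msgpack encoder
is a minimal hand-written one so the script needs only the standard library.
"""
import os
import socket
import struct
import tempfile
import time
from typing import Optional


def validate_config(tag: str, socket_path: str) -> None:
    """Reject settings the module itself refuses: an empty tag is fatal."""
    if not tag:
        raise ValueError("fluent-forward: <tag> must not be empty")
    if not socket_path.startswith("/"):
        raise ValueError("fluent-forward: <socket_path> must be an absolute path")


def _msgpack_str(s: str) -> bytes:
    """msgpack str family: fixstr (<32 bytes), str 8, str 16, str 32."""
    data = s.encode("utf-8")
    n = len(data)
    if n < 32:
        return bytes([0xA0 | n]) + data
    if n < 0x100:
        return b"\xd9" + bytes([n]) + data
    if n < 0x10000:
        return b"\xda" + struct.pack(">H", n) + data
    return b"\xdb" + struct.pack(">I", n) + data


def _msgpack_uint(v: int) -> bytes:
    """msgpack unsigned int family: positive fixint, uint 8/16/32/64."""
    if v < 0x80:
        return bytes([v])
    if v < 0x100:
        return b"\xcc" + bytes([v])
    if v < 0x10000:
        return b"\xcd" + struct.pack(">H", v)
    if v < 0x100000000:
        return b"\xce" + struct.pack(">I", v)
    return b"\xcf" + struct.pack(">Q", v)


def encode_forward_message(tag: str, timestamp: int, record: dict) -> bytes:
    """Forward protocol Message mode: fixarray [tag, time, record].

    Assumption: the record is a small map of str -> str, as the Forward
    specification requires (fixmap, fewer than 16 keys).
    """
    if len(record) >= 16:
        raise ValueError("example encoder only supports fixmap-sized records")
    out = bytes([0x90 | 3]) + _msgpack_str(tag) + _msgpack_uint(timestamp)
    out += bytes([0x80 | len(record)])
    for key, value in record.items():
        out += _msgpack_str(key) + _msgpack_str(str(value))
    return out


def roundtrip(tag: str, message: str, timestamp: Optional[int] = None,
              socket_path: Optional[str] = None) -> bytes:
    """Create the datagram socket (as the module does), send one message
    into it (as logcollector does), read it back and return the encoded
    event that would be sent to <address>:<port>."""
    if socket_path is None:
        # Constructed path under a temp dir; the page uses /var/run/fluent.sock.
        socket_path = os.path.join(tempfile.mkdtemp(), "fluent.sock")
    validate_config(tag, socket_path)
    if timestamp is None:
        timestamp = int(time.time())
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        server.bind(socket_path)
        os.chmod(socket_path, 0o660)  # only the owner/group may write into the socket
        server.settimeout(5)
        client.sendto(message.encode("utf-8"), socket_path)
        data = server.recv(65535)  # datagram is queued in the kernel until read
    finally:
        client.close()
        server.close()
        if os.path.exists(socket_path):
            os.unlink(socket_path)
    return encode_forward_message(tag, timestamp,
                                  {"message": data.decode("utf-8", "replace")})


if __name__ == "__main__":
    print(roundtrip("debug.test", "message").hex())
```

Restricting the socket's mode, as done with os.chmod above, matters in production too: any local process that can write to the datagram socket can inject events under the configured tag, so the socket should be writable only by the account logcollector runs as. The sample configuration that `fluentd -s conf` generates listens for Forward protocol input on port 24224 and routes the debug.** tag to stdout, which is why the page's example tag debug.test appears on the Fluentd terminal.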
Example using logcollector
This example is for testing purposes on a Debian machine, with the Wazuh manager installed.
Given the following configuration:
<fluent-forward>
<enabled>yes</enabled>
<tag>debug.test</tag>
<socket_path>/var/run/fluent.sock</socket_path>
<address>localhost</address>
<port>24224</port>
</fluent-forward>
Set up the socket for logcollector:
<socket>
<name>fluent_socket</name>
<location>/var/run/fluent.sock</location>
<mode>udp</mode>
</socket>
Set up a localfile to read from:
<localfile>
<log_format>syslog</log_format>
<location>/path/to/your/log</location>
<target>fluent_socket</target>
</localfile>
On a terminal, run the following commands as root to start a Fluentd server:
apt-get install -y ruby ruby-dev
gem install fluentd
fluentd -s conf
fluentd -c conf/fluent.conf
Restart the Wazuh manager:
systemctl restart wazuh-manager
Write a string to your log file:
echo "message" >> /path/to/your/log
You should see the message on the Fluentd server:
2019-03-28 14:47:40.000000000 +0200 debug.test: "message"
For more information about Fluentd configuration options, check the documentation at https://docs.fluentd.org/v1.0/articles/quickstart