Splunk® Supported Add-ons

Splunk Add-on for HAProxy

Configure HAProxy to send syslog data

To configure HAProxy to log in syslog, edit the HAProxy server configuration file (/etc/haproxy/haproxy.cfg) and include the following lines:

global
log 127.0.0.1 local0

You need to configure HAProxy to send events to the Splunk platform through syslog and use one of the supported formats.


Custom log format

The Splunk HTTP format is a custom log format for the Splunk Add-on for HAProxy. This is the only format which provides CIM compliance. You can configure this format by using the following defaults and frontend config sections for the HAProxy server configuration file found in the following location: /etc/haproxy/haproxy.cfg. Do not change the order of the configuration. You can only add additional configurations at the end of all the capture statements specified in the configuration below.

defaults   
   option httplog
   log-format "%{+Q}o client_ip=%ci client_port=%cp datetime_of_request=[%tr] frontend_name_transport=%ft backend_name=%b server_name=%s time_to_receive_full_request=%TR Tw=%Tw Tc=%Tc response_time=%Tr active_time_of_request=%Ta status_code=%ST bytes_read=%B captured_request_cookie=%CC captured_response_cookie=%CS termination_state_with_cookie_status=%tsc actconn=%ac feconn=%fc beconn=%bc srv_conn=%sc retries=%rc srv_queue=%sq backend_queue=%bq captured_request_headers_default_style=%hr captured_response_headers_default_style=%hs server_ip=%si server_port=%sp frontend_name=%f http_method=%HM http_request_uri_without_query=%HP http_request_query_string=%HQ http_request_uri=%HU bytes_uploaded=%U ssl_ciphers=%sslc ssl_version=%sslv"


frontend frontend_name
   capture request header Host len <len>
   capture request header Content-Type len <len>
   capture request header User-Agent len <len>
   capture request header Referer len <len>
   capture request header X-Forwarded-For len <len>
   capture response header Content-Type len <len>
   capture cookie Cookie_2 len <len>

TCP format

For TCP format; Set option tcplog on the frontend to enable this format.

HTTP format

HTTP format; Set option httplog on the frontend to enable this format.

CLF HTTP format

The CLF HTTP format is equivalent to the HTTP format, but with the fields arranged in CLF form. Set option httplog clf on the frontend to enable this format.

Default format

The default format only provides basic information about the incoming connection and therefore it is not recommended.

Override character limit

By default, HAProxy will truncate log lines with more than 1024 characters before being sent. To overcome this limit you need to override the default value by using the following config in the global settings: log <address> len <length>.

For the <length>, specify a value between 80 to 65535. You must specify a large enough value to avoid truncation.

For more information about configuring logging in HAProxy, see http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#8.

Next, configure your data collection node to receive data from HAProxy as described in Configure inputs for the Splunk Add-on for HAProxy.

Last modified on 21 July, 2021
Install the Splunk Add-on for HAProxy   Configure inputs for the Splunk Add-on for HAProxy

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters