Skip to main content

HAProxy - OpenTelemetry Collector

Thumbnail icon Thumbnail icon

HAProxy is open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers.

The Sumo Logic app for HAProxy helps you monitor activity in HAProxy. The preconfigured dashboards provide information about site visitors, including location of visitors, HTTP Error codes percentage, Backend and Frontend server statistics.

HAProxy logs are sent to Sumo Logic through OpenTelemetry filelog receiver.

Schematics

HAProxy log types

The app supports Logs from the open source version of HAProxy. The App is tested on the 2.3.9 version of HAProxy.

The HAProxy logs are generated in files as configured in the configuration file /etc/haproxy/haproxy.cfg (learn more).

Fields Create in Sumo Logic for HAProxy

Following are the Fields which will be created as part of HAProxy App install if not already present.

  • webengine.cluster.name. User configured. Enter a name to identify the Haproxy cluster. This cluster name will be shown in the Sumo Logic dashboards.
  • webengine.system. Has fixed value of haproxy
  • sumo.datasource. Has fixed value of haproxy

Prerequisites

This section provides instructions for configuring log collection for HAProxy running on a non-Kubernetes environment for the Sumo Logic app for HAProxy.

By default, HAProxy logs are forwarded to Syslog. This needs to be changed to send the logs to files. Configuration in the file /etc/haproxy/haproxy.cfg is needed to be modified to send logs to files.

  1. HAProxy logs have several levels of verbosity. To select a level, set your loglevel to one of the following:

    • emerg. Errors such as running out of operating system file descriptors.
    • alert. Some rare cases where something unexpected has happened, such as being unable to cache a response.
    • info. TCP connection and http request details and errors.
    • err. Errors such as being unable to parse a map file, being unable to parse the HAProxy configuration file, and when an operation on a stick table fails.
    • warning. Certain important, but non-critical, errors such as failing to set a request header or failing to connect to a DNS nameserver.
    • notice. Changes to a server's state, such as being UP or DOWN or when a server is disabled. Other events at startup, such as starting proxies and loading modules are also included. Health check logging, if enabled, also uses this level.
    • debug. Complete information, useful for development/testing.

    All logging settings are located in Haproxy.conf. For the dashboards to work properly, you'll need to set the log format.

    %ci:%cp\ [%tr]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
  2. You can enable HAProxy logs to syslog by adding the following line in the global section of /etc/haproxy/haproxy.cfg file. This means that HAProxy will send its messages to rsyslog on 127.0.0.1.

    global
    log 127.0.0.1  local2
  3. Create an etc/rsyslog.d/haproxy.conf file containing below lines.

    local2.*    /var/log/haproxy.log
    • You can, of course, be more specific and create separate log files according to the level of messages:
    local2.=info   /var/log/haproxy-info.log
    local2.=notice   /var/log/haproxy-notice.log
  4. Restart HAProxy and rsyslog server to enforce configuration changes.

    sudo service rsyslog restart
    sudo service haproxy reload

For Linux systems with ACL Support, the otelcol install process should have created the ACL grants necessary for the otelcol system user to access default log locations. You can verify the active ACL grants using the getfacl command. Install the ACL in your Linux environment, if not installed.

The required ACL may not be supported for some rare cases, for example, Linux OS Distro, which is officially not supported by Sumo Logic. In this case, you can run the following command to explicitly grant the permissions.

sudo setfacl -R -m d:u:otelcol-sumo:r-x,d:g:otelcol-sumo:r-x,u:otelcol-sumo:r-x,g:otelcol-sumo:r-x <PATH_TO_LOG_FILE>

Run the above command for all the log files in the directory that need to be ingested, which are not residing in the default location.

If Linux ACL Support is not available, traditional Unix-styled user and group permission must be modified. It should be sufficient to add the otelcol system user to the specific group that has access to the log files.

Collection configuration and app installation

As part of data collection setup and app installation, you can select the App from App Catalog and click on Install App. Follow the steps below.

Step 1: Set up Collector

note

If you want to use an existing OpenTelemetry Collector, you can skip this step by selecting the Use an existing Collector option.

To create a new Collector:

  1. Select the Add a new Collector option.
  2. Select the platform where you want to install the Sumo Logic OpenTelemetry Collector.

This will generate a command that you can execute in the machine environment you need to monitor. Once executed, it will install the Sumo Logic OpenTelemetry Collector.

Collector

Step 2: Configure integration

In this step, you will configure the yaml required for HAProxy Collection.

The path of the log file configured to capture haproxy logs is needed to be given here.

The files are typically located in /var/log/haproxy*.log. If you're using a customized path, check the haproxy.conf file for this information. You can add any custom fields which you want to tag along with the data ingested in Sumo. Click on the Download YAML File button to get the yaml file.

YAML

Step 3: Send logs and metrics to Sumo Logic

Once you have downloaded the yaml file as described in the previous step, follow the below steps based on your platform.

  1. Copy the yaml file to /etc/otelcol-sumo/conf.d/ folder in the Haproxy instance which needs to be monitored.
  2. Restart the collector using:
sudo systemctl restart otelcol-sumo

After successfully executing the above command, Sumo Logic will start receiving data from your host machine.

Click Next. This will install the app (dashboards and monitors) to your Sumo Logic Org.

Dashboard panels will start to fill automatically. It's important to note that each panel fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but within 20 minutes, you'll see full graphs and maps.

Sample log messages

May 13 08:24:43 localhost haproxy[21813]:
27.2.81.92:64274 [13/May/2021:08:24:43.921] web-edupia.vn-4

Sample queries

This query example is from the HAProxy - Overview dashboard > Top 5 URLs with Errors panel:

webengine.cluster.name=* %"sumo.datasource"=haproxy
| json "log" as _rawlog nodrop 
| if (isEmpty(_rawlog), _raw, _rawlog) as haproxy_log_message
| parse regex field=haproxy_log_message "(?<syslog_host>.*)\]:\s+" nodrop
| parse regex field=haproxy_log_message ":\s+(?<c_ip>[\w\.]+):(?<c_port>\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+\[(?<accept_date>.+)\]\s+" nodrop
| parse regex field=haproxy_log_message "\s+\[(?<accept_date>.+)\]\s+(?<frontend_name>\S+)\s+(?<backend_name>\S+)/(?<server_name>\S+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+(?<tq>-?\d+)/(?<tw>-?\d+)/(?<tc>-?\d+)/(?<tr>-?\d+)/(?<tt>\+?\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+(?<status_code>\d+)\s+(?<bytes_read>[\d-]+)\s+(?<tsc>.*)\s+(?<act>\d+)/(?<fe>\d+)/(?<be>\d+)/(?<srv>\d+)/(?<retries>\+?\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+(?<queue_server>\d+)/(?<queue_backend>\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+\{(?<request_headers>.*)\}\s+" nodrop
| parse regex field=haproxy_log_message "\s+\"(?<http_request>.*)\"" nodrop
| parse regex field=request_headers "(?<referer>\S+)\|(?<user_agent>[^\"]*)"
| parse regex field=http_request "(?<method>\w+)\s+(?<request>[^\"]*)\s+(?<http_version>\w+)"| where status_code matches "4*" or status_code matches "5*" and  !isEmpty(c_ip) |count by status_code,request
| sort by _count
| limit 5

Viewing HAProxy dashboards

Overview

The HAProxy - Overview dashboard provides an at-a-glance view of HAProxy visitor location, response over time and url with errors. 

Use this dashboard to:

  • Gain insights into originated traffic location by region. This can help you allocate computer resources to different regions according to their needs.
  • Gain insights into Client, Server Responses on HAProxy Server. This helps you identify errors in HAProxy Server.
Overview

Error Log Analysis

The HAProxy - Error Logs Analysis dashboard provides a high-level view of log level breakdowns, comparisons, and trends. The panels also show the geographic locations of clients and clients with critical messages, new connections and outliers, client requests, request trends, and request outliers.

Use this dashboard to:

  • Track requests from clients. A request is a message asking for a resource, such as a page or an image.
  • To track and view client geographic locations generating errors.
  • Track critical alerts and emergency error alerts.
Error Log Analysis

Outlier Analysis

The HAProxy - Outlier Analysis dashboard provides a high-level view of HAProxy server outlier metrics for bytes served, number of visitors, and server errors. You can select the time interval over which outliers are aggregated, then hover the cursor over the graph to display detailed information for that point in time.

Use this dashboard to:

  • Detect the outliers in your infrastructure with Sumo Logic's machine learning algorithm.
  • To identify outliers in incoming traffic and the number of errors encountered by your servers.
Outlier Analysis

Threat Analysis

The HAProxy - Threat Analysis dashboard provides an at-a-glance view of threats to HAProxy servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.

Use this dashboard to:

  • To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the Sumo - Crowdstrikes threat feed.
Threat Analysis

The HAProxy - Trends dashboard provides an at-a-glance view of traffic to HAProxy servers on your network. Dashboard panels display the traffic count over one day time period, locations where traffic trends for visits by country one days time.

Trends

Visitor Access Types

The HAProxy - Visitor Access Types dashboard provides insights into visitor platform types, browsers, and operating systems, as well as the most popular mobile devices, PC and Mac versions used.

Use this dashboard to:

  • Understand which platform and browsers are used to gain access to your infrastructure. These insights can be useful for planning in which browsers, platforms, and operating systems (OS) should be supported by different software services.
Visitor Access Types

Visitor Locations

The HAProxy - Visitor Locations dashboard provides a high-level view of HAProxy visitor geographic locations both worldwide and in the United States. Dashboard panels also show graphic trends for visits by country over time and visits by US region over time.

Use this dashboard to:

  • Gain insights into geographic locations of your user base. This is useful for resource planning in different regions across the globe.
Visitor Locations

Visitor Traffic Insight

The HAProxy - Visitor Traffic Insight dashboard provides detailed information on the top documents accessed, top referrers, top search terms from popular search engines, and the media types served.

Use this dashboard to:

  • To understand the type of content that is frequently requested by users.
  • It helps in allocating IT resources according to the content types.
Visitor Traffic Insight

Web Server Operations

The HAProxy - Web Server Operations dashboard provides a high-level view combined with detailed information on the top ten bots, geographic locations, and data for clients with high error rates, server errors over time, and non 200 response code status codes. Dashboard panels also show information on server error logs, error log levels, error responses by a server, and the top URIs responsible for 404 responses.

Use this dashboard to:

  • Gain insights into Client, Server Responses on HAProxy Server. This helps you identify errors in HAProxy Server.
  • To identify geo locations of all Client errors. This helps you identify client location causing errors and helps you to block client IPs.
Web Server Operations
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.