Skip to main content

HAProxy - OpenTelemetry Collector

Thumbnail icon Thumbnail icon

HAProxy is open source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers.

The Sumo Logic App for HAProxy helps you monitor activity in HAProxy. The preconfigured dashboards provide information about site visitors, including location of visitors, HTTP Error codes percentage, Backend and Frontend server statistics.

HAProxy logs are sent to Sumo Logic through OpenTelemetry filelog receiver.

Schematics

HAProxy Log Types

The app supports Logs from the open source version of HAProxy. The App is tested on the 2.3.9 version of HAProxy.

The HAProxy logs are generated in files as configured in the configuration file /etc/haproxy/haproxy.cfg (learn more).

Fields Create in Sumo Logic for HAProxy

Following are the Fields which will be created as part of HAProxy App install if not already present.

  • webengine.cluster.name. User configured. Enter a name to identify the Haproxy cluster. This cluster name will be shown in the Sumo Logic dashboards.
  • webengine.system. Has fixed value of haproxy
  • sumo.datasource. Has fixed value of haproxy

Prerequisites

This section provides instructions for configuring log collection for HAProxy running on a non-Kubernetes environment for the Sumo Logic App for HAProxy.

By default, HAProxy logs are forwarded to Syslog. This needs to be changed to send the logs to files. Configuration in the file /etc/haproxy/haproxy.cfg is needed to be modified to send logs to files.

HAProxy logs have several levels of verbosity. To select a level, set your loglevel to one of the following:

  • emerg - Errors such as running out of operating system file descriptors.
  • alert - Some rare cases where something unexpected has happened, such as being unable to cache a response.
  • info - TCP connection and http request details and errors.
  • err - Errors such as being unable to parse a map file, being unable to parse the HAProxy configuration file, and when an operation on a stick table fails.
  • warning - Certain important, but non-critical, errors such as failing to set a request header or failing to connect to a DNS nameserver.
  • notice - Changes to a server's state, such as being UP or DOWN or when a server is disabled. Other events at startup, such as starting proxies and loading modules are also included. Health check logging, if enabled, also uses this level.
  • debug - Complete information, useful for development/testing.

All logging settings are located in Haproxy.conf. For the dashboards to work properly, you'll need to set the log format.

%ci:%cp\ [%tr]\ %ft\ %b/%s\ %TR/%Tw/%Tc/%Tr/%Ta\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r
  1. You can enable HAProxy logs to syslog by adding the following line in the global section of /etc/haproxy/haproxy.cfg file. This means that HAProxy will send its messages to rsyslog on 127.0.0.1.
    global
         log 127.0.0.1  local2
  2. Create an etc/rsyslog.d/haproxy.conf file containing below lines.
    local2.*    /var/log/haproxy.log
    • You can, of course, be more specific and create separate log files according to the level of messages:
      local2.=info   /var/log/haproxy-info.log
      local2.=notice   /var/log/haproxy-notice.log
  3. Restart HAProxy and rsyslog server to enforce configuration changes.
    sudo service rsyslog restart
    sudo service haproxy reload

Collecting Logs, Metrics and installing HAProxy app

Here are the steps for Collecting Logs and installing the app.

Step 1: Set up Collector

note

If you want to use an existing OpenTelemetry Collector, you can skip this step by selecting the Use an existing Collector option.

To create a new Collector:

  1. Select the Add a new Collector option.
  2. Select the platform where you want to install the Sumo Logic OpenTelemetry Collector.

This will generate a command that you can execute in the machine environment you need to monitor. Once executed, it will install the Sumo Logic OpenTelemetry Collector.

Collector

Step 2: Configure integration

In this step, you will configure the yaml required for HAProxy Collection.

The path of the log file configured to capture haproxy logs is needed to be given here.

The files are typically located in /var/log/haproxy*.log. If you're using a customized path, check the haproxy.conf file for this information. You can add any custom fields which you want to tag along with the data ingested in Sumo. Click on the Download YAML File button to get the yaml file.

YAML

Step 3: Send logs and metrics to Sumo

Once you have downloaded the yaml file as described in the previous step, follow the below steps based on your platform.

  1. Copy the yaml file to /etc/otelcol-sumo/conf.d/ folder in the Haproxy instance which needs to be monitored.
  2. Restart the collector using:
    sudo systemctl restart otelcol-sumo

After successfully executing the above command, Sumo Logic will start receiving data from your host machine.

Click Next. This will install the app (dashboards and monitors) to your Sumo Logic Org.

Dashboard panels will start to fill automatically. It's important to note that each panel fills with data matching the time range query and received since the panel was created. Results won't immediately be available, but within 20 minutes, you'll see full graphs and maps.

Sample Log Messages

May 13 08:24:43 localhost haproxy[21813]:
27.2.81.92:64274 [13/May/2021:08:24:43.921] web-edupia.vn-4

Sample Queries

This query example is from the HAProxy - Overview dashboard > Top 5 URLs with Errors panel:

webengine.cluster.name=* %"sumo.datasource"=haproxy
| json "log" as _rawlog nodrop 
| if (isEmpty(_rawlog), _raw, _rawlog) as haproxy_log_message
| parse regex field=haproxy_log_message "(?<syslog_host>.*)\]:\s+" nodrop
| parse regex field=haproxy_log_message ":\s+(?<c_ip>[\w\.]+):(?<c_port>\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+\[(?<accept_date>.+)\]\s+" nodrop
| parse regex field=haproxy_log_message "\s+\[(?<accept_date>.+)\]\s+(?<frontend_name>\S+)\s+(?<backend_name>\S+)/(?<server_name>\S+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+(?<tq>-?\d+)/(?<tw>-?\d+)/(?<tc>-?\d+)/(?<tr>-?\d+)/(?<tt>\+?\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+(?<status_code>\d+)\s+(?<bytes_read>[\d-]+)\s+(?<tsc>.*)\s+(?<act>\d+)/(?<fe>\d+)/(?<be>\d+)/(?<srv>\d+)/(?<retries>\+?\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+(?<queue_server>\d+)/(?<queue_backend>\d+)\s+" nodrop
| parse regex field=haproxy_log_message "\s+\{(?<request_headers>.*)\}\s+" nodrop
| parse regex field=haproxy_log_message "\s+\"(?<http_request>.*)\"" nodrop
| parse regex field=request_headers "(?<referer>\S+)\|(?<user_agent>[^\"]*)"
| parse regex field=http_request "(?<method>\w+)\s+(?<request>[^\"]*)\s+(?<http_version>\w+)"| where status_code matches "4*" or status_code matches "5*" and  !isEmpty(c_ip) |count by status_code,request
| sort by _count
| limit 5

Viewing HAProxy Dashboards

Overview

The HAProxy - Overview dashboard provides an at-a-glance view of HAProxy visitor location, response over time and url with errors. 

Use this dashboard to:

  • Gain insights into originated traffic location by region. This can help you allocate computer resources to different regions according to their needs.
  • Gain insights into Client, Server Responses on HAProxy Server. This helps you identify errors in HAProxy Server.
Overview

Error Log Analysis

The HAProxy - Error Logs Analysis dashboard provides a high-level view of log level breakdowns, comparisons, and trends. The panels also show the geographic locations of clients and clients with critical messages, new connections and outliers, client requests, request trends, and request outliers.

Use this dashboard to:

  • Track requests from clients. A request is a message asking for a resource, such as a page or an image.
  • To track and view client geographic locations generating errors.
  • Track critical alerts and emergency error alerts.
Error Log Analysis

Outlier Analysis

The HAProxy - Outlier Analysis dashboard provides a high-level view of HAProxy server outlier metrics for bytes served, number of visitors, and server errors. You can select the time interval over which outliers are aggregated, then hover the cursor over the graph to display detailed information for that point in time.

Use this dashboard to:

  • Detect the outliers in your infrastructure with Sumo Logic's machine learning algorithm.
  • To identify outliers in incoming traffic and the number of errors encountered by your servers.
Outlier Analysis

Threat Analysis

The HAProxy - Threat Analysis dashboard provides an at-a-glance view of threats to HAProxy servers on your network. Dashboard panels display the threat count over a selected time period, geographic locations where threats occurred, source breakdown, actors responsible for threats, severity, and a correlation of IP addresses, method, and status code of threats.

Use this dashboard to:

  • To gain insights and understand threats in incoming traffic and discover potential IOCs. Incoming traffic requests are analyzed using the Sumo - Crowdstrikes threat feed.
Threat Analysis

The HAProxy - Trends dashboard provides an at-a-glance view of traffic to HAProxy servers on your network. Dashboard panels display the traffic count over one day time period, locations where traffic trends for visits by country one days time.

Trends

Visitor Access Types

The HAProxy - Visitor Access Types dashboard provides insights into visitor platform types, browsers, and operating systems, as well as the most popular mobile devices, PC and Mac versions used.

Use this dashboard to:

  • Understand which platform and browsers are used to gain access to your infrastructure. These insights can be useful for planning in which browsers, platforms, and operating systems (OS) should be supported by different software services.
Visitor Access Types

Visitor Locations

The HAProxy - Visitor Locations dashboard provides a high-level view of HAProxy visitor geographic locations both worldwide and in the United States. Dashboard panels also show graphic trends for visits by country over time and visits by US region over time.

Use this dashboard to:

  • Gain insights into geographic locations of your user base. This is useful for resource planning in different regions across the globe.
Visitor Locations

Visitor Traffic Insight

The HAProxy - Visitor Traffic Insight dashboard provides detailed information on the top documents accessed, top referrers, top search terms from popular search engines, and the media types served.

Use this dashboard to:

  • To understand the type of content that is frequently requested by users.
  • It helps in allocating IT resources according to the content types.
Visitor Traffic Insight

Web Server Operations

The HAProxy - Web Server Operations dashboard provides a high-level view combined with detailed information on the top ten bots, geographic locations, and data for clients with high error rates, server errors over time, and non 200 response code status codes. Dashboard panels also show information on server error logs, error log levels, error responses by a server, and the top URIs responsible for 404 responses.

Use this dashboard to:

  • Gain insights into Client, Server Responses on HAProxy Server. This helps you identify errors in HAProxy Server.
  • To identify geo locations of all Client errors. This helps you identify client location causing errors and helps you to block client IPs.
Web Server Operations
Legal
Privacy Statement
Terms of Use

Copyright © 2023 by Sumo Logic, Inc.