Add the 'newsyslog' gem to Azure OMS Agent (fluentd) crashes the agent

[SamirFarhat]

Hi All,
I have installed the OMS Linux Agent in order to send syslog messages to OMS.
I'm using a version which is based on ruby 2.3 (No yet published)
The aim is to use the 'newsyslog' input type which solves some limitations encountered with the 'syslog' input type
I have installed the newsyslog gem using this command :
./fluent-gem install fluent-plugin-newsyslog
The installation was successful

The following is my omsagent.conf file (which uses the same fluentd syntax)

type newsyslog # format none port 20514 bind 0.0.0.0 protocol_type udp tag oms.networkdevices

When restarting the OMS Agent, i encountered the following error : ( service omsagent status -l)
.

I also noticed that the in_newsyslog.rb is not located under "/opt/microsoft/omsagent/ruby/lib/ruby/gems/2.3.0/gems/fluentd-0.12.24/lib/fluent/plugin/" where all the rb files were supposed to be located.
Fluentd version : fluentd-0.12.24
OS : Centos 7.3

What do you think that is missing ?
Thanks

[SamirFarhat]

I think that the best to help me is @repeatedly (if he can)

[repeatedly]

Maybe, this is the cause: athenahealth/fluent-plugin-newsyslog#3

[repeatedly]

I checked newsyslog plugin code and the main difference is supporting rfc5424 format.
in_syslog with newsyslog rfc5424 regexp format seems to realize same thing.

[SamirFarhat]

Thanks repeatedly. So what m'i supposed to do please. Use the time_format with the appropriate regexp ?
Can i use multiple time formats and use the 'OR' (|) statement on the regexp ? Do you think it's supported.
If this will cover my needs, i will wait for the final OMS agent with the newsyslog format and the right documentation.

[repeatedly]

Can i use multiple time formats and use the 'OR' (|) statement on the regexp ? Do you think it's supported.

This is hard for now. BTW, if your case is in_syslog receives rfc3614 and rfc5424 formats at the same time, supporting it in in_syslog is good idea.

[SamirFarhat]

Hi Masahiro,
Thanks for your support. What do you mean by "supporting it in in_syslog is good idea" ?
The goal is to support different equipments using different rfc implementations (rfc3614 and rfc5424 formats) which is not native with fluentD. Can you point me to any documentation that allow me properly configure it ?
Infinite thanks

[repeatedly]

What do you mean by "supporting it in in_syslog is good idea" ?

It means adding feature to handle both spec to in_syslog.

[SamirFarhat]

I think that the in_newsyslog and parser_newsyslog is doiing this ? Am i right ?

[repeatedly]

We just merged this patch: #1492
This can accept RFC3614 and RFC5424 formats in one source.
Is it enough?
Do you want to use different time format in RFC3614 message?

[repeatedly]

v0.12.33 includes #1492 features.
Could you check this is enough or not?
#1492 seems to cover newsyslog plugin feature.

[SamirFarhat]

Hi,
Thanks for pointing me out to this. I'm currently testing it. Will report back here.