
Docker rsyslog driver adds message length before actual message


I'm trying to configure an rsyslog server for receiving logs from Docker containers. I am currently using the following command for running a Docker container:

sudo docker run -d --log-driver=syslog --log-opt syslog-address=udp://localhost:514 --log-opt syslog-format=rfc5424 --log-opt tag="remote:shouldshow" alpine echo "some random message"

I'm using rfc5424 because the standard log format from Docker to rsyslog breaks the message at the colon characters, splitting the tag remote:shouldshow and adding shouldshow to the message. More info about this situation here: https://github.com/docker/docker/issues/18712

The problem is that my log message coming from Docker has an additional three-digit number before the message, like the 127 in the following example (rawmsg property from rsyslog):

127 <30>1 2016-07-12T00:51:13-03:00 vitor-Lenovo-G50-70 docker/remote:shouldshow 2910 docker/remote:shouldshow some random message

When I try to use the syslog properties like APP-NAME or syslogtag, they all have <30>1 as their value.

I have copied this message without the 127 and sent it to the syslog server through netcat, and the values were parsed correctly, like this:

echo '<30>1 2016-07-12T00:15:53-03:00 vitor-Lenovo-G50-70 docker/remote:shouldshow 2910 docker/remote:shouldshow some random message' | nc -u -v localhost 514

Does anyone have any idea why this is happening? Any help would be really appreciated. Thanks in advance.

Looking into the Docker code, I've found that this three-digit number is the length of the message. Still, I am facing the same problem: rsyslog cannot correctly parse this message, which includes its length before the actual log message.


Solution

  • After a lot of struggling I have figured it out. It turns out if you configure Docker log driver to use RFC5424 syslog format, Docker uses a lib that sends syslog messages using the RFC5425 standard, which defines the standard way of sending syslog messages through TLS. https://www.rfc-editor.org/rfc/rfc5425

    So if you configure Docker log driver to use TLS, and configure your rsyslog server to receive encrypted messages, rsyslog parses the message correctly.
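
The framing the answer refers to is RFC 5425's octet counting: each message travels as MSG-LEN SP SYSLOG-MSG, which is why a receiver that expects a bare message reads the length as the start of the header. The following is an added example, not code from the original post, Docker or rsyslog: it strips the length prefix and then parses the header fields. The function names are hypothetical, the sample bytes are constructed from the rawmsg in the question, and the trailing newline is an assumption.

```python
import re

# RFC 5425 section 4.3: SYSLOG-FRAME = MSG-LEN SP SYSLOG-MSG (MSG-LEN = octet count)
FRAME_RE = re.compile(rb"([1-9][0-9]*) ")
# Lenient header match: everything after MSGID is treated as the message text,
# because the sample on this page carries no separate STRUCTURED-DATA field.
HEADER_RE = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)", re.S)

# Constructed sample modelled on the rawmsg in the question (newline is assumed).
BODY = (b"<30>1 2016-07-12T00:51:13-03:00 vitor-Lenovo-G50-70 "
        b"docker/remote:shouldshow 2910 docker/remote:shouldshow some random message\n")
FRAMED = str(len(BODY)).encode() + b" " + BODY


def deframe(stream: bytes) -> list:
    """Split a byte stream into syslog messages. Accepts octet-counted
    frames and, as a fallback, one unframed message starting with '<'."""
    msgs, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 1] == b"<":        # bare message, no length prefix
            msgs.append(stream[pos:])
            break
        m = FRAME_RE.match(stream, pos)
        if not m:
            raise ValueError(f"no MSG-LEN at offset {pos}")
        start, length = m.end(), int(m.group(1))
        if start + length > len(stream):       # declared length exceeds data
            raise ValueError("truncated frame")
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs


def parse_header(msg: bytes) -> dict:
    """Parse PRI, VERSION and the header fields of one unframed message."""
    m = HEADER_RE.match(msg.decode("utf-8", "replace"))
    if not m:
        raise ValueError("not an RFC 5424 style header")
    pri = int(m.group(1))
    keys = ("version", "timestamp", "hostname", "app_name", "procid", "msgid", "msg")
    out = dict(zip(keys, m.groups()[1:]))
    out.update(facility=pri >> 3, severity=pri & 7)
    return out


if __name__ == "__main__":
    for raw in deframe(FRAMED + FRAMED):       # two frames back to back
        print(parse_header(raw))
```

Calling parse_header on the framed bytes directly raises ValueError, which mirrors the mis-parse described in the question.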