GELF

    The following instructions assume that you have a fully operational Graylog server running in your environment.

    According to the GELF Payload Specification, there are some mandatory and optional fields which are used by Graylog in GELF format. These fields are determined with the Gelf_*_Key keys in this plugin.

    • If you’re using Fluent Bit to collect Docker logs, note that Docker places your log in JSON under the key log. So you can set log as your Gelf_Short_Message_Key to send everything in Docker logs to Graylog. In this case, your log value needs to be a string, so don’t parse it with the JSON parser.
    • The order of looking up the timestamp in this plugin is as follows:
      1. Value of key
      2. If you’re using , this parser can parse time and use it as timestamp of message. If all above fail, Fluent Bit tries to get timestamp extracted by your parser.
      3. The timestamp is not set by Fluent Bit. In this case, your Graylog server will set it to the current timestamp (now).
    • Your log timestamp has to be in UNIX Epoch Timestamp format. If the Gelf_Timestamp_Key value of your log is not in this format, your Graylog server will ignore it.
    • If you’re using Fluent Bit in Kubernetes and you’re using , this plugin adds the host value to your log by default, and you don’t need to add it yourself.
    • The version of GELF message is also mandatory and Fluent Bit sets it to 1.1 which is the current latest version of GELF.

    If you’re using Fluent Bit for shipping Kubernetes logs, you can use something like this as your configuration file:

    By default, GELF TCP uses port 12201 and Docker places your logs in the /var/log/containers directory. The logs are placed in the value of the log key. For example, this is a log saved by Docker:

    Now, this is what happens to this log:

    1. Fluent Bit GELF plugin adds "version": "1.1" to it.
    2. The Nest Filter unnests the fields inside the log key. In our example, it puts data alongside stream and time.
    3. We used this data key as Gelf_Short_Message_Key; so GELF plugin changes it to short_message.
    4. adds host name.
    5. Timestamp is generated.
    6. Any custom field (not present in the GELF Payload Specification) is prefixed with an underscore.
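
The six steps above, modelled in Python on one log line. This is an added illustration, not Fluent Bit's code and not part of the original page; the sample line, the host name `node-1` and the function names are constructed. Dropping a non-epoch timestamp value is an assumption that follows the note that Graylog ignores such values.

```python
import calendar
import json
import time

# Names the GELF payload spec defines itself; every other key is a custom field.
GELF_FIELDS = {"version", "host", "short_message", "full_message", "timestamp", "level"}

# Constructed sample of a Docker log line whose "log" value holds JSON text.
SAMPLE = ('{"log":"{\\"data\\": \\"login failed\\", \\"user\\": \\"alice\\"}",'
          '"stream":"stderr","time":"2019-07-21T12:45:11.273315023Z"}')


def docker_time_to_epoch(value):
    """Convert Docker's UTC time string (nanoseconds, trailing Z) to epoch seconds."""
    whole, _, frac = value.rstrip("Z").partition(".")
    seconds = calendar.timegm(time.strptime(whole, "%Y-%m-%dT%H:%M:%S"))
    return seconds + (float("0." + frac) if frac else 0.0)


def to_gelf(line, host, short_message_key="data", timestamp_key=None):
    """Return the GELF message for one Docker log line (model of steps 1-6)."""
    record = json.loads(line)
    parsed_time = docker_time_to_epoch(record.pop("time"))  # the parser consumes "time"
    record.update(json.loads(record.pop("log")))            # step 2: unnest the log key
    msg = {"version": "1.1", "host": host}                  # steps 1 and 4
    short = record.pop(short_message_key)                   # step 3: rename the key
    if not isinstance(short, str):
        raise ValueError("short_message must be a string")
    msg["short_message"] = short
    # Step 5: the configured timestamp key is looked up first, then the time the
    # parser extracted. Only a Unix epoch number is kept.
    if timestamp_key and timestamp_key in record:
        ts = record.pop(timestamp_key)
    else:
        ts = parsed_time
    if isinstance(ts, (int, float)) and not isinstance(ts, bool):
        msg["timestamp"] = ts        # otherwise omitted: Graylog stamps "now"
    for key, value in record.items():                       # step 6: prefix custom fields
        msg[key if key in GELF_FIELDS else "_" + key] = value
    return msg
```

Calling `to_gelf(SAMPLE, "node-1")` yields `short_message`, `host`, `version`, an epoch `timestamp`, and the custom fields as `_user` and `_stream`.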

    Finally, this is what our Graylog server input sees: