Re: Diego log grouping

Eric Malm <emalm@...>

Hi, Mike,

Thanks for the report! From your packet captures or on-VM logs, do you have
an example of the log line groups that Splunk is failing to ingest? Is it
all the log lines, or just ones coming from particular Diego components?

The dependency hasn't changed in diego-release
between 1099 and 1304, but it's possible that our use of it in
diego-release has. Likewise, the package
that's emitting logs has changed in only trivial ways between those
releases. We have upgraded the release to use Go 1.4.2 instead of 1.4,

Also, what stemcell versions are you using in the deployments? I'm assuming
that if CF is deployed alongside these Diego deployments, it's at the
corresponding recommended final version (v207 and v212, respectively). If
so, are there any problems with the syslog messages coming from those

Eric, CF Runtime Diego PM

On Mon, Jul 20, 2015 at 6:51 PM, Mike Jacobi <jacobi(a)> wrote:

We have a Diego 1099 deployment and syslog_daemon_config configured. We
see a 1:1 mapping for Diego platform messages to syslog messages. In other
words, for each syslog message that hits the wire, there is one platform
message as its payload. This works well with Splunk, which is ultimately
where the messages end up.

We have another deployment, but on Diego 1304, with its
syslog_daemon_config identical to the other, but Splunk is **not**
ingesting its logs. We ran a packet capture and discovered that this
deployment is grouping its log messages in a 1:n manner: For each syslog
message on the wire, we have multiple platform messages within, separated
by newlines. I suspect this is the reason the logs aren’t being ingested.

I took a quick glance at the code and it seems like this might be due to
ifrit/grouper, but I can’t say for sure.

Has anyone run into this issue?



cf-dev mailing list
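
Added example, not part of the original thread and not Diego or Splunk code: a check a capture reviewer or log forwarder could run on each syslog payload to tell the 1:1 shape from the 1:n shape described above, and to split a grouped payload back into one line per record. The RFC 3164-style header, the sample payloads and the function names are assumptions constructed for illustration; the thread does not show the actual bytes on the wire.

```python
import re

# Assumed RFC 3164-style prefix: <PRI>Mmm dd hh:mm:ss host tag:
HEADER = re.compile(r"^(<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ [^:\s]+: ?)")

# Constructed payloads: one record per datagram (1:1) and three records
# separated by newlines inside a single datagram (1:n).
SINGLE = b'<14>Jul 20 18:51:02 cell-0 rep: {"message":"rep.started"}\n'
GROUPED = (b'<14>Jul 20 18:51:03 cell-0 rep: {"message":"rep.a"}\n'
           b'{"message":"rep.b"}\n'
           b'{"message":"rep.c"}\n')


def split_grouped(payload: bytes) -> list[str]:
    """Return one syslog line per embedded record.

    The header of the first record is repeated on every following record
    that lacks its own, so each output line can be parsed on its own by a
    line-oriented indexer.
    """
    text = payload.decode("utf-8", errors="replace").rstrip("\r\n")
    match = HEADER.match(text)
    header = match.group(1) if match else ""
    body = text[len(header):]
    lines = []
    for record in body.splitlines():
        if not record.strip():
            continue  # skip blank lines between records
        # A record that already carries a header is kept unchanged.
        lines.append(record if HEADER.match(record) else header + record)
    return lines


def is_grouped(payload: bytes) -> bool:
    """True when one syslog payload carries more than one record."""
    return len(split_grouped(payload)) > 1


if __name__ == "__main__":
    for name, payload in (("single", SINGLE), ("grouped", GROUPED)):
        print(name, "grouped" if is_grouped(payload) else "1:1")
        for line in split_grouped(payload):
            print("   ", line)
```

Counting payloads where `is_grouped` is true, per sending host, gives a quick measure of how many records a line-per-event ingester would mis-parse or drop.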
