Monitoring
Logging
By default, Gate emits logs to the stderr
sink in json
format with log level info
.
If not specified, the default configuration is equivalent to the following:
- Environment variables
- HCL
- JSON
- TOML
- YAML
GATE_LOG_FORMAT=json
GATE_LOG_LEVEL=info
GATE_LOG_OUTPUTS_0_SINK=stderr
gate = {
log = {
format = "json"
level = "info"
outputs = [
{
sink = "stderr"
}
]
}
}
{
"gate": {
"log": {
"format": "json",
"level": "info",
"outputs": [
{
"sink": "stderr"
}
]
}
}
}
[gate.log]
format = "json"
level = "info"
[[gate.log.outputs]]
sink = "stderr"
gate:
log:
format: json
level: info
outputs:
- sink: stderr
Supported log levels:
panic
fatal
error
warn
info
debug
trace
Trace and debug logs may contain sensitive information from requests (like headers).
Please make sure to set the log-level to debug
only in environments where you can safely print the configuration.
Supported log formats:
text
json
Supported sinks:
stderr
stdout
syslog
Multiple outputs can be configured simultaneously, and each one can specify a different sink, log format and log level overriding the defaults. Refer to the following sections for logging to standard streams or SysLog
Logging to standard streams
Gate supports logging to the stdout
and stderr
standard streams.
For example, the following configuration outputs trace
and higher severity logs (i.e., all logs) to stdout
in textual format, and only warnings and higher severity to stderr
as JSON:
- Environment variables
- HCL
- JSON
- TOML
- YAML
GATE_LOG_OUTPUTS_0_SINK=stdout
GATE_LOG_OUTPUTS_0_FORMAT=text
GATE_LOG_OUTPUTS_0_LEVEL=trace
GATE_LOG_OUTPUTS_1_SINK=stderr
GATE_LOG_OUTPUTS_1_FORMAT=json
GATE_LOG_OUTPUTS_1_LEVEL=warn
gate = {
log = {
outputs = [
{
sink = "stdout"
format = "text"
level = "trace"
},
{
sink = "stderr"
format = "json"
level = "warn"
}
]
}
}
{
"gate": {
"log": {
"outputs": [
{
"sink": "stdout",
"format": "text",
"level": "trace"
},
{
"sink": "stderr",
"format": "json",
"level": "warn"
}
]
}
}
}
[[gate.log.outputs]]
sink = "stdout"
format = "text"
level = "trace"
[[gate.log.outputs]]
sink = "stderr"
format = "json"
level = "warn"
gate:
log:
outputs:
- sink: stdout
format: text
level: trace
- sink: stderr
format: json
level: warn
The format
and level
configuration parameters are optional for outputs and default to the top-level log.format
and log.level
values.
Buffering
By default, the output of the Gate process's standard streams is "unbuffered", only relying on the OS-provided stream buffers.
If your application produces logs to standard streams faster than your infrastructure or collectors can consume, you can
configure Gate to provide its own buffering by using the sink-specific parameters.buffer_size
:
- Environment variables
- HCL
- JSON
- TOML
- YAML
GATE_LOG_OUTPUTS_0_SINK=stdout
GATE_LOG_OUTPUTS_0_FORMAT=text
GATE_LOG_OUTPUTS_0_LEVEL=trace
GATE_LOG_OUTPUTS_0_PARAMETERS_BUFFER_SIZE=65536
gate = {
log = {
outputs = [
{
sink = "stdout"
format = "text"
level = "trace"
parameters = {
buffer_size = 65535
}
}
]
}
}
{
"gate": {
"log": {
"outputs": [
{
"sink": "stdout",
"format": "text",
"level": "trace",
"parameters": {
"buffer_size": 65535
}
}
]
}
}
}
[[gate.log.outputs]]
sink = "stdout"
format = "text"
level = "trace"
parameters.buffer_size = 65535
gate:
log:
outputs:
- sink: stdout
format: text
level: trace
parameters:
buffer_size: 65535
In the example above a stdout
sink has an extra Gate-managed buffer of 64KiB.
Logging to SysLog
Gate supports shipping logs to a RFC5424-compliant SysLog server by using the syslog
sink type.
These are the supported configuration values:
- Environment variables
- HCL
- JSON
- TOML
- YAML
GATE_LOG_OUTPUTS_0_SINK=syslog
GATE_LOG_OUTPUTS_0_FORMAT=<Log format>
GATE_LOG_OUTPUTS_0_LEVEL=<Log level>
GATE_LOG_OUTPUTS_0_PARAMETERS_NETWORK=<Network>
GATE_LOG_OUTPUTS_0_PARAMETERS_ADDRESS=<Address>
GATE_LOG_OUTPUTS_0_PARAMETERS_FACILITY=<SysLog facility>
GATE_LOG_OUTPUTS_0_PARAMETERS_TAG=<SysLog tag>
gate = {
log = {
outputs = [
{
sink = "syslog"
format = "<Log format>"
level = "<Log level>"
parameters = {
network = "<Network>"
address = "<Address>"
facility = <SysLog facility>
tag = "<SysLog tag>"
}
}
]
}
}
{
"gate": {
"log": {
"outputs": [
{
"sink": "syslog",
"format": "<Log format>",
"level": "<Log level>",
"parameters": {
"network": "<Network>",
"address": "<Address>",
"facility": <SysLog facility>,
"tag": "<SysLog tag>"
}
}
]
}
}
}
[[gate.log.outputs]]
sink = "syslog"
format = "<Log format>"
level = "<Log level>"
parameters.network = "<Network>"
parameters.address = "<Address>"
parameters.facility = <SysLog facility>
parameters.tag = "<SysLog tag>"
gate:
log:
outputs:
- sink: syslog
format: <Log format>
level: <Log level>
parameters:
network: <Network>
address: <Address>
facility: <SysLog facility>
tag: <SysLog tag>
where:
<Log format>
supports the same values as all other sinks:trace
,debug
,info
,warn
,error
,fatal
,panic
<Log level>
supports the same values as all other sinks:text
,json
<Network>
is the network type to connect to the SysLog server:tcp
,tcp4
(IPv4-only),tcp6
(IPv6-only),udp
,udp4
(IPv4-only),udp6
<Address>
is the network address of the remote SysLog server in thehost:port
format (e.g.,syslog.example.com:6514
)<SysLog facility>
is the SysLog facility value: between 0 and 23 (included)<SysLog tag>
is the SysLog application tag (also referred to as application name): any string value identifying the current Gate instance
By default, Gate connects to the specified remote SysLog server over TLS (v1.2 and above). You can optionally instruct Gate to skip certificate verification or disable TLS entirely by using the
tls.insecure
and tls.disabled
boolean parameters, respectively:
- Environment variables
- HCL
- JSON
- TOML
- YAML
GATE_LOG_OUTPUTS_0_SINK=syslog
...
GATE_LOG_OUTPUTS_0_PARAMETERS_TLS_INSECURE=<Skip certificate verification>
GATE_LOG_OUTPUTS_0_PARAMETERS_TLS_DISABLED=<Disable TLS>
gate = {
log = {
outputs = [
{
sink = "syslog"
...
parameters = {
...
tls = {
insecure = <Skip certificate verification>
disabled = <Disable TLS>
}
}
}
]
}
}
{
"gate": {
"log": {
"outputs": [
{
"sink": "syslog",
...
"parameters": {
...
"tls": {
"insecure": <Skip certificate verification>,
"disabled": <Disable TLS>
}
}
}
]
}
}
}
[[gate.log.outputs]]
sink = "syslog"
...
parameters.tls.insecure = <Skip certificate verification>
parameters.tls.disabled = <Disable TLS>
gate:
log:
outputs:
- sink: syslog
...
parameters:
...
tls:
insecure: <Skip certificate verification>
disabled: <Disable TLS>
Priority
The resulting SysLog priority value of each message is a combination for its "facility" value, as provided in the configuration, and the "severity" value of each log line. In particular, Gate maps log levels to SysLog severity values as follows:
panic
,fatal
: Criticalerror
: Errorwarn
: Warninginfo
: Informationaldebug
,trace
: Debug
Connection management
Gate automatically manages the connection to the remote SysLog server. In particular, it will try to connect immediately on start-up and fail to initialize if a connection cannot be established. If a connection or communication error is detected, Gate will automatically try to reconnect, with an exponential backoff delay. Gate continues to log without interruptions even while not connected to the SysLog server, as described in the message queueing section.
Message Queueing
To avoid a negative impact on performance due to slow or intermittent connectivity with the SysLog server, Gate's syslog
sink handles logs asynchronously.
Any logging operation simply adds the log entry to a transmission queue. The log is then asynchronously sent to the SysLog server as soon as a connection becomes available. Please
refer to the connection management section for details.
The transmission queue holds up to 64K log entries, but it may fill up entirely under certain circumstances, such as a prolonged disconnection from the SysLog server, or the server being consistently slow at ingesting messages. In this case, Gate prioritizes continuity of operations, dropping the oldest message in the queue in favor of each new entry.
Metadata
Gate populates the following fields for all outgoing SysLog messages:
HOSTNAME
: hostname of the machine as provided by the OSAPP-NAME
: application tag as specified in thesyslog
sink configuration parametersPROCID
: the PID of the Gate processTIMESTAMP
: current time with micro-second precision, the maximum allowed by the SysLog protocol
On top of the information provided in the header, Gate takes advantage of the SysLog Structured Data mechanism to enrich each message with the following extra information:
origin
:ip
: the local IP address of the connection to the SysLog serverenterpriseId
: always equal to60696
, SlashID's Private Enterprise Number as assigned by IANAsoftware
: always equal togate
swVersion
: a string representing Gate's version in the[version]-[commit]
format
meta
:sequenceId
: the sequence number for the message (starts at 1 and wraps around after 2147483647)
Health checks
ExtAuth mode
Gate implements the gRPC Health Checking Protocol v1. We also include grpc_health_probe
in all our docker images.
Here's an example of a Docker Compose setup:
version: "3"
services:
gate:
image: slashid/gate-free:latest
ports:
- "8080:8080"
healthcheck:
test: ["CMD", "/usr/local/bin/grpc_health_probe", "-addr=:8080"]
interval: 5s
timeout: 10s
retries: 3
Here's an example of a Kubernetes v1.23+ setup using Kubernetes' built-in gRPC health checking capability:
apiVersion: v1
kind: Pod
metadata:
name: gate
spec:
containers:
- name: gate
image: slashid/gate-free:latest
ports:
- containerPort: 8080
livenessProbe:
grpc:
port: 8080
initialDelaySeconds: 5
Finally, an example of a Kubernetes setup using grpc_health_probe
:
apiVersion: v1
kind: Pod
metadata:
name: gate
spec:
containers:
- name: gate
image: slashid/gate-free:latest
ports:
- containerPort: 8080
readinessProbe:
exec:
command: ["/usr/local/bin/grpc_health_probe", "-addr=:8080"]
initialDelaySeconds: 5
livenessProbe:
exec:
command: ["/usr/local/bin/grpc_health_probe", "-addr=:8080"]
initialDelaySeconds: 10