Fluentd Blog

Fluentd v0.14.5 has been released

Hi users!

6 days after the last relase, we shipped the latest release, Fluentd v0.14.5. It's a bit quick release from the last one, to fix a problem which affects many people who tries Fluentd with existing configurations.

This release also includes some feature improvements. The biggest one is the update of Fluentd forward protocol and forward input/output plugins, to support authentication and authorization.

Here are major changes (full ChangeLog is available here):

forward plugins: Update protocol to v1

Fluentd forward plugins are to transfer Fluentd's events from one node to another via network. It's widely used by Fluentd processes, Docker logging driver for Fluentd, Fluent logger for programming languages and many others.

Before v0.14.5, Forward plugins/protocol was very simple one, to transfer events, without providing any safety, including network ACL, shared keys or password authentication. It was called as Forward Protocol version 0. Anyone who can connect TCP ports of in_forward can inject events into Fluentd processes on that version.

At v0.14.5, forward input/output plugins support Fluentd Forward Protocol version 1. This new protocol is perfectly compatible with older version 0, and provides the features below in addition to it.

• Server (in_forward) authentication using shared key
• Client (out_forward) authorization using shared key (per client) and pair of username/password

Once in_forward is configured with <security> section, the only nodes which are configured with correct shared_key and username/password can connect to that node.

# in_forward
<source>
  @type forward
  port 24224
  <secure>
    self_hostname aggregator1.fluentd.local
    shared_key    my_secret_string
    user_auth     true
    <user>
      username user1
      password pass1
    </user>
    <user>
      username user2
      password pass2
    </user>
    <client>
      network 10.0.0.0/16
      users user1,user2
    </client>
    <client>
      # more secure area
      network 192.168.0.0/24
      shared_key more_secret_string
      useers user1
    </client>
  </secure>
</source>

# out_forward
<match secure.data.*>
  @type forward
  <security>
    self_hostname edge110.fluentd.local
    shared_key    my_secret_string
  </security>
  <server>
    host 10.0.0.1
    port 24224
    username user1
    password pass1
  </server>
</match>

For now, This version doesn't provide encryption like SSL/TLS. So this authentication/authorization will be done on raw TCP transportation. Forward plugins never send raw shared keys and passwords... but you may have to wait next (or more) released to support SSL/TLS communication if you want more secure configurations (it's in our plan).

One good news: Fluentd forward protocol v1 is just same with the protocol implemented on fluent-plugin-secure-forward (except for TCP or SSL/TLS). So you can configure the total architecture like below using out_secure_forward, in_forward(v0.14.5) and SSL/TLS terminator like AWS ELB.

[out_secure_forward] ---> (SSL/TLS over internet) ---> [AWS ELB] ---> (TCP in AWS VPC) ---> [in_forward]

This configuration works pretty well, because Fluentd doesn't consume its CPU for encryption and decryption.

Major bug fixes

• fix to raise configuration error explicitly for missing @type in configuration file #1202
• fix bug to fail to launch Fluentd when configuration uses v0.12 MultiOutput plugins #1206

Enjoy logging!