> ## Documentation Index > Fetch the complete documentation index at: https://docs.onefirewall.com/llms.txt > Use this file to discover all available pages before exploring further. # HAProxy with Fluent Bit > Integrating HAProxy Logs with OneFirewall Using Fluent Bit This guide shows you how to capture logs from an HAProxy Docker container, extract relevant fields, and forward them to OneFirewall's traffic validation API using Fluent Bit and Lua scripting. ## Overview * HAProxy logs are sent directly to Fluent Bit over UDP (syslog) * Fluent Bit extracts fields (like source IP and HTTP status) * Lua script transforms log into a JSON payload * Fluent Bit posts the data to OneFirewall's API *** ## 1. Folder Structure ``` project-root/ ├── docker-compose.yml ├── fluent-bit/ │ ├── fluent-bit.conf │ ├── parsers.conf │ └── send_to_onefirewall.lua ├── haproxy/ │ └── haproxy.cfg ``` *** ## 2. HAProxy Configuration ### `haproxy.cfg` ```cfg theme={null} global log fluent-bit:5140 local0 daemon defaults log global mode http option httplog timeout connect 5s timeout client 30s timeout server 30s ``` This configuration sends logs over UDP to Fluent Bit, which must be running in the same Docker network. *** ## 3. Fluent Bit Parser ### `parsers.conf` ```ini theme={null} [PARSER] Name haproxy_raw Format regex Regex ^<\d+>\w+\s+\d+\s+\d+:\d+:\d+\s+haproxy\[\d+\]: (?\d+\.\d+\.\d+\.\d+):\d+ \[[^\]]+\] \S+ \S+ \d+/\d+/\d+/\d+/\d+ (?\d{3}) ``` *** ## 4. Lua Script for Transformation ### `send_to_onefirewall.lua` ```lua theme={null} function escape(s) s = string.gsub(s, '\\', '\\\\') s = string.gsub(s, '"', '\\"') return s end function cb_send(tag, ts, record) local src_ip = tostring(record["src_ip"]) local action = tostring(record["action"]) if not string.match(src_ip, "^%d+%.%d+%.%d+%.%d+$") then return -1 end local json = string.format( '{"src_ip":"%s","dst_ip":"192.168.0.1","src_port":3435,"dst_port":443,"service":"myservice","firewall":"haproxy","action":"%s","direction":"inbound"}', escape(src_ip), escape(action) ) return 1, ts, { body = json, headers = {} } end ``` *** ## 5. Fluent Bit Configuration ### `fluent-bit.conf` ```ini theme={null} [SERVICE] Flush 1 Log_Level info Parsers_File /fluent-bit/etc/parsers.conf [INPUT] Name syslog Mode udp Listen 0.0.0.0 Port 5140 Parser haproxy_raw Tag haproxy.syslog [FILTER] Name lua Match haproxy.* script /fluent-bit/etc/send_to_onefirewall.lua call cb_send [OUTPUT] Name http Match haproxy.* Host app.onefirewall.com Port 443 URI /api/v1/poc_traffic/direct Format msgpack tls On tls.verify On Header Authorization Bearer YOUR_TOKEN_HERE Header Content-Type application/json Body_Key body Headers_Key headers Compress off [OUTPUT] Name stdout Match * Format json_lines ``` *** ## 6. Docker Compose Example ```yaml theme={null} version: '3.8' services: haproxy: image: haproxy:lts-alpine3.21 container_name: haproxy ports: - "443:443" depends_on: - fluent-bit command: > sh -c "haproxy -f /usr/local/etc/haproxy/haproxy.cfg" volumes: - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg fluent-bit: image: fluent/fluent-bit:2.1 container_name: fluent-bit ports: - "5140:5140/udp" volumes: - ./fluent-bit:/fluent-bit/etc ``` > Ensure both containers are on the same network (Docker Compose does this by default). *** ## 7. OneFirewall Traffic Validation When Fluent Bit sends structured traffic data to OneFirewall: * OneFirewall **validates `src_ip` and `dst_ip` fields** * Invalid or private IPs are rejected with: ```json theme={null} { "message": "Not valid SRC or DST IP" } ``` * Ensure you're using valid **public IPv4 addresses** for testing. *** ## ✅ Result With this setup: * HAProxy sends logs over UDP to Fluent Bit * Fluent Bit parses and transforms the data with Lua * JSON is posted to OneFirewall's traffic validation API *** ## 🔒 Notes * Replace `YOUR_TOKEN_HERE` with your actual OneFirewall token * Consider adding retry/failure handling or S3 backup for production * Ensure `dst_ip` is not a private/local IP unless OneFirewall allows it *** ## 💬 Need Help? Feel free to reach out to [OneFirewall Support](https://app.onefirewall.com) if you need help debugging HTTP integration or validating traffic.