Fluentd is an open-source data collector that unifies log aggregation across your infrastructure, enabling you to collect, parse, transform, and forward logs to multiple destinations from a single configuration file. Maintained by the Cloud Native Computing Foundation (CNCF), it has become the industry standard for centralized log management in cloud-native environments. The Treasure Data distribution, known as td-agent, bundles Fluentd with a stable set of plugins and a convenient RPM package. This guide walks through installing and configuring Fluentd on Red Hat Enterprise Linux 9 to collect Nginx access logs and forward them to an Elasticsearch backend or a remote Fluentd aggregator.

Prerequisites

  • RHEL 9 server with sudo or root access
  • Nginx installed and generating logs at /var/log/nginx/access.log
  • An Elasticsearch instance or a remote Fluentd aggregator reachable over the network
  • SELinux in enforcing mode (the guide covers required policy adjustments)
  • Firewall access to port 24224 (Fluentd forward protocol) if using aggregator mode

Step 1 — Add the Treasure Data Repository

Treasure Data provides an official installation script that configures the correct RPM repository for your OS version. Run it as root and then verify the repository is active.

curl -fsSL https://toolbelt.treasuredata.com/sh/install-redhat-td-agent4.sh | sh
dnf repolist | grep td-agent

Step 2 — Install td-agent and the Elasticsearch Plugin

Install the td-agent package, then use the bundled gem tool to add the Elasticsearch output plugin. The fluent-plugin-elasticsearch plugin enables direct forwarding to an Elasticsearch cluster.

dnf install -y td-agent
td-agent-gem install fluent-plugin-elasticsearch --no-document
td-agent --version

Step 3 — Configure Log Sources, Filters, and Outputs

The main configuration file is /etc/td-agent/td-agent.conf. Replace its contents with a configuration that tails Nginx access logs, parses them with a named pattern, and forwards matching events to Elasticsearch. The tag nginx.access routes events through the filter and into the match block.

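# /etc/td-agent/td-agent.conf

# Tail the Nginx access log and parse each line as combined log format
<source>
  @type tail
  path /var/log/nginx/access.log
  pos_file /var/log/td-agent/nginx-access.pos
  tag nginx.access
  <parse>
    @type apache2
  </parse>
</source>

# Add hostname and environment fields to every nginx.access record
<filter nginx.access>
  @type record_transformer
  <record>
    hostname "#{Socket.gethostname}"
    environment production
  </record>
</filter>

# Send nginx.access events to Elasticsearch as daily nginx-YYYY.MM.DD indices
<match nginx.access>
  @type elasticsearch
  host elasticsearch.example.com
  port 9200
  logstash_format true
  logstash_prefix nginx
  flush_interval 5s
</match>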
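
The source and filter stages above, mirrored in plain Ruby as an added example (not part of the original guide or of Fluentd's code): it parses constructed access-log lines, enriches them like the record_transformer filter, and keeps lines that fail to parse visible. The regex is modeled on the apache2 parser, and parse_line, enrich and run_pipeline are hypothetical names.

```ruby
require "socket"
require "time"

# Pattern modeled on Fluentd's apache2 parser (combined log format); an
# approximation for illustration, not copied from the td-agent source.
APACHE2 = /\A(?<host>\S*) \S* (?<user>\S*) \[(?<time>[^\]]*)\] "(?<method>\S+)(?: +(?<path>(?:[^"\\]|\\.)*?)(?: +\S*)?)?" (?<code>\S*) (?<size>\S*)(?: "(?<referer>(?:[^"\\]|\\.)*)" "(?<agent>(?:[^"\\]|\\.)*)")?\z/
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# <source>/<parse>: one line in, [time, record] out, nil if it does not match.
def parse_line(line)
  m = APACHE2.match(line.chomp) or return nil
  record = m.named_captures.transform_values { |v| v == "-" ? nil : v }
  time = Time.strptime(record.delete("time").to_s, TIME_FORMAT)
  %w[code size].each { |k| record[k] = record[k]&.match?(/\A\d+\z/) ? record[k].to_i : nil }
  [time, record]
rescue ArgumentError
  nil # unparseable timestamp: drop the line like any other mismatch
end

# <filter> record_transformer: add the two static fields from the guide.
def enrich(record, hostname: Socket.gethostname, environment: "production")
  record.merge("hostname" => hostname, "environment" => environment)
end

# Run lines through parse + enrich; rejected lines are returned, not lost.
def run_pipeline(lines, tag: "nginx.access")
  events, unmatched = [], []
  lines.each do |line|
    time, record = parse_line(line)
    if record
      events << { tag: tag, time: time.utc.iso8601, record: enrich(record) }
    else
      unmatched << line
    end
  end
  { events: events, unmatched: unmatched }
end

# Constructed sample input (not real traffic); Nginx writes an embedded
# double quote as \x22, so the quoted fields keep their boundaries.
SAMPLE = [
  %q(203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0.1"),
  %q(203.0.113.9 - alice [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 302 - "https://example.com/" "Mozilla/5.0 \x22x\x22"),
  %q(2024/10/10 13:55:41 [error] 1234#0: *1 open() failed), # error-log format
].freeze

if __FILE__ == $PROGRAM_NAME
  result = run_pipeline(SAMPLE)
  result[:events].each { |e| puts e.inspect }
  warn "pattern not matched: #{result[:unmatched].length} line(s)"
end
```

The third sample line is in Nginx error-log format and is rejected, which is the outcome to expect whenever the tailed file does not match the configured parser.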

To forward to a remote Fluentd aggregator instead of Elasticsearch, replace the <match> block with a forward output:

<match nginx.access>
  @type forward
  <server>
    host aggregator.example.com
    port 24224
  </server>
  <buffer>
    flush_interval 5s
  </buffer>
</match>

Step 4 — Adjust SELinux and File Permissions

The td-agent user must be able to read Nginx log files. Add it to the appropriate group and allow SELinux to permit the tail access pattern.

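# Add td-agent to the adm group; the new membership applies once the service (re)starts
usermod -aG adm td-agent
# Let non-owners list and traverse the log directory (this applies to every local user)
chmod o+rx /var/log/nginx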
# Allow td-agent to read log files under SELinux
semanage fcontext -a -t var_log_t "/var/log/nginx(/.*)?"
restorecon -Rv /var/log/nginx

Step 5 — Enable and Start the td-agent Service

Enable td-agent as a systemd service so it starts automatically on boot, then verify it is collecting events from the Nginx log.

systemctl enable --now td-agent
systemctl status td-agent
# Tail the Fluentd log to verify event ingestion
tail -f /var/log/td-agent/td-agent.log

Generate a test request to your Nginx server and confirm the parsed event appears in the Fluentd log within a few seconds.

Step 6 — Fluent Bit as a Lightweight Alternative

Fluent Bit is a sub-project of Fluentd optimized for edge and resource-constrained nodes. It ships its own repository and uses a similar INI-style configuration syntax. Install it when memory footprint is critical, then forward its output to a central Fluentd aggregator.

# Install Fluent Bit
curl -fsSL https://packages.fluentbit.io/fluentbit.key | gpg --dearmor \
  -o /usr/share/keyrings/fluentbit-keyring.gpg

cat > /etc/yum.repos.d/fluent-bit.repo <<EOF
[fluent-bit]
name=Fluent Bit
baseurl=https://packages.fluentbit.io/centos/9/
gpgcheck=1
gpgkey=https://packages.fluentbit.io/fluentbit.key
enabled=1
EOF

dnf install -y fluent-bit
systemctl enable --now fluent-bit
fluent-bit --version

Conclusion

You now have a working Fluentd pipeline on RHEL 9 that tails Nginx access logs, enriches each record with hostname and environment metadata, and forwards structured JSON events to Elasticsearch or a central aggregator. The key takeaway is Fluentd’s tag-based routing model: every event carries a tag, and filters and match blocks select events by tag pattern, making it straightforward to build multi-stage processing pipelines. For production deployments, enable Fluentd’s persistent buffer with @type file to survive restarts without data loss, and configure retry limits appropriate to your SLA. Use Fluent Bit on high-density nodes where memory is scarce, and funnel its output into a Fluentd aggregator for enrichment and fan-out to multiple backends.
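
An added Ruby example (not from the original guide, and not Fluentd's own router code) that models the tag routing just described: filters apply in file order until the first <match> whose pattern matches, and that block then consumes the event. The grep and forward entries and the app.* tags are hypothetical, and patterns with dots inside braces are not handled.

```ruby
# Turn one dot-separated pattern part into a regex: "*" globs within a part,
# "{a,b}" matches either alternative.
def part_regex(part)
  src = Regexp.escape(part)
  src = src.gsub('\*', '[^.]*')
  src = src.gsub(/\\\{(.*?)\\\}/) { "(?:#{$1.split(',').join('|')})" }
  /\A#{src}\z/
end

# "*" stands for exactly one tag part, "**" for zero or more parts.
def match_parts(pat, tag)
  return tag.empty? if pat.empty?
  head, *rest = pat
  if head == "**"
    (0..tag.length).any? { |n| match_parts(rest, tag.drop(n)) }
  else
    !tag.empty? && part_regex(head).match?(tag.first) && match_parts(rest, tag.drop(1))
  end
end

def tag_match?(pattern, tag)
  match_parts(pattern.split("."), tag.split("."))
end

# Constructed pipeline in config-file order: the guide's filter and match,
# followed by two hypothetical blocks.
PIPELINE = [
  [:filter, "nginx.access",          "record_transformer"],
  [:match,  "nginx.access",          "elasticsearch"],
  [:filter, "nginx.**",              "grep"],    # too late for nginx.access
  [:match,  "nginx.* app.{web,api}", "forward"], # two patterns, space-separated
].freeze

# Walk the blocks in order: collect matching filters, stop at the first
# matching <match>. A filter placed after that <match> never sees the event.
def route(tag, pipeline = PIPELINE)
  filters = []
  pipeline.each do |kind, patterns, plugin|
    next unless patterns.split.any? { |p| tag_match?(p, tag) }
    return { filters: filters, output: plugin } if kind == :match
    filters << plugin
  end
  { filters: filters, output: nil } # no <match> selected this tag
end

if __FILE__ == $PROGRAM_NAME
  %w[nginx.access nginx.error app.web app.db].each { |t| puts "#{t} -> #{route(t)}" }
end
```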
