Configuring LogSources for Syslog

Last updated on 22 November, 2022

With LogSources you can view and configure log integrations in the LogicMonitor portal. LogSources provides out-of-the-box setup and configuration for some popular log sources. This article describes the configuration options specific to LogSources of the Syslog type.

Creating LogSources

Logsources are created from Settings in the LM portal. For general information on how to add a log source, see Creating LogSources.

Configuration Options

The Syslog LogSource type uses the LM Collector, which runs on a Linux or Windows server within your infrastructure and uses standard monitoring protocols to monitor devices. The following sections describe the configuration options specific to the Syslog type of LogSource.

Note: With a high volume of Linux syslog messages, some messages may not reach the Collector. To prevent this, increase the rmem (socket receive buffer) value on the Linux instance where the Collector is installed. See Installing a Linux Collector.

Include Filters

You can add filters to include only the syslog messages whose attributes match certain values, for example messages from a particular application.

Available parameters

Attribute   | Comparison Operators | Value
Application | Equal, NotEqual, Contain, NotContain, Exist, NotExist, RegexMatch, RegexNotMatch |
Facility    | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist, GreaterThan, GreaterEqual, LessThan, LessEqual | Predefined options such as "kernel messages", "system daemons", and "log alert" are available.
Message     | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist |
Severity    | Equal, MoreUrgentThan | Emergency, Alert, Critical, Error, Warning, Notice, Informational, Debug.

Parameter explanation

  • Application, Facility and Message: The Value field is disabled if you select "Exist" or "NotExist".
  • Severity: The levels are listed from most to least urgent (Emergency is syslog severity 0, Debug is 7). "MoreUrgentThan" matches messages whose severity is more urgent than the selected level; the collector record at the end of this article shows severity 3 rendered as "3: Error".
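To make the operators concrete, the following is an added Python example, not code from this article or from the LogicMonitor Collector. It parses the syslog PRI into the Facility and Severity attributes (RFC 5424 codes; "<11>" yields "1: user-level messages" and "3: Error", as in the collector record later in this article) and evaluates include-filter rows against constructed sample lines. Two details are assumptions, because the article does not define them: Application is taken from the BSD-style TAG such as "sshd[1234]:", and multiple filter rows are ANDed.

```python
import re

# RFC 5424 code tables. The collector renders them as "<code>: <name>",
# e.g. "1: user-level messages" and "3: Error". Facilities 10 and 15 reuse
# names exactly as the RFC does.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
FACILITIES = ["kernel messages", "user-level messages", "mail system",
              "system daemons", "security/authorization messages",
              "messages generated internally by syslogd",
              "line printer subsystem", "network news subsystem",
              "UUCP subsystem", "clock daemon",
              "security/authorization messages", "FTP daemon",
              "NTP subsystem", "log audit", "log alert", "clock daemon"]
FACILITIES += [f"local{i}" for i in range(8)]   # 16-23: local use

# Assumption: Application is the BSD-style TAG ("sshd[1234]:") that follows
# an optional RFC 3164 timestamp and hostname; the article does not define it.
_PRI = re.compile(r"<(\d{1,3})>(.*)", re.S)
_TAG = re.compile(r"(?:\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ )?([\w.\-/]+)(?:\[\d+\])?: ")


def parse_syslog(line):
    """Return the four attributes an include filter can test."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"no valid PRI in {line!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    tag = _TAG.match(m.group(2))
    return {
        "Application": tag.group(1) if tag else None,
        "Facility": (facility, FACILITIES[facility]),
        "Severity": (severity, SEVERITIES[severity]),
        "Message": line,          # the collector keeps the PRI in the message
    }


def _code(attr, value):
    """Resolve a predefined option ("Warning") or a numeric string to its code."""
    table = SEVERITIES if attr == "Severity" else FACILITIES
    return int(value) if str(value).isdigit() else table.index(value)


def matches(event, attr, op, value=None):
    """Evaluate one include-filter row; value is ignored for Exist/NotExist."""
    field = event.get(attr)
    if op == "Exist":
        return field is not None
    if op == "NotExist":
        return field is None
    if field is None:
        return False
    if attr in ("Facility", "Severity"):
        code, text = field
        numeric = {
            "GreaterThan": lambda w: code > w, "GreaterEqual": lambda w: code >= w,
            "LessThan": lambda w: code < w, "LessEqual": lambda w: code <= w,
            "MoreUrgentThan": lambda w: code < w,   # lower severity code = more urgent
        }
        if op in numeric:
            return numeric[op](_code(attr, value))
    else:
        text = field
    textual = {
        "Equal": lambda: text == value, "NotEqual": lambda: text != value,
        "Contain": lambda: value in text, "NotContain": lambda: value not in text,
        "RegexMatch": lambda: re.search(value, text) is not None,
        "RegexNotMatch": lambda: re.search(value, text) is None,
    }
    return textual[op]()


def filter_lines(lines, rules):
    """Keep the lines that satisfy every (attribute, operator[, value]) rule.
    Assumption: multiple include filters are ANDed; the article does not say."""
    kept = []
    for line in lines:
        event = parse_syslog(line)
        if all(matches(event, *rule) for rule in rules):
            kept.append(event)
    return kept


# Constructed sample input: the article's own "<11>" message plus two lines
# in RFC 3164 layout.
SAMPLE_LINES = [
    "<11>Just a message with metadata test_md1 !!",
    "<30>Oct  6 06:20:46 host1 sshd[1234]: Accepted publickey for ops",
    "<0>Oct  6 06:20:47 host1 kernel: Kernel panic - not syncing",
]
RULES = [("Severity", "MoreUrgentThan", "Notice"), ("Application", "Exist")]

if __name__ == "__main__":
    for ev in filter_lines(SAMPLE_LINES, RULES):
        print(ev["Application"], ev["Facility"], ev["Severity"])
```

With the rules above only the kernel line survives: the "<11>" line is urgent enough (Error) but carries no application tag, and the sshd line is Informational, which is less urgent than Notice.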

Log Fields/Tags

You can configure Log Fields/Tags to attach additional metadata to the logs that are sent.

Available parameters

Method             | Key | Value
Static             | For example "Customer". | For example "Customer_XYZ".
Dynamic(REGEX)     | For example "Host". | For example "host=*".
LM Property(Token) | For example "Device". | For example "##system.deviceId##".
Syslog Attribute   | Application, Facility, Severity. |

Parameter explanation

  • Dynamic(REGEX): The regular expression runs on the message field, and the matched text becomes the value of the tag.
  • LM Property(Token): The token is replaced with the value of the named device property in LM, for example the device ID for "##system.deviceId##".

Resource Mapping

Configure how the LM log property is matched to a monitored device, so that each log is attributed to the right resource.

Available parameters

Method             | Key | Value
Static             | For example "Customer_Id". | For example "1921" or "syslog_test_collector".
IP                 | For example "system.ips". |
FQDN               | For example "system.hostname". |
HOSTNAME           | For example "system.hostname". |
HOST WITHOUT DNS   | For example "system.hostname". |
Dynamic(REGEX)     | For example "system.ServiceName". | For example "service=*".
LM Property(Token) | For example "token.resourceMap". | For example "syslog_test_collector".

Parameter explanation

  • IP: Uses the host field of the syslog message and resolves it to an IP address, for example "10.20.30.40". The Value field is disabled if you select this method; you can only enter a Key.
  • FQDN: Fully Qualified Domain Name, obtained by DNS resolution of the hostname received in the syslog message or of the socket address, for example "application.service.example.com".
  • HOSTNAME: The hostname as received, for example "host1.example.com". The Value field is disabled if you select this method; you can only enter a Key.
  • HOST WITHOUT DNS: The hostname with no DNS lookup and without the domain part, for example "host1". The Value field is disabled if you select this method; you can only enter a Key.
  • Dynamic(REGEX): The regular expression runs on the message field, and the matched text is the value used for matching.
  • LM Property(Token): The token is replaced with the value of the named device property in LM, for example the device ID.

Other Options

If your syslog events do not include time information, select Use Received Time instead of Log Timestamp in the Other Options section. The log is then stamped with the time at which the Collector received it.

Examples

General Setup Example

General Information

  • Name: Syslog
  • Description: Data collection template for data from monitored syslogs.
  • AppliesTo (custom query): /*isLinux() || isNetwork()*/ 
  • Type: LM Logs: Syslog
  • Group: Syslog

Resource Mapping

Method | Key    | Value
Token  | device | ##system.hostname##

Resource Mapping Example

The following is an example of a resource mapping using the LM Property (Token) method. Say you set a property on one of the monitored devices in the LM portal to use for mapping. The key of the LM property is "token.resourceMap" and its value is "syslog_test_collector".

When the LogSource is applied to the device, the resource mapping is stored with LM_property "token.resourceMap", source "LM Property", parse method "Token", and a value of the form ##...##, such as "##token.resourceMap##".

The Collector receives the hostEntry from the feed and replaces ##token.resourceMap## with the value of the LM_property "token.resourceMap" for that particular host, for example "syslog_test_collector".

If the LogSource is applied to multiple resources, the value of the LM_property must be unique per resource. Otherwise the Ingest API cannot map the log to a resource, because several resources would share the same mapping value.

From the Resources information for the example “syslog_test_collector”. 

The resource mapping for the example “syslog_test_collector” in LogSources.

The resource mapping on the Collector side for this LogSource is then as follows (the record as queued by the Collector, followed by the raw syslog line):

{
  "metadata": {"logSource_id": "2249", "logsource_name": "syslog_test_token"},
  "Severity": "3: Error",
  "Host": "localhost",
  "epochWhenAddedInQueue": 1633501246808,
  "Facility": "1: user-level messages",
  "message": "<11>Just a message with metadata test_md1 !!\u0000",
  "_lm.resourceId": {"token.resourceMap": "syslog_test_collector"},
  "timestamp": 1633501246808,
  "_lm.collectorId": "48"
}
raw: '<11>Example message with metadata test_md1 !!'
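The following is an added Python example, not code from this article or from the LogicMonitor Collector or Ingest API, that models both the Log Fields/Tags methods and the Resource Mapping methods described above and then checks the uniqueness rule on the Ingest side. The device inventory, the event and the tag rules are constructed; `db01` and `db02` deliberately share a `token.resourceMap` value so that the ambiguous case is visible. IP and FQDN mapping need DNS and are not modelled, and taking the first regex capture group as the extracted value is an assumption.

```python
import re

# Matches a LogicMonitor-style ##property.name## token.
TOKEN = re.compile(r"##([\w.]+)##")


def expand_tokens(template, props):
    """Replace every ##property## with that LM device property.
    A property the device lacks raises KeyError instead of mapping silently."""
    return TOKEN.sub(lambda m: props[m.group(1)], template)


def _regex_value(pattern, message):
    """Dynamic(REGEX) runs on the message field. Assumption: the first capture
    group (or the whole match) is the extracted value; None if no match."""
    m = re.search(pattern, message)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def build_tags(event, props, tag_rules):
    """Log Fields/Tags: (method, key, value) rows -> extra metadata for the log."""
    tags = {}
    for method, key, value in tag_rules:
        if method == "Static":
            tags[key] = value
        elif method == "Dynamic(REGEX)":
            found = _regex_value(value, event["message"])
            if found is not None:
                tags[key] = found
        elif method == "LM Property(Token)":
            tags[key] = expand_tokens(value, props)
        elif method == "Syslog Attribute":
            tags[key] = event[value]      # assumption: value names the attribute copied
        else:
            raise ValueError(f"unknown tag method {method!r}")
    return tags


def resource_id(event, props, method, key, value=None):
    """Resource Mapping: build the _lm.resourceId ({key: mapped value}) the
    Collector attaches. IP and FQDN need DNS and are not modelled here."""
    if method == "Static":
        mapped = value
    elif method == "HOSTNAME":
        mapped = event["Host"]
    elif method == "HOST WITHOUT DNS":
        mapped = event["Host"].split(".", 1)[0]
    elif method == "Dynamic(REGEX)":
        mapped = _regex_value(value, event["message"])
        if mapped is None:
            return None                    # nothing to map on; the log stays unmapped
    elif method == "LM Property(Token)":
        mapped = expand_tokens(value, props)
    else:
        raise ValueError(f"mapping method {method!r} not modelled")
    return {key: mapped}


def ingest_match(rid, inventory):
    """Ingest API side: the (key, value) pair must select exactly one resource.
    Returns that resource's name, or None when zero or several resources match."""
    (key, value), = rid.items()
    hits = [name for name, props in inventory.items() if props.get(key) == value]
    return hits[0] if len(hits) == 1 else None


def collector_record(event, props, tag_rules, mapping):
    """Assemble a record in the shape shown above (metadata/collectorId omitted)."""
    rec = dict(event)
    rec.update(build_tags(event, props, tag_rules))
    rec["_lm.resourceId"] = resource_id(event, props, *mapping)
    return rec


# Constructed inventory of LM resources and their properties. db01 and db02
# deliberately share a token.resourceMap value to show the uniqueness rule.
INVENTORY = {
    "syslog_test_collector": {"system.hostname": "host1.example.com",
                              "system.deviceId": "1921",
                              "token.resourceMap": "syslog_test_collector"},
    "db01": {"system.hostname": "db01.example.com", "system.deviceId": "1922",
             "token.resourceMap": "db01"},
    "db02": {"system.hostname": "db02.example.com", "system.deviceId": "1923",
             "token.resourceMap": "db01"},
}
# Constructed event, with fields named as in the Collector record above.
EVENT = {"Host": "host1.example.com", "Severity": "3: Error",
         "Facility": "1: user-level messages",
         "message": "<11>Just a message with metadata test_md1 host=web01 !!"}
TAG_RULES = [("Static", "Customer", "Customer_XYZ"),
             ("Dynamic(REGEX)", "Origin", r"host=(\S+)"),
             ("LM Property(Token)", "Device", "##system.deviceId##"),
             ("Syslog Attribute", "Sev", "Severity")]
MAPPING = ("LM Property(Token)", "token.resourceMap", "##token.resourceMap##")

if __name__ == "__main__":
    rec = collector_record(EVENT, INVENTORY["syslog_test_collector"], TAG_RULES, MAPPING)
    print(rec["_lm.resourceId"], "->", ingest_match(rec["_lm.resourceId"], INVENTORY))
    print({"token.resourceMap": "db01"}, "->", ingest_match({"token.resourceMap": "db01"}, INVENTORY))
```

The first print shows the happy path from the article: the token expands to "syslog_test_collector" and the Ingest side finds exactly one resource. The second shows why the mapping value must be unique: two resources carry "db01", so the match is ambiguous and the log is left unmapped.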