Configuring LogSources for Syslog

Last updated on 05 May, 2023

LogSources is a LogicModule that provide templates to help you enable LM Logs and configure log data collection and forwarding. LogSources contain details about which logs to get and where to get them, and which fields should be considered for parsing. LogSources is available for common sources of log data. The following describes how to set up LogSources for Syslog.

Requirements

The Syslog logsource type uses the LM Collector. When using the LM Collector with LogSources, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.

Configuration Options

The following describes configuration options specific to the Syslog type of logsource. For information on how to add a logsource, see Creating LogSources.

Note: In cases with high volume of Linux syslog messages, some messages may not reach the collector. To prevent this, you can increase the rmem value on the Linux instance where the collector is installed. Do the following:

  • Open the /etc/sysctl.conf file
  • Add the line net.core.rmem_max=15728640 and save the file
  • Run the sysctl --system command
  • Include Filters

    You can add filters to include resources of certain types, for example an application. The output matching the filter criteria will be forwarded to the log ingestion process.

    Available parameters

    AttributesComparison operatorValue exampleDescription
    ApplicationEqual, NotEqual, Contain, NotContain, Exist, NotExist, RegexMatch, RegexNotMatch.The Value field is disabled if you select “Exist” or “NotExist”. 
    FacilityEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist, GreaterThan, GreaterEqual, LessThan, LessEqual.Predefined options like “kernel messages”, “system daemons”, and “log alert”, are available.The Value field is disabled if you select “Exist” or “NotExist”.
    MessageEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist.The Value field is disabled if you select “Exist” or “NotExist”.
    SeverityEqual, MoreUrgentThan.Emergency, Alert, Critical, Warning, Notice, Informational, Debug.

    Log Fields/Tags

    You can configure Log Fields/Tags to send additional metadata with the logs.

    Available parameters

    MethodKey exampleValue exampleDescription
    Static“Customer”“Customer_XYZ”
    Dynamic(REGEX)“Host”“host=*”The query will run on the message field.
    LM Property(Token)“Device”“##system.deviceId##”The DeviceID extracted from the existing device property in LogicMonitor.
    Syslog AttributeApplication, Facility, Severity.

    Resource Mapping

    Configure the LM log property to match a monitored resource.

    Available parameters

    MethodKey exampleValue exampleDescription
    Static“Customer_Id”For example “1921”.For example “syslog_test_collector”.
    IP“system.ips”Use the syslog host field information and resolve it to IP, for example “10.20.30.40”. The Value field is disabled if you select this method, you can only enter a Key.
    FQDN“system.hostname”Fully Qualified Domain Name, from DNS resolution of hostname received from syslog message or socket address. For example “application.service.example.com”.
    HOSTNAME“system.hostname”For example “host1.example.com”. The Value field is disabled if you select this method, you can only enter a Key.
    HOST WITHOUT DNS“system.hostname”For example “host1”. The Value field is disabled if you select this method, you can only enter a Key.
    Dynamic(REGEX)“system.ServiceName”For example “service=*”.The query will run on the message field.
    LM Property(Token)“token.resourceMap”For example “syslog_test_collector”.The DeviceID extracted from the existing device property in LogicMonitor.

    Other Options

    If you have Syslog events that do not include time information, select Use Received Time instead of Log Timestamp in the Other Options section to use the timestamp for when the log was received by the Collector.

    Examples

    General Setup Example

    General Information

    • Name: Syslog
    • Description: Data collection template for data from monitored syslogs.
    • AppliesTo (custom query): /*isLinux() || isNetwork()*/ 
    • Type: LM Logs: Syslog
    • Group: Syslog

    Resource Mapping

    MethodKeyValue
    Tokendevice##system.hostname##

    Resource Mapping Example

    The following is an example of a resource mapping using the LM Property (Token) method. Say you provide a property to map to one of the monitored devices in the LM portal. The key for the LM Property is “token.resourceMap” and the value is “syslog_test_collector”.

    When a LogSource is applied on the device, the resource mapping is done with LM_property as “token.resourceMap”, source as “LM Property”, parse method as “Token”, and value as anything starting with “##”, like “##token.resourceMap##”.

    The collector receives the hostEntry from the feed, and replaces the ##token.resourceMap## with the value received against the LM_property “token.resourceMap” for that particular host, for example “syslog_test_collector”.

    If there are multiple resources to which the log source is applied, the value for LM_property should be unique. Otherwise the Ingest API will not map it to the resource as there will be multiple resources having the same mapping.

    Example from the Resources information for the example “syslog_test_collector”. 

    Example of the resource mapping for the example “syslog_test_collector” in LogSources.

    The resource mapping on the collector side for this logsource is as follows:

    '{"metadata":{"logSource_id":"2249","logsource_name":"syslog_test_token"},"Severity":"3: Error","Host":"localhost","epochWhenAddedInQueue":1633501246808,"Facility":"1: user-level messages","message":"<11>Just a message with metadata test_md1 !!\u0000","_lm.resourceId":{"token.resourceMap":"syslog_test_collector"},"timestamp":1633501246808,"_lm.collectorId":"48"}', raw:'<11>Example message with metadata test_md1 !!'
    In This Article