Configuring LogSources for Syslog
Last updated on 05 May, 2023
LogSources is a LogicModule that provides templates to help you enable LM Logs and configure log data collection and forwarding. LogSources contain details about which logs to get and where to get them, and which fields should be considered for parsing. LogSources are available for common sources of log data. The following describes how to set up LogSources for Syslog.
Requirements
The Syslog logsource type uses the LM Collector. When using the LM Collector with LogSources, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.
Configuration Options
The following describes configuration options specific to the Syslog type of logsource. For information on how to add a logsource, see Creating LogSources.
Note: In cases with a high volume of Linux syslog messages, some messages may not reach the collector. To prevent this, you can increase the rmem value on the Linux instance where the collector is installed. Do the following:
1. Add the following line to the sysctl configuration file and save the file:
net.core.rmem_max=15728640
2. Run the sysctl --system command.
Include Filters
You can add filters to include resources of certain types, for example an application. Only the output that matches the filter criteria is forwarded to the log ingestion process.

Available parameters
Attributes | Comparison operator | Value example | Description |
--- | --- | --- | --- |
Application | Equal, NotEqual, Contain, NotContain, Exist, NotExist, RegexMatch, RegexNotMatch | | The Value field is disabled if you select “Exist” or “NotExist”. |
Facility | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist, GreaterThan, GreaterEqual, LessThan, LessEqual | Predefined options such as “kernel messages”, “system daemons”, and “log alert” are available. | The Value field is disabled if you select “Exist” or “NotExist”. |
Message | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist | | The Value field is disabled if you select “Exist” or “NotExist”. |
Severity | Equal, MoreUrgentThan | Emergency, Alert, Critical, Warning, Notice, Informational, Debug | |
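As an added example (not code from the LogicMonitor documentation), the following Python shows how a row of the Include Filters table can be evaluated against a raw syslog message: the PRI prefix is decoded into the “1: user-level messages” / “3: Error” form used by the collector record at the end of this page, and each comparison operator is then applied to that attribute. The filter tuple layout, the facility-code ordering for the GreaterThan/LessThan operators, and the optional Application attribute are assumptions of this example.

```python
import re

# Facility and severity names as used on this page; codes follow the syslog
# PRI convention (PRI = facility * 8 + severity). Severity 3 = Error is the
# value shown in the sample collector record at the end of the page.
FACILITIES = {0: "kernel messages", 1: "user-level messages",
              3: "system daemons", 14: "log alert"}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
NUMERIC = {"GreaterThan": lambda a, b: a > b, "GreaterEqual": lambda a, b: a >= b,
           "LessThan": lambda a, b: a < b, "LessEqual": lambda a, b: a <= b}


def build_event(raw, application=None):
    """Decode "<PRI>text" into the "code: name" attribute layout of the collector
    record. Application is optional (a BSD-style message need not carry a tag)."""
    m = re.match(r"<(\d{1,3})>(.*)", raw, re.S)
    if not m or int(m.group(1)) > 191:          # 191 = facility 23, severity 7
        raise ValueError("missing or invalid PRI in %r" % raw[:16])
    fac, sev = divmod(int(m.group(1)), 8)
    event = {"Facility": "%d: %s" % (fac, FACILITIES.get(fac, "unknown")),
             "Severity": "%d: %s" % (sev, SEVERITIES[sev]),
             "Message": m.group(2).rstrip("\x00")}   # drop a trailing NUL
    if application is not None:
        event["Application"] = application
    return event


def matches(filt, event):
    """Apply one Include Filter row (attribute, operator, value) to an event."""
    attr, op, value = filt
    actual = event.get(attr)
    if op in ("Exist", "NotExist"):       # the Value field is disabled for these
        return (actual is not None) == (op == "Exist")
    if actual is None:
        return False
    if op == "MoreUrgentThan":            # lower severity code = more urgent
        return int(actual.split(":")[0]) < SEVERITIES.index(value)
    if op in NUMERIC:                     # ordering on the facility code (assumption)
        return NUMERIC[op](int(actual.split(":")[0]), int(value))
    name = actual.split(": ", 1)[1] if attr in ("Facility", "Severity") else actual
    if op in ("Equal", "NotEqual"):       # names compare without their code prefix
        return (name == value) == (op == "Equal")
    if op in ("Contain", "NotContain"):
        return (value in name) == (op == "Contain")
    if op in ("RegexMatch", "RegexNotMatch"):
        return (re.search(value, name) is not None) == (op == "RegexMatch")
    raise ValueError("unknown operator " + op)
```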
Log Fields/Tags
You can configure Log Fields/Tags to send additional metadata with the logs.
Available parameters
Method | Key example | Value example | Description |
--- | --- | --- | --- |
Static | “Customer” | “Customer_XYZ” | |
Dynamic(REGEX) | “Host” | “host=*” | The query will run on the message field. |
LM Property(Token) | “Device” | “##system.deviceId##” | The DeviceID extracted from the existing device property in LogicMonitor. |
Syslog Attribute | Application, Facility, Severity | | |
Resource Mapping
Configure the LM log property to match a monitored resource.
Available parameters
Method | Key example | Value example | Description |
--- | --- | --- | --- |
Static | “Customer_Id” | For example “1921” or “syslog_test_collector”. | |
IP | “system.ips” | The syslog host field information resolved to an IP address, for example “10.20.30.40”. | The Value field is disabled if you select this method; you can only enter a Key. |
FQDN | “system.hostname” | Fully Qualified Domain Name, from DNS resolution of the hostname received from the syslog message or socket address, for example “application.service.example.com”. | |
HOSTNAME | “system.hostname” | For example “host1.example.com”. | The Value field is disabled if you select this method; you can only enter a Key. |
HOST WITHOUT DNS | “system.hostname” | For example “host1”. | The Value field is disabled if you select this method; you can only enter a Key. |
Dynamic(REGEX) | “system.ServiceName” | For example “service=*”. | The query will run on the message field. |
LM Property(Token) | “token.resourceMap” | For example “syslog_test_collector”. | The DeviceID extracted from the existing device property in LogicMonitor. |
Other Options
If you have Syslog events that do not include time information, select Use Received Time instead of Log Timestamp in the Other Options section to use the timestamp of when the log was received by the Collector.
Examples
General Setup Example
General Information
- Name: Syslog
- Description: Data collection template for data from monitored syslogs.
- AppliesTo (custom query): /*isLinux() || isNetwork()*/
- Type: LM Logs: Syslog
- Group: Syslog
Resource Mapping
Method | Key | Value |
--- | --- | --- |
Token | device | ##system.hostname## |
Resource Mapping Example
The following is an example of a resource mapping using the LM Property (Token) method. Say you provide a property to map to one of the monitored devices in the LM portal. The key for the LM Property is “token.resourceMap” and the value is “syslog_test_collector”.
When a LogSource is applied to the device, the resource mapping is done with LM_property as “token.resourceMap”, source as “LM Property”, parse method as “Token”, and value as anything starting with “##”, like “##token.resourceMap##”.
The collector receives the hostEntry from the feed, and replaces the ##token.resourceMap## with the value received against the LM_property “token.resourceMap” for that particular host, for example “syslog_test_collector”.
If there are multiple resources to which the log source is applied, the value for LM_property should be unique. Otherwise the Ingest API will not map it to the resource as there will be multiple resources having the same mapping.
Example from the Resources information for the example “syslog_test_collector”.

Example of the resource mapping for the example “syslog_test_collector” in LogSources.

The resource mapping on the collector side for this logsource is as follows:
'{"metadata":{"logSource_id":"2249","logsource_name":"syslog_test_token"},"Severity":"3: Error","Host":"localhost","epochWhenAddedInQueue":1633501246808,"Facility":"1: user-level messages","message":"<11>Just a message with metadata test_md1 !!\u0000","_lm.resourceId":{"token.resourceMap":"syslog_test_collector"},"timestamp":1633501246808,"_lm.collectorId":"48"}', raw:'<11>Example message with metadata test_md1 !!'
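Added example (not from the LogicMonitor documentation) covering the Resource Mapping methods listed above and the regex and token methods of Log Fields/Tags: the collector-side substitution of ##token.resourceMap## with the device property value, producing the _lm.resourceId object seen in the record above, plus the uniqueness check that the Ingest API relies on. The device inventory is constructed; IP and FQDN are left out because they need DNS resolution; treating the first capture group as the Dynamic(REGEX) value is an assumption.

```python
import re

# Constructed sample inventory: LM properties of two monitored devices. Only
# host1 carries the "token.resourceMap" property used in the example above.
DEVICES = {
    "host1.example.com": {"system.hostname": "host1.example.com",
                          "token.resourceMap": "syslog_test_collector"},
    "host2.example.com": {"system.hostname": "host2.example.com"},
}
TOKEN = re.compile(r"##([A-Za-z0-9_.]+)##")   # ##system.hostname## style tokens


def resolve(mapping, event, props):
    """Return the {key: value} pair attached as _lm.resourceId, or None when the
    method yields nothing for this host. mapping = (method, key, value); event
    carries the syslog Host field and message; props are the LM properties of
    the device the LogSource is applied to. IP and FQDN need DNS and are omitted."""
    method, key, value = mapping
    if method == "Static":
        result = value
    elif method == "HOSTNAME":
        result = event["Host"]
    elif method == "HOST WITHOUT DNS":              # short name only
        result = event["Host"].split(".", 1)[0]
    elif method == "Dynamic(REGEX)":                # query runs on the message field
        m = re.search(value, event["message"])      # first group (assumption) or whole match
        result = m.group(1 if m.lastindex else 0) if m else None
    elif method == "LM Property(Token)":            # ##prop## -> device property value
        missing = [t for t in TOKEN.findall(value) if t not in props]
        result = None if missing else TOKEN.sub(lambda t: props[t.group(1)], value)
    else:
        raise ValueError("unknown method " + method)
    return {key: result} if result else None


def duplicate_values(prop, devices):
    """Values of prop shared by more than one device. Such a value cannot be
    mapped by the Ingest API, so this is the check to run before applying the
    LogSource to several resources."""
    seen = {}
    for name, props in devices.items():
        if prop in props:
            seen.setdefault(props[prop], []).append(name)
    return {v: names for v, names in seen.items() if len(names) > 1}
```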