Join fellow LogicMonitor users at the Elevate Community Conference and get hands-on with our latest product innovations.

Register Now

Platform

Get real-time insights and automation for comprehensive, seamless monitoring with agentless architecture.

Platform Overview
Infrastructure Monitoring
Cloud Monitoring
Digital Experience
AIOPS

Solutions

Whether you work in MSP, Enterprise IT or somewhere in between, the solution is clear.

Solutions Overview
By Initiative
By Industry

Resources

Explore our blogs, guides, case studies, eBooks, and more actionable insights to enhance your IT monitoring and observability.

View Resources
Learn

About us

Get to know LogicMonitor and our team.

About us
Get to know us
Services

Documentation

Read through our documentation, check out our latest release notes, or submit a ticket to our world-class customer service team.

View Resources
Support
TRY IT FREE
ON DEMAND DEMO

Product Documentation

Syslog LogSource Configuration

Last updated on 20 February, 2025

LogSource is a LogicModule that provides templates to help you enable LM Logs and configure log data collection and forwarding. LogSource contains details about which logs to get, where to get them, and which fields should be considered for parsing. LogSource is available for common sources of log data. 

Requirements for Configuring Syslog LogSources

The Syslog LogSource type uses the LM Collector. When using the LM Collector with LogSource, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.

Configuration Options

The following describes configuration details specific to the Syslog type of LogSource. For general information on how to add a LogSource, see Configuring a LogSource.

Note: In cases with high volume of Linux syslog messages, some messages may not reach the collector. To prevent this, you can increase the rmem value on the Linux instance where the collector is installed. Do the following:

  • Open the /etc/sysctl.conf file
  • Add the line net.core.rmem_max=15728640 and save the file
  • Run the sysctl --system command

Basic Information

If you have Syslog events that do not include time information, toggle Use received time instead of log timestamp to use the timestamp for when the log was received by the Collector.

Important: If the Collector and device are off three hours or more, the logs are ignored. The Use received time instead of log timestamp setting mitigates timing issues between the Collector and device.

Add new logsource page

Apply LogSource to Collectors

With collector version EA-35.200, you can apply LogSource to a collector directly using the Apply to Collector(s) option. The AppliesTo option is also available to apply LogSource to a device. But, if you are using a collector version prior to EA-35.200, you can only use AppliesTo to apply LogSource to a device.

Applying a LogSource to the collector is useful in the following scenarios:

  • The device that is forwarding the Syslog to the collector is not monitored by the collector.
  • The device that is forwarding the Syslog to the collector is not monitored in LogicMonitor at all.

Applying LogSource on Collector

To apply LogSource to collector:

  1. While creating a LogSource, on the AppliesTo tab, toggle Apply to Collector(s) switch.
  2. Under Collector Mappings, select Add Collector.
AppliesTo option in add new logsource page

Note:

  • When you select Apply to Collector(s) toggle, the AppliesTo field becomes unavailable. It is not possible to use both the options together.
  • Only the self-monitoring collectors with a minimum version as EA-35.200 appear in the Collector Mapping field.
  • Only one LogSource of type Syslog can be applied on a self-monitoring collector.
  • If a device is monitored by a collector that is receiving the Syslog, then the LogSource that is applied on the device is preferred over the LogSource applied on the collector. To know more about it, refer Syslog Processing Preference.

Syslog Processing Preference

While applying LogSource on a collector, the collector can process Syslog in the following ways:

  • If the requirement is to ingest the Syslog events received by the collector, Collector’s agent.conf property “lmlogs.syslog.enabled” can be enabled. This property can also be enabled by turning on Enable log collection for Syslog and SNMP trap option on the Add collector page. With this property enabled, the collector will ingest all the Syslog events without any customization such as Filters, Resource Mapping, and others.
  • If the requirement is to add some customisation such as filtering some Syslog events or adding a different method for resource mapping, a LogSource can be created and applied on the Syslog receiving collector using the Apply to Collector(s) option on the LogSource.
  • If the requirement is to handle the Syslog events from a device using a specific LogSource definition, a usual LogSource can be applied on a device that is forwarding the Syslog events to the collector. 

A usual LogSource that is applied on a device, will be preferred over the LogSource applied on a collector for processing the syslog.

A LogSource that is applied on a collector, will be preferred over collector’s agent.conf property “lmlogs.syslog.enabled” for processing the syslog.

Syslog Logsource diagram

The following scenarios can be referred to understand the syslog processing preference by a collector which is receiving the syslog.

ScenarioIs the device monitored by the collector*Is a usual LogSource applied on the deviceIs a LogSource applied on collector using the Apply to Collector(s) switchIs collector’s agent.conf property lmlogs.syslog.enabled set to trueOutcome
1YesYesAny (Yes/No)Any (Yes/No)Syslog will be processed using the usual LogSource applied on the device that forwards the Syslog.
2YesNoYesAny (Yes/No)Syslog will be processed using the LogSource which is applied to the collector that receives the Syslog.
3NoAny (Yes/No)YesAny (Yes/No)Syslog will be processed using the LogSource which is applied to the collector that receives the Syslog.
4NoAny (Yes/No)NoYesSyslog will be processed using the agent.conf property (“lmlogs.syslog.enabled”) of the collector that receives the Syslog.

*A device is said to be monitored by a collector if

  • The collector is assigned as a Preferred Collector on Manage Resource page
    -or-
  • The collector is assigned as Log Collector using Set LM Logs Collector option on Manage Resource page

Include Filters

You can add filters to include resources of certain types, for example an application. The output matching the filter criteria will be forwarded to the log ingestion process.

Available parameters

AttributesComparison operatorValue exampleDescription
ApplicationEqual, NotEqual, Contain, NotContain, Exist, NotExist, RegexMatch, RegexNotMatch.The Value field is disabled if you select “Exist” or “NotExist”. 
FacilityEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist, GreaterThan, GreaterEqual, LessThan, LessEqual.Predefined options like “kernel messages”, “system daemons”, and “log alert”, are available.The Value field is disabled if you select “Exist” or “NotExist”.
MessageEqual, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist.The Value field is disabled if you select “Exist” or “NotExist”.
SeverityEqual, MoreUrgentThan.Emergency, Alert, Critical, Warning, Notice, Informational, Debug.

Log Fields

You can configure Log Fields (tags) to send additional metadata with the logs.

Available parameters

MethodKey exampleValue exampleDescription
Static“Customer”“Customer_XYZ”
Dynamic(REGEX)“Host”“host=*”The query will run on the message field.
LM Property(Token)“Device”“##system.deviceId##”The DeviceID value extracted from the existing device property in LogicMonitor.
Syslog AttributeApplication, Facility, Severity.
Dynamic Group Regex“Scheme, Login”“(https*):\/\/([]a-z]+)”The query runs on the message field and captures the first group value from Regex. The keys for Dynamic Group Regex can be added as a comma separated list and values are read from same number of groups.
For the Key and Value example provided in this table, the regex results in metadata for key and value, which is, Scheme and Login. For example:
Scheme=https
Login=<Actual username extracted from the message>
Note: The Dynamic Group Regex method for log fields is available from the LM collector version 34.200 and later.

Resource Mappings

Configure the LM log property to match a monitored resource.

Available parameters

MethodKey exampleValue exampleDescription
Static“Customer_Id”“1921”
IP“system.ips”“10.20.30.40”Use the syslog host field information and resolve it to IP (For example “10.20.30.40”). The Value field is disabled if you select this method, you can only enter a Key.
FQDN“system.hostname”“application.service.example.com”Fully Qualified Domain Name, from DNS resolution of hostname received from syslog message or socket address. 
HOSTNAME“system.hostname”“host1.example.com”The Value field is disabled if you select this method, you can only enter a Key.
HOST WITHOUT DNS“system.hostname”“host1”The Value field is disabled if you select this method, you can only enter a Key.
Dynamic(REGEX)“system.ServiceName”“service=*”The query will run on the message field.
LM Property(Token)“token.resourceMap”“syslog_test_collector”The DeviceID extracted from the existing device property in LogicMonitor.
Dynamic Group Regex“Scheme, Login”“(https*):\/\/([]a-z]+)”The query runs on the message field and captures the first group value from Regex. The keys for Dynamic Group Regex can be added as a comma separated list and values are read from same number of groups.
For the Key and Value example provided in this table, the regex results in metadata for key and value, which is, Scheme and Login. For example:
Scheme=https
Login=<Actual username extracted from the message>
Note: The Dynamic Regex Group method for resource mapping is available from the LM collector version 35.200 and later.

Examples

General Setup

Basic Information

  • Name: Syslog
  • Description: Data collection template for data from monitored syslogs.
  • AppliesTo (custom query): /*isLinux() || isNetwork()*/ 
  • Type: LM Logs: Syslog
  • Group: Syslog

Resource Mappings

MethodKeyValue
Tokendevice##system.hostname##

Resource Mapping

The following is an example of a resource mapping using the LM Property (Token) method. Say you provide a property to map to one of the monitored devices in the LM portal. The key for the LM Property is “token.resourceMap” and the value is “syslog_test_collector”.

When a LogSource is applied on the device, the resource mapping is done with LM_property as “token.resourceMap”, source as “LM Property”, parse method as “Token”, and value as anything starting with “##”, like “##token.resourceMap##”.

The collector receives the hostEntry from the feed, and replaces the ##token.resourceMap## with the value received against the LM_property “token.resourceMap” for that particular host (For example “syslog_test_collector”).

If there are multiple resources to which the log source is applied, the value for LM_property should be unique. Otherwise the Ingest API will not map it to the resource as there will be multiple resources having the same mapping.

The following image is from the Resources information for the example “syslog_test_collector”.  

Custom properties page

The following image is from the resource mapping in LogSource for the example “syslog_test_collector”.

resource mapping page

The resource mapping on the collector side for this LogSource is as follows:

'{"metadata":{"logSource_id":"2249","logsource_name":"syslog_test_token"},"Severity":"3: Error","Host":"localhost","epochWhenAddedInQueue":1633501246808,"Facility":"1: user-level messages","message":"<11>Just a message with metadata test_md1 !!\u0000","_lm.resourceId":{"token.resourceMap":"syslog_test_collector"},"timestamp":1633501246808,"_lm.collectorId":"48"}', raw:'<11>Example message with metadata test_md1 !!'
In This Article

Start Your Trial

Full access to the LogicMonitor platform.
Comprehensive monitoring and alerting for unlimited devices.