Creating LogSources

Last updated on 22 November, 2022

With LogSources you can view and configure log integrations in the LogicMonitor portal. LogSources provide out-of-the-box setup and configuration for popular logsources. Their configuration properties are similar to those of the LM Logs Collector configuration, with system properties to map log ingestion, filters, and so on.

For an overview of supported logsource types, see About LogSources.

Requirements

When using the LM Collector with LogSources, the Collectors installed in your infrastructure should be version 32.000 or higher. For information on how to upgrade a collector, see Managing Collectors.

Where to Create LogSources

  1. From the LogicMonitor navigation sidebar, click Settings, and under LogicModules, click LogSources.
  2. Click Add and select one of the following options:
    • Click LogSource to configure a new logsource from scratch for your account.
    • Select From LogicMonitor Repository to import configurations for a logsource from a LogicMonitor repository.
    • Select From File to import logsource configurations from an XML file. See Importing/Exporting XML LogicModules.

Configuring LogSources

To set up a new logsource for your account, enter values in the configuration sections as described in the following sections.

Note: Available configuration options vary depending on the type of logsource selected in the General Information section. See Configuring LogSources for details on each logsource type.

General Information Section

Enter values as follows:

  1. Name: Add a descriptive name. This is displayed in the list of logsources.
  2. Description and Technical Notes: Optional information about the logsource.
  3. Applies To: Enter the resources to which the logsource is applied. Optionally, click Wizard for step-by-step guidance through the resource selection. Click Test AppliesTo to test the resource selection, and refine the criteria as needed.
  4. Type: Select the type of resource that the logsource is applied to. The options available in other sections vary depending on your selection here.
  5. Group: The group under which the logsource should be present. Select the LogSource group or create a new one. If no group is specified, the logsource will be placed in @ungrouped.

Exclude/Include Filters Sections

Optionally, you can add filters to exclude or include events. If you add filters, events must meet the filter criteria in order to be detected and alerted on. The available filtering options depend on the selected logsource type. See Configuring LogSources for details. If no filter is provided, all log events are included by default.

Enter values as follows:

  1. In the list of Exclude/Include Filters, click the plus sign to add a filter.
  2. Attribute: Add the type of item to filter on. The options depend on the type of logsource. Example: “Level” for a Windows Event Logging type of logsource.
  3. Select a Comparison Operator, for example “Equal” or “RegexMatch”, depending on the type of attribute.
  4. Add a Value, which depends on the attribute and comparison operator, for example “Warning”.
  5. Add an optional Comment.
  6. Save the filter.

When defining the severity level to be included for incoming log messages, you can include multiple levels separated by a pipe character. You can also use level numbers such as 1 for error, 2 for warning, and 3 for information. Example: If you want to include only log messages for errors and warnings, you can set the filter with the attribute “Level”, comparison operator “In”, and value “1 | 2”.

As you’re defining filters, you can click Test AppliesTo to perform test runs to ensure events are filtered and captured as you intended. You can also use the testing capability before any filters are defined in order to return all messages from a device, and use this information to refine parameter values.
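The following is an added example, not LogicMonitor code: a small offline model of the filter rules described above, useful for checking which events a planned filter set would keep before relying on it for alerting. The operator names and level numbers come from this page; the way several filters combine (any exclude match drops the event, every include filter must match), the partial-match behavior of “RegexMatch”, and the sample events are assumptions.

```python
import re

# Level numbers as given on the page: 1 = error, 2 = warning, 3 = information.
LEVEL_NUMBERS = {"error": "1", "warning": "2", "information": "3"}

def normalise(attribute, value):
    """Map level names to their numbers so "Warning" and "2" compare equal."""
    text = str(value).strip()
    if attribute.lower() == "level":
        return LEVEL_NUMBERS.get(text.lower(), text)
    return text

def matches(event, flt):
    """Evaluate one filter (attribute, operator, value) against one event."""
    attribute, operator, value = flt
    if attribute not in event:
        return False
    actual = normalise(attribute, event[attribute])
    if operator == "Equal":
        return actual == normalise(attribute, value)
    if operator == "In":
        # Pipe-separated list such as "1 | 2"; spaces around items are ignored.
        return actual in {normalise(attribute, v) for v in value.split("|")}
    if operator == "RegexMatch":
        # Assumption: the pattern may match anywhere in the attribute value.
        return re.search(value, str(event[attribute])) is not None
    raise ValueError(f"unsupported operator: {operator}")

def select(events, include=(), exclude=()):
    """Assumed combination: drop on any exclude match, keep if all includes match.
    With no filters at all, every event is kept (the default stated on the page)."""
    return [e for e in events
            if not any(matches(e, f) for f in exclude)
            and all(matches(e, f) for f in include)]

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Level": "Error", "Source": "Service Control Manager", "Message": "service terminated"},
    {"Level": "2", "Source": "Disk", "Message": "paging error detected"},
    {"Level": "Information", "Source": "Security-Auditing", "Message": "logon success"},
    {"Level": "Warning", "Source": "Security-Auditing", "Message": "logon failure"},
]

if __name__ == "__main__":
    kept = select(SAMPLE_EVENTS, include=[("Level", "In", "1 | 2")])
    print([e["Message"] for e in kept])
```

In this model the “1 | 2” include filter drops the information-level audit event, which is the kind of gap to look for when an include filter is the only thing deciding what reaches alerting.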

Log Fields/Tags Section

Optionally, you can configure Log Fields/Tags to include additional metadata to be sent with the logs. You can also add LM resource properties as log metadata.

Enter values as follows:

  1. In the list of Log Fields/Tags, click the plus sign to add a log field/tag.
  2. Method: Add the method for collecting the metadata. The options depend on the type of logsource. Example: “Windows Event Attribute” for a Windows Event Logging type of logsource.
  3. Enter a Key, for example “Source”.
  4. Add a Value, for example “Source Name”.
  5. Add an optional Comment.
  6. Save the log field/tag.

Resource Mapping Section

This section is required for some logsource types and provides information about which resource the logs should map to. The settings define the resource properties to use for the collector device mapping. For more information, see agent.conf Collector Settings.

Enter values as follows:

  1. In the Resource Mapping list, click the plus sign to add a resource mapping.
  2. Method: Add the mapping method, for example “IP”.
  3. Add a mapping Key, for example “system.hostname”.
  4. Add a Value, depending on the selected method.
  5. Add an optional Comment.
  6. Save the resource mapping.

Example
The resource mapping in the following example is equivalent to this collector configuration:

  • lmlogs.syslog.hostname.format=IP
  • lmlogs.syslog.property.name=system.hostname

Other Options Section

These options are specific to the logsource type. One example is the option to use the timestamp when the log was received by the collector (Syslog).

Saving Options

Click Save to add the new logsource, or to save changes to an existing one.

Other options:

  • Clone: Use this option to copy and modify an existing LogSource as the base for a new one.
  • Show history: Information about updates to the LogSource.
  • Publish to Exchange: Use this option to make a LogSource available in LM Exchange.

More on Configuration

LogSources Versus Collector Configuration

LogSource configurations supersede collector configurations. For example, say you are sending logs to a CollectorA resource using the traditional log collection method. Then you configure a new LogSource whose AppliesTo includes that resource. In this case the LogSource configuration is applied, which could cause resource mapping conflicts.

Configuring Alternative Collectors

If logs are sent to a collector other than the monitoring collector, you need to define the Logs Collector Group and Preferred Logs Collector on each resource.

Do the following to update the configuration:

  1. For each resource, click Manage, and select Manage Device.
  2. Select the Enable LM Logs checkbox.
  3. Enter the Collector Group and the preferred LM Logs Collector.
  4. Click Save.