Creating LogSources

LogSources is a LogicModule that provide templates to help you enable logs and configure log data collection and forwarding. LogSources have similar configuration properties as the LM Logs Collector configuration with system properties to map log ingestion, filters, and so on. LogSources is available for Syslog, Windows Events, Kubernetes Events, and other common sources of log data.

For an overview of supported logsource types, see About LogSources. For an overview of various methods for sending logs to LM Logs, see About Log Ingestion.

Requirements

When using the LM Collector with LogSources, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.

Adding LogSources

1. In your LogicMonitor portal, select Settings > LogicModules > LogSources.
2. Select Add and select one of the following options:
   • Select LogSource to configure a new logsource from scratch for your account.
   • Select From LogicMonitor Repository to import configurations for a logsource from a LogicMonitor repository.
   • Select From File to import logsource configurations from an XML file, see Importing/Exporting XML LogicModules.

Configuring LogSources

To set up a new logsource for your account, enter values in the configuration sections as described in the following.

General Information Section

Enter values as follows:

1. Name: Add a descriptive name, this will be displayed in the list of logsources.
2. Description and Technical Notes: Optional information about the logsource.
3. Applies To: Enter the resources to which the logsource is applied. Optionally, select Wizard for a step-by-step guidance through the resource selection. Select Test AppliesTo to test the resource selection, and refine the criteria as needed.
4. Type: Select the type of resource that the logsource is applied to. Depending on your selection here, available configuration options in other sections will vary. 
5. Group: The group under which the logsource should be present. Select the LogSource group or create a new one. If no group is specified, the logsource will be placed in @ungrouped.

Exclude/Include Filters Sections

Optionally, you can add filters to exclude or include events. If you add filters, events must meet the filter criteria in order to be detected and alerted on. Available filtering options depend on the selected logsource type. If no filter is provided all log events will be included by default.

Enter values as follows:

1. In the list of Exclude/Include Filters, select the plus sign to add a filter.
2. Attribute: Add the type of item to filter on, options depend on type of logsource. Example: “Level” for a Windows Event Logging type of logsource.
3. Select a Comparison Operator, for example “Equal” or “RegexMatch”, depending on type of attribute.
4. Add a Value, depends on attribute and comparison operator, for example “Warning”.
5. Add an optional Comment.
6. Save the filter.

When defining the severity level to be included for incoming log messages, you can include multiple levels specified with a pipe separator. You can also use level numbers such as 1 for error, 2 for warning, and 3 for information.

Example: If you want to only include log messages for errors and warnings, you can set the filter with the attribute “Level”, comparison operator “In”, and value “1 | 2”.

As you’re defining filters, you can select Test AppliesTo to perform test runs to ensure events are filtered and captured as you intended. You can also use the testing capability before any filters are defined in order to return all messages from a device, and use this information to refine parameter values. 

Log Fields/Tags Section

Optionally, you can configure Log Fields/Tags to include additional metadata to be sent with the logs. You can also add LogicMonitor resource properties as log metadata.

Enter values as follows:

1. In the list of Log Fields/Tags, select the plus sign to add log field/tag.
2. Method: Add the method for collecting the metadata, options depend on type of logsource. Example: “Windows Event Attribute” for a Windows Event Logging type of logsource.
3. Enter a Key, for example “Source”.
4. Add a Value, for example “Source Name”.
5. Add an optional Comment.
6. Save the log field/tag.

Resource Mapping Section

This is required for some logsource types and provides information about which resource the logs should map to. The settings define the resource properties to use for the collector device mapping. For more information see agent.conf Collector Settings.

Enter values as follows:

1. In the Resource Mapping list, select the plus sign to add a resource mapping.
2. Method: Add the mapping method, for example “IP”. 
3. Add a mapping Key, for example “system.hostname”.
4. Add  a Value, depending on selected method.
5. Add an optional Comment.
6. Save the resource mapping.

Example
The resource mapping in the following example is equivalent of this collector configuration:

• lmlogs.syslog.hostname.format=IP
• lmlogs.syslog.property.name=system.hostname

Other Options Section

Specific for the logsource type. Can for example be the option to use the timestamp when the log was received by the collector (Syslog).

Saving LogSources

Select Save to add the new logsource, or when you have updated an existing one.

Other options:

• Clone: Use this option to copy and modify an existing logsource as base for a new one.
• Show history: Information about updates to the logsource.

More on Configuration

LogSources Versus Collector Configuration

Configuring Alternative Collectors

If logs for LM Logs ingestion should be sent to a different collector than the one monitoring the resource, you need to define the Logs Collector Group and Preferred Logs Collector on each resource. 

Do the following to update the configuration:

1. For each resource, select Manage, and select Manage Device.
2. Select the Enable LM Logs checkbox.
3. Enter the Collector Group and the preferred LM Logs Collector.
4. Select Save.