Syslog LogSource Configuration
Last updated on 13 June, 2023Disclaimer: The LogSource LM LogicModule is currently in open Beta.
LogSource is a LogicModule that provides templates to help you enable LM Logs and configure log data collection and forwarding. LogSource contains details about which logs to get and where to get them, and which fields should be considered for parsing. LogSource is available for common sources of log data.
Requirements
The Syslog LogSource type uses the LM Collector. When using the LM Collector with LogSource, the LM Collectors installed in your infrastructure must be version EA 31.200 or later. For information on how to upgrade a collector, see Managing Collectors.
Configuration Options
The following describes configuration details specific to the Syslog type of LogSource. For general information on how to add a LogSource, see Configuring a LogSource.
Note: In cases with high volume of Linux syslog messages, some messages may not reach the collector. To prevent this, you can increase the rmem value on the Linux instance where the collector is installed. Do the following:
- Open the /etc/sysctl.conf file
- Add the line
net.core.rmem_max=15728640and save the file - Run the
sysctl --systemcommand
Basic Information
If you have Syslog events that do not include time information, toggle Use received time instead of log timestamp to use the timestamp for when the log was received by the Collector.
Include Filters
You can add filters to include resources of certain types, for example an application. The output matching the filter criteria will be forwarded to the log ingestion process.
Available parameters
| Attributes | Comparison operator | Value example | Description |
| Application | Equal, NotEqual, Contain, NotContain, Exist, NotExist, RegexMatch, RegexNotMatch. | The Value field is disabled if you select “Exist” or “NotExist”. | |
| Facility | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist, GreaterThan, GreaterEqual, LessThan, LessEqual. | Predefined options like “kernel messages”, “system daemons”, and “log alert”, are available. | The Value field is disabled if you select “Exist” or “NotExist”. |
| Message | Equal, NotEqual, Contain, NotContain, RegexMatch, RegexNotMatch, Exist, NotExist. | The Value field is disabled if you select “Exist” or “NotExist”. | |
| Severity | Equal, MoreUrgentThan. | Emergency, Alert, Critical, Warning, Notice, Informational, Debug. |
Log Fields
You can configure Log Fields (tags) to send additional metadata with the logs.
Available parameters
| Method | Key example | Value example | Description |
| Static | “Customer” | “Customer_XYZ” | |
| Dynamic(REGEX) | “Host” | “host=*” | The query will run on the message field. |
| LM Property(Token) | “Device” | “##system.deviceId##” | The DeviceID extracted from the existing device property in LogicMonitor. |
| Syslog Attribute | Application, Facility, Severity. |
Resource Mappings
Configure the LM log property to match a monitored resource.
Available parameters
| Method | Key example | Value example | Description |
| Static | “Customer_Id” | “1921” | |
| IP | “system.ips” | “10.20.30.40” | Use the syslog host field information and resolve it to IP, for example “10.20.30.40”. The Value field is disabled if you select this method, you can only enter a Key. |
| FQDN | “system.hostname” | “application.service.example.com” | Fully Qualified Domain Name, from DNS resolution of hostname received from syslog message or socket address. |
| HOSTNAME | “system.hostname” | “host1.example.com” | The Value field is disabled if you select this method, you can only enter a Key. |
| HOST WITHOUT DNS | “system.hostname” | “host1” | The Value field is disabled if you select this method, you can only enter a Key. |
| Dynamic(REGEX) | “system.ServiceName” | “service=*” | The query will run on the message field. |
| LM Property(Token) | “token.resourceMap” | “syslog_test_collector” | The DeviceID extracted from the existing device property in LogicMonitor. |
Examples
General Setup
Basic Information
- Name: Syslog
- Description: Data collection template for data from monitored syslogs.
- AppliesTo (custom query): /*isLinux() || isNetwork()*/
- Type: LM Logs: Syslog
- Group: Syslog
Resource Mappings
| Method | Key | Value |
| Token | device | ##system.hostname## |
Resource Mapping
The following is an example of a resource mapping using the LM Property (Token) method. Say you provide a property to map to one of the monitored devices in the LM portal. The key for the LM Property is “token.resourceMap” and the value is “syslog_test_collector”.
When a LogSource is applied on the device, the resource mapping is done with LM_property as “token.resourceMap”, source as “LM Property”, parse method as “Token”, and value as anything starting with “##”, like “##token.resourceMap##”.
The collector receives the hostEntry from the feed, and replaces the ##token.resourceMap## with the value received against the LM_property “token.resourceMap” for that particular host, for example “syslog_test_collector”.
If there are multiple resources to which the log source is applied, the value for LM_property should be unique. Otherwise the Ingest API will not map it to the resource as there will be multiple resources having the same mapping.
The following image is from the Resources information for the example “syslog_test_collector”.
The following image is from the resource mapping in LogSource for the example “syslog_test_collector”.
The resource mapping on the collector side for this LogSource is as follows:
'{"metadata":{"logSource_id":"2249","logsource_name":"syslog_test_token"},"Severity":"3: Error","Host":"localhost","epochWhenAddedInQueue":1633501246808,"Facility":"1: user-level messages","message":"<11>Just a message with metadata test_md1 !!\u0000","_lm.resourceId":{"token.resourceMap":"syslog_test_collector"},"timestamp":1633501246808,"_lm.collectorId":"48"}', raw:'<11>Example message with metadata test_md1 !!'