ActiveGate version 1.295+ recommended
Syslog, short for system logging protocol, is a logging mechanism that enables system administrators to oversee and control log files from various system components, such as network devices, Linux host syslog, syslog servers, or other syslog producers.
This guide shows you how to configure your Environment ActiveGate on Linux to collect syslog logs in your network and ingest them to Dynatrace.
Syslog ingestion is performed by an ActiveGate. The syslog ingestion throughput depends on the hardware your ActiveGate is deployed on.
This guide is intended for network and Dynatrace admins who are tasked to enable the syslog log ingestion into Dynatrace.
Enabling syslog log ingestion requires you to:
Deploy Environment ActiveGate.
See instructions for Linux. Use the remote technologies monitoring purpose.
Enable syslog ingestion on your ActiveGate.
Edit the /var/lib/dynatrace/remotepluginmodule/agent/conf/extensionsuser.conf
file and add the following flag:
syslogenabled=true
optional Edit the syslog receiver configuration.
ActiveGate uses an embedded Dynatrace OpenTelemetry Collector instance and stores the receiver configuration in the /var/lib/dynatrace/remotepluginmodule/agent/conf/syslog.yaml
file. The Collector is installed by default.
Use this configuration only for syslog ingestion.
If your syslog producers use the default ports per supported protocols, your syslog-enabled ActiveGate should receive syslog records right away.
You only need to modify the configuration if your syslog producers cast events on custom ports.
receivers:syslog/udp:udp:listen_address: '0.0.0.0:514'add_attributes: trueprotocol: rfc5424operators:- type: syslog_parserprotocol: rfc5424syslog/tcp:tcp:listen_address: '0.0.0.0:601'add_attributes: trueprotocol: rfc5424operators:- type: syslog_parserprotocol: rfc5424# syslog/tcp_tls:# tcp:# listen_address: "0.0.0.0:6514"# tls:# cert_file: "/absolute/path/to/server.crt"# key_file: "/absolute/path/to/server.key"# protocol: rfc5424# operators:# - type: syslog_parser# protocol: rfc5424#DO.NOT.MODIFYexporters:otlphttp/syslog: ${file:syslogendpoint.yaml}processors:batch:send_batch_size: 512send_batch_max_size: 1024transform:log_statements:- context: logstatements:- set(body, attributes["message"])attributes:actions:- key: net.host.nameaction: delete- key: net.peer.nameaction: delete- key: net.peer.portaction: delete- key: net.transportaction: delete- key: net.host.ipaction: delete- key: dt.ingest.portfrom_attribute: net.host.portaction: upsert- key: dt.ingest.source.ipfrom_attribute: net.peer.ipaction: upsert- key: net.peer.ipaction: delete- key: net.host.portaction: delete- key: syslog.hostnamefrom_attribute: hostnameaction: upsert- key: hostnameaction: delete- key: syslog.facilityfrom_attribute: facilityaction: upsert- key: facilityaction: delete- key: syslog.priorityfrom_attribute: priorityaction: upsert- key: priorityaction: delete- key: syslog.proc_idfrom_attribute: proc_idaction: upsert- key: proc_idaction: delete- key: syslog.versionfrom_attribute: versionaction: upsert- key: versionaction: delete- key: syslog.appnamefrom_attribute: appnameaction: upsert- key: appnameaction: delete- key: messageaction: deleteservice:telemetry:metrics:level: nonepipelines:logs/udp:receivers: [syslog/udp]processors: [transform, attributes, batch]exporters: [otlphttp/syslog]logs/tcp:receivers: [syslog/tcp]processors: [transform, attributes, batch]exporters: [otlphttp/syslog]# logs/tcp_tls:# receivers: [syslog/tcp_tls]# processors: [transform, attributes, batch]# exporters: [otlphttp/syslog]
Note: Do NOT modify the exporter configuration. The default configuration points to the embedded Collector.
For more information on syslog receiver configuration, see Ingest syslog data using OpenTelemetry Collector.
Verify the syslog ingestion is enabled.
After you enable syslog ingestion, check the following log files to verify it:
Open the newest ruxit_extensionmodule_*.log
log file in the extensions
log directory:
/var/lib/dynatrace/remotepluginmodule/log/extensions
It should contain the following line:
Otel syslog enabled: true
Enable syslog on the devices you want to monitor.
The way you enable syslog depends on the device and its platform, refer to specific documentation for details.
Example Configure Rsyslog on Linux Ubuntu to forward syslog logs to a remote server.
Add the following line to the syslog daemon configuration file (/etc/rsyslog.conf
)
*.* @<ActiveGate host IP>:514
@@ @<ActiveGate host IP>:601
*.*
or @@
instruct the daemon to forward all messages to the specified ActiveGate listening on the provided port and IP address. <ActiveGate host IP>
needs to point to the IP address of a syslog-enabled ActiveGate.
For more examples, see Syslog via OpenTelemetry Collector
Verify ActiveGate receives the syslog events.
After your syslog producers start to cast log records, open the latest dynatracesourceotelcollector.*.log
file in /var/lib/dynatrace/remotepluginmodule/log/extensions/datasources/otelSyslog
.
If ActiveGate receives the log records you should see entries as in the example below:
[otelSyslog][otelSyslog][37448][err]LogRecord #3[otelSyslog][oteiSyslog][37448][err]ObservedTimestamp: 2024-05-06 @9:52:10.6748723 +8000 UTC[otelSyslog][otelSyslog][37448][err]Timestamp: 2624-05-@6 11:52:16 +90e0 UTC[otelSyslog][otelsyslog][37448][err]SeverityText: info[otelSyslog][otelSyslog][37443][err]SeverityNumber: Info(9)[otelSyslog][otelSyslog][37448][err]Body: Str(<30>May 6 11:52:10 SOME-HOST systemd[1]: Finished Load Kernel Module fuse.)[otelSyslog][otelSyslog][37448][err]Attributes:[otelSyslog][otelSyslog][37448][err] -> priority: Int(3)[otelSyslog][otelSyslog][37448][err] -> facility: Int(3)[otelSyslog][otelSyslog][37448][err] -> appname: Str(systemd)[otelSyslog][otelSyslog][37448][err] -> proc_id: Str(1)[otelSyslog][otelSyslog][37443][err] -> log: Map({“source": “syslog"})[otelSyslog][otelSyslog][37443][err] -> hostname: Str(SOME-HOST)[otelSyslog][otelSyslog][37443][err] -> message: Str(Finished Load Kernel Module fuse.)[otelSyslog][otelSyslog][37448][err]Trace ID:[otelSyslog][otelSyslog][37448][err]Span ID:[otelSyslog][otelSyslog][37443][err]Flags: 0
For more information on troubleshooting the syslog receiver, see Collector troubleshooting.
You've arrived! Now, your syslog-ingested events are enriched with the host-specific attributes and become available in Grail for Davis® AI-based data analysis, log processing, or querying via DQL.
ActiveGate syslog ingestion supports the OpenTelemetry Transform Processor and OpenTelemetry Transformation Language (OTTL) to process your syslog data at edge, before sensitive data leaves your network.
This way, you can use it to mask or hash sensitive data in your syslog lines, so that no sensitive information is ingested into Dynatrace.
Let's assume your credit card data is visible in syslog as:
<14>2 2024-07-19T14:53:55Z example-host 0OOButHPbR 1234 - - New operation for CreditCard 1234567891011124
To mask a credit card number, add the following configuration under the processors node of the syslog.yaml
file:
processors:transform/redact_credict_cart:log_statements:- context: logstatements:- replace_pattern(body, "\\d{15,16}", "REDACTED")
The replace_pattern
function replaces the credit card number with the REDACTED
string. The credit card number in the content is matched by the body, "\\d{15,16}"
pattern.
You can also modify the default configuration if you want to group a set of various devices by configuring them to use a specific port. For example, using very generic log messages, you can enrich your syslog events cast on specific TCP ports with custom attributes using the configuration as in the example below.
receivers:syslog/f5:tcp:listen_address: "0.0.0.0:54526"protocol: rfc5424operators:- type: addfield: attributes.log.sourcevalue: syslog- type: addfield: attributes.dt.ip_addressesvalue: "1xx.xx.xx.xx1"- type: addfield: attributes.instance.namevalue: "ip-1xx-xx-x-xx9.ec2.internal"- type: addfield: attributes.device.typevalue: "f5bigip"syslog/host:tcp:listen_address: "0.0.0.0:54527"protocol: rfc5424operators:- type: addfield: attributes.log.sourcevalue: syslog- type: addfield: attributes.device.typevalue: "ubuntu-syslog"
You can also use:
delete
to exclude specific attributes from ingestion.upsert
to insert a new attribute to your log line where the key does not already exist, or to update an attribute where the key does exist.For example, if we can read the net.peer.port
attribute, its value is used for custom.remote.port
. Otherwise, the custom.report.port
isn't set.
attributes:actions:- key: custom.remote.portfrom_attribute: net.peer.portaction: upsert
For more information on attributes configuration, see Attributes Processor.
You can filter the syslog data to drop irrelevant log lines and reduce your consumption at edge, before the data leaves your network.
For example, assume we want to ignore log lines categorized with syslog facility 21
,
<21> 2024-07-19T14:53:55Z example-host 0OOButHPbR 1234 - - Spam mail
Add the following filter to the syslog.yaml
file.
filter/mail:logs:log_record:- attributes["syslog.facility"] == 21
The log line isn't ingested based on the 21
syslog facility.
Some devices send syslog in a non-standard format that doesn't comply with the RFC3164 and RFC5424 standards.
For example, the Cisco switch series C9300 produces the following non-standard lines:
<189>: Jul 18 07:15:58: %WEBSERVER-5-SESS_TIMEOUT: Switch 1 Session timeout from host 172.31.100.31 by user 'snmptest' using crypto cipher 'TLS_AES_256_GCM_SHA384'
In comparison with the RFC3164 standard, there are two additional colon (:
) characters, one after the priority value (PRIVAL) <189>
and the other after the timestamp. Additionally, instead of hostname and tag, error description %WEBSERVER-5-SESS_TIMEOUT
is provided.
The message format according to the standard is:
<PRIVAL>TIMESTAMP HOSTNAME TAG: MESSAGE
To ingest such lines, after you enable the syslog ingestion, you can transform them with the Dynatrace OpenPipeline to the supported format.
To fix the format from the example above, create a new logs pipeline or use an existing logs pipeline and add the following DQL processor:
Name: Cisco syslog
Matching condition: This condition matches lines with the colon (:
) character after the timestamp.
(matchesPhrase(content, ">: Jan") ormatchesPhrase(content, ">: Feb") ormatchesPhrase(content, ">: Mar") ormatchesPhrase(content, ">: Apr") ormatchesPhrase(content, ">: May") ormatchesPhrase(content, ">: Jun") ormatchesPhrase(content, ">: Jul") ormatchesPhrase(content, ">: Aug") ormatchesPhrase(content, ">: Sep") ormatchesPhrase(content, ">: Oct") ormatchesPhrase(content, ">: Nov") ormatchesPhrase(content, ">: Dec")) and(matchesPhrase(content, "-0-") ormatchesPhrase(content, "-1-") ormatchesPhrase(content, "-2-") ormatchesPhrase(content, "-3-") ormatchesPhrase(content, "-4-") ormatchesPhrase(content, "-5-") ormatchesPhrase(content, "-6-") ormatchesPhrase(content, "-7-")) andmatchesPhrase(content, ": %")
DQL processor definition:
parse content, "'<'INT:syslog.priority'>:'SPACETIMESTAMP('MMM dd hh:mm:ss')':'SPACE'%'LD:syslog.facility_type'-'INT:syslog.severity'-'LD:syslog.mnemonic':'SPACE?LD:content", preserveFieldsOnFailure: true| fieldsAddsyslog.facility = syslog.priority / 8,status = if(syslog.severity <= 3 , "ERROR",else: if(syslog.severity == 4, "WARN",else: if(syslog.severity <= 7, "INFO",else: "NONE"))),loglevel = if(syslog.severity == 0 , "EMERGENCY",else: if(syslog.severity <= 3, "ERROR",else: if(syslog.severity == 4, "WARN",else: if(syslog.severity == 5 orsyslog.severity == 6, "INFO",else: if(syslog.severity == 7, "DEBUG",else: "NONE")))))
Sample data
{"timestamp": "2024-07-19 11:49:32.319","content": "<189>: Jul 29 09:08:38: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: snmptest] [Source: 10.107.0.239] [localport: 22] at 09:08:38 UTC Mon Jul 29 2024","dt.ingest.port": "514"}
When you select Run sample data, the processor returns the following preview matching the standard syslog format:
{"results": [{"matched": true,"record": {"syslog.facility_type": "SEC_LOGIN","syslog.severity": 5,"syslog.mnemonic": "LOGIN_SUCCESS","syslog.priority": 189,"loglevel": "INFO","dt.ingest.port": "514","syslog.facility": 23,"content": "Login Success [user: snmptest] [Source: 10.107.0.239] [localport: 22] at 09:08:38 UTC Mon Jul 29 2024","timestamp": "2024-07-19T11:49:32.319000000Z","status": "INFO"}}]}
For general instructions on processors, see Configure a processing pipeline.