Custom log source configuration enables you to manually add log sources that have not been autodetected.
In such cases, you can define, configure, and customize log sources to your needs.
The entire process consists of two parts:
If you need to store your custom logs, you need to complete both steps.
Each custom log source path you add needs to be validated by OneAgent and abide by its security rules. See Security rules for configuration files and examples.
Compared to log addition in earlier OneAgent versions, the process now has several improvements.
Custom log source configuration enables you to:
Three hierarchy scopes are supported: host, host group, and environment. The narrower a given scope, the higher its priority.
To configure custom log sources at the host level
To configure custom log sources at the host group level
To configure custom log sources at the environment level
Go to the Custom log sources page at the host, host group, or environment level as described above.
Select Add custom log source and add Rule name.
optional Bind your rule to a process group by selecting the process group name from the dropdown menu.
In the Custom log source paths section, select Log source type. There are two source types available:
To define a log path, select Add custom log source path, enter your path (for example, /var/lib/*.log or /var/log/sys.bin), and select Add Path. You can add up to 100 values per log source.
As in the following example, you can display the log name and path by right-clicking on the chosen event log and selecting Properties:
optional Select Show advanced to expand the panel that lets you define the list of attributes which will enrich each log record from the defined log sources. Enter the attribute key or select it from the list, and then enter the attribute value. This is available only if you have selected the Log source type as Log Path.
When using wildcards in the log path, you may want to distinguish the paths matched by the wildcards. In such cases, you can define attributes that use the whole file path or a part of the path matched by the wildcards.
To define such an attribute, follow the steps below:
${N} token, where N denotes the index of the wildcard you refer to, starting from 1. ${0} has a special meaning and expands to the full log file path.
You can use multiple ${N} tokens in a single attribute and combine them with other characters. For example, worker:${1}-${2}.
If the ${N} token refers to a wildcard index higher than the number of wildcards in the log path, it won't be replaced, and ${N} will remain in the attribute value.
The attribute key must contain only Latin alphanumeric characters (upper or lower case), dots (.), underscores (_), hyphens (-), or colons (:). It must not start with the dt. prefix and must not be any of the following:
process.technology, log.source, log.content, timestamp, container.name, winlog.level, winlog.eventid, winlog.provider, winlog.opcode, winlog.task, winlog.keywords, winlog.username, k8s.namespace.name, k8s.container.name, k8s.deployment.name
Select Save changes.
To activate your rule, turn on the Active toggle.
When handling logs on NFS, access permissions are strictly enforced. This is true despite the increased capabilities of OneAgent, which allow it to access local files without having read permissions for the dtuser user.
To allow OneAgent to process and ingest NFS-mounted resources:
read and execute permissions set.
read permission set.
Example log file to add:
/mnt/nfs/logs/app1/test.log
where /mnt/nfs is mounted to an external NFS resource.
In this scenario, both /mnt/nfs/logs and /mnt/nfs/logs/app1 need r-x permissions for others, and every test.log.* file needs r-- permissions for others as shown below:
$ ls -l /mnt/nfs
drwxr-xr-x 3 1001 1002 4096 Sep 8 17:11 logs
$ ls -l /mnt/nfs/logs
drwxr-xr-x 3 1001 1002 4096 Sep 8 17:11 app1
$ ls -l /mnt/nfs/logs/app1
-rw-rw-r-- 3 1001 1002 100 Jul 19 14:22 test.log
-rw-rw-r-- 3 1001 1002 100 Jul 19 14:23 test.log.1
-rw-rw-r-- 3 1001 1002 100 Jul 19 14:24 test.log.2
When configuring a custom log source, follow these rules:
any letter:\
/
//hostname/
# replaces a string of numbers, while * substitutes a string of any characters except for slash (/) or backslash (\). While * can be used both in file names and directories, # can be used only in file names.
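The wildcard rules above and the ${N} attribute tokens described earlier, modeled together in Python as an added example (this is not Dynatrace or OneAgent code). It assumes that * may match an empty string, that # matches one or more digits, and that both wildcard kinds are numbered left to right for ${N}; the function names and sample paths are constructed for illustration.

```python
import re

TOKEN = re.compile(r"\$\{(\d+)\}")

def compile_pattern(pattern):
    """Translate a custom log source path containing * and # into a regex.

    Assumptions, not confirmed by the page: '*' may match an empty string,
    '#' matches one or more digits, and both count toward the ${N} index.
    """
    last_sep = max(pattern.rfind("/"), pattern.rfind("\\"))
    if "#" in pattern[:last_sep + 1]:
        raise ValueError("'#' can be used only in file names")
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r"([^/\\]*)")   # any characters except / and \
        elif ch == "#":
            parts.append(r"([0-9]+)")    # a string of numbers
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def expand_attribute(pattern, path, template):
    """Return the attribute value for path, or None if path does not match."""
    m = compile_pattern(pattern).fullmatch(path)
    if m is None:
        return None
    def repl(tok):
        n = int(tok.group(1))
        if n == 0:
            return path                  # ${0} expands to the full log file path
        if n > len(m.groups()):
            return tok.group(0)          # index too high: token is left as written
        return m.group(n)
    return TOKEN.sub(repl, template)

if __name__ == "__main__":
    pattern = "/var/log/*/worker-#.log"          # constructed sample path
    for path in (
        "/var/log/app1/worker-12.log",           # matches: ${1}=app1, ${2}=12
        "/var/log/app1/sub/worker-12.log",       # no match: * does not cross '/'
        "/var/log/app1/worker-ab.log",           # no match: # needs digits
    ):
        print(path, "->", expand_attribute(pattern, path, "worker:${1}-${2}"))
```
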