Log Monitoring Classic
OneAgent version 1.251+ Dynatrace Cluster version 1.254+
In OneAgent version 1.249 and earlier, you need to add log files manually.
Custom log source configuration enables you to manually add log sources that have not been autodetected.
In such cases, you can define, configure, and customize log sources to your needs.
The entire process consists of two parts:
If you need to store your custom logs, you need to complete both steps.
Compared to the log addition in earlier versions of OneAgent versions, the process now has several improvements.
Custom log source configuration enables you to:
Automatically migrate your legacy custom log source configuration: each of your existing rules is migrated to the environment scope with the corresponding process group context set accordingly. The names of migrated rules have the auto-migrated
prefix.
Three hierarchy scopes are supported: host, host group, and environment. The narrower a given scope, the higher its priority.
To configure custom log sources at the host level
To configure custom log sources at the host group level
The Host group property is not displayed when the selected host doesn't belong to any host group.
<group name>
link, where <group name>
is the name of the host group that you want to configure.To configure custom log sources at the environment level
Go to the Custom log sources page at the host, host group, or environment level as described above.
Select Add custom log source and add Rule name.
optional Bind your rule to a process group by selecting the process group name from the dropdown menu.
In the Custom log source paths section, select Log source type. There are two source types available:
To define a log path, select Add custom log source path, enter your path (for example, /var/lib/*.log
or /var/log/sys.bin
), and select Add Path. You can add up to 100 values per log source. If you selected Windows Event Log, refer to Windows event example to add a proper log path.
optional Select Show advanced to expand the panel that lets you define the list of attributes which will enrich each log record from the defined log sources. Enter the attribute key or select it from the list, and then enter the attribute value. This is available only if you have selected the Log source type as Log Path.
When using wildcards in the log path, you may want to distinguish the paths matched by the wildcards. In such cases, you can define attributes that use the whole file path or a part of the path matched by the wildcards.
To define such an attribute, follow the steps below:
${N}
token, where N
denotes the index of the wildcard you refer to, starting from 1. ${0}
has a special meaning and expands to the full log file path.You can use multiple ${N}
tokens in a single attribute and combine them with other characters. For example, worker:${1}-${2}
.
If the ${N}
token refers to a wildcard index higher than the number of wildcards in the log path, it won't be replaced, and ${N}
will remain in the attribute value. The attribute key must contain only Latin alphanumeric characters (upper or lower case), dots (.
), underscores (_
), hyphens (-
), or colons (:
). It must not start with the dt.
prefix and must not be any of the following:
process.technology, log.source, log.content, timestamp, container.name, winlog.eventid, winlog.provider, winlog.opcode, winlog.task, k8s.namespace.name, k8s.container.name, k8s.deployment.name
You can define up to 100 attributes per log path. The minimum required version is OneAgent version 1.285.
Select Save changes.
To activate your rule, turn on the Active toggle.
When handling logs on NFS, access permissions are strictly enforced. This is true despite the increased capabilities of OneAgent, which allow it to access local files without having to read permissions for the dtuser
user.
To allow OneAgent to process and ingest NFS-mounted resources:
read
and execute
permissions set.read
permission set.Example log file to add:
/mnt/nfs/logs/app1/test.log
where /mnt/nfs
is mounted to an external NFS resource.
In this scenario, both /mnt/nfs/logs
and /mnt/nfs/logs/app1
need r-x
permissions for others
, and every test.log.*
file needs r--
permissions for others
as shown below:
$ ls -l /mnt/nfsdrwxr-xr-x 3 1001 1002 4096 Sep 8 17:11 logs
$ ls -l /mnt/nfs/logdrwxr-xr-x 3 1001 1002 4096 Sep 8 17:11 app1
$ ls -l /mnt/nfs/logs/app1-rw-rw-r-- 3 1001 1002 100 Jul 19 14:22 test.log-rw-rw-r-- 3 1001 1002 100 Jul 19 14:23 test.log.1-rw-rw-r-- 3 1001 1002 100 Jul 19 14:24 test.log.2
When configuring a custom log source, follow these rules:
any letter:\
/
//hostname/
#
replaces a string of numbers or a hash #
. It can only be used in file names.*
substitutes a string of any characters including the asterisk *
. It does not substitute the slash (/
) or backslash (\
). *
can be used both in file names and directories.Additionally, each custom log source path you add needs to be validated by OneAgent and abide by its security rules (file matching rules). The following security rules are applied on the OneAgent side:
Dynatrace's security rules for custom log sources ensure data protection by managing OneAgent access to log sources. By implementing these security measures, Dynatrace ensures defense against unauthorized access and data misuse. You also have the option to add or override these predefined security rules in the configuration file on the host where OneAgent is intalled, allowing for flexibility in adapting to specific security needs.
The rules prohibit log paths in critical system directories (such as /etc
, /boot
, /proc
, and several others), paths containing .ssh
, paths with the .pem
extension, and paths in directories starting with a dot (indicating hidden directories). Additionally, acceptable log paths must either have a log extension, with certain separators, be located within the first or second level of a log
or logs
directory, be situated at any level of the /var/log
directory, or have the filename catalina.out
.
The rules take into account the resolved paths of symbolic links for security matching, emphasizing the importance of the actual file location over the symlink path.
/etc
, /boot
, /proc
, /dev
, /bin
, /sbin
, /usr
, WindowsRoot:\windows
, or WindowsRoot:\winnt
. However, Windows|winnt\system32\winevt\Logs
is accepted AND.ssh
AND.pem
extension AND.
(for example, /.hidden
) ANDlog
extension separated by .
, -
, or _
(it can be followed by another extension with the same separator set) OR
log
or logs
directory OR/var/log directory
ORcatalina.out
.Files with paths that do not fulfill one or more criteria are not accepted. Once the conditions above are met, log file matching takes place. Check the log file matching rules.
If the log file you've configured for ingestion is a symlink, Dynatrace will verify its log path (the path obtained after following the symlink) against security rules.
You can add or override predefined security rules only in the configuration file on the host where OneAgent is installed.
/var/lib/dynatrace/oneagent/agent/config/logmodule
on Linux and UNIX
%PROGRAMDATA%\dynatrace\oneagent\agent\config\logmodule
on Windows
Any log file with the .json
suffix is allowed in the above directories.
/opt/dynatrace/oneagent/agent/conf
on Linux and UNIX%PROGRAMFILES%\dynatrace\oneagent\agent\conf
on Windows/log/
will match /log/file
and /var/log/file
but not /log/dir/file
/log/*/
will match /log/dir/file
but not /log/dir/dir2/file
[-.\\_]
expression in a pattern means that one of the characters provided in the square brackets must be present for a match to occur.The following structure is given in the file:
allowed-log-paths-configuration
: Marks the array of the rules.Each rule consists of three key-value pairs, with the following mandatory keys:
directory-pattern
file-pattern
action
The description of the keys is given below:
directory-pattern
: This object specifies the pattern for matching directories. The directory pattern is executed from right to left, for example: /log/
will match /log/file.txt
and /var/log/file.txt
but not /log/dir/file.txt
. The following rules apply:
*
. For example, /log/*/
will match /log/dir/file.txt
but not /log/dir/dir2/file.txt
.**
matches any number of subdirectories. For example, the pattern /log/dir/**/file.txt
will match /log/dir/dir1/dir2/dir3/file.txt
.^
matches the start of the path. It anchors the pattern to the beginning of the examined path For example, ^/usr/*/
matches paths starting with /usr/
, such as /usr/log/file.txt
and /usr/local/file.txt
, but will not match /some/usr/log/file.txt
.
For Windows paths, the anchor can also skip the drive letter. For example, the pattern ^/Users/Public/
would match the actual path C:\Users\Public\file.txt
. JSON treats \ as an escape character, so when specifying Windows paths, you can use either C:\\Users\\Public
or C:/Users/Public
but not C:\Users\Public
.You can combine special characters such as *
, **
, and ^
within a single directory pattern to create more complex matching rules. For example, the pattern ^/log/**/dir/*/*/
will match the path /log/some/deep/dir/and/deeper/file.txt
.
file-pattern
: This object specifies the pattern for matching files within the directories matched by the directory pattern
. This pattern is applied using full match. This means that a pattern such as *.txt
will match error.txt
but not error.txt.1
.
To properly detect files that follow rotation patterns, the file pattern must include a wildcard at the end. For example, to match files that rotate from error.txt to error.txt.1, the file pattern should be constructed as *.txt*
.
action
: This object specifies the action to be taken for the matched file. In this case, EXCLUDE
or INCLUDE
.
The [-.\\_]
expression in square brackets means that one of the characters provided in the square brackets must be present for a match to occur.
An example override configuration file is given below:
{"allowed-log-paths-configuration":[{"directory-pattern":"/","file-pattern":"*.pem","action":"EXCLUDE" // or INCLUDE},... your rules ...]}
Each custom log source path you add needs to be validated by OneAgent and abide by its security rules (file matching rules). Some predefined security rules are applied on the OneAgent side. Examples of exclude and include rules for UNIX, Linux, and Windows are listed in the table below.
Operating system | Directory pattern | File pattern | Action |
UNIX |
|
| EXCLUDE |
UNIX |
|
| INCLUDE |
Linux |
| * | EXCLUDE |
Linux |
|
| INCLUDE |
Windows |
| * | EXCLUDE |
Windows |
| * | INCLUDE |
The full list of security rules for UNIX:
{"allowed-log-paths-configuration": [{"directory-pattern":"/","file-pattern":"*.pem","action":"EXCLUDE"},{"directory-pattern":"/.ssh/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/.*/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/","file-pattern":".*","action":"EXCLUDE"},{"directory-pattern":"^/etc/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/boot/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/proc/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/dev/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/bin/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/sbin/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/usr/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern": "/","file-pattern": "*[-.\\_]log[-.\\_]*","action": "INCLUDE"},{"directory-pattern": "/","file-pattern": "*[-.\\_]log","action": "INCLUDE"},{"directory-pattern": "/","file-pattern": "catalina.out*","action": "INCLUDE"},{"directory-pattern": "/log/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/log/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/log/*/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/*/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "^/var/lib/docker/containers/*/","file-pattern": "*.log","action": "INCLUDE"},{"directory-pattern": "^/var/log/**/","file-pattern": "*","action": "INCLUDE"}]}
The full list of security rules for Linux:
{"allowed-log-paths-configuration": [{"directory-pattern":"/","file-pattern":"*.pem","action":"EXCLUDE"},{"directory-pattern":"/.ssh/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/.*/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/","file-pattern":".*","action":"EXCLUDE"},{"directory-pattern":"^/etc/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/boot/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/proc/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/dev/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/bin/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/sbin/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/usr/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern": "/","file-pattern": "*[-.\\_]log[-.\\_]*","action": "INCLUDE"},{"directory-pattern": "/","file-pattern": "*[-.\\_]log","action": "INCLUDE"},{"directory-pattern": "/","file-pattern": "catalina.out*","action": "INCLUDE"},{"directory-pattern": "/log/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/log/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/log/*/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/*/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "^/var/lib/docker/containers/*/","file-pattern": "*.log","action": "INCLUDE"},{"directory-pattern": "^/var/log/**/","file-pattern": "*","action": "INCLUDE"}]}
The full list of security rules for Windows:
{"allowed-log-paths-configuration":[{"directory-pattern":"/","file-pattern":"*.pem","action":"EXCLUDE"},{"directory-pattern":"/.ssh/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/.*/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/","file-pattern":".*","action":"EXCLUDE"},{"directory-pattern":"/windows/system32/winevt/Logs/","file-pattern":"*","action":"INCLUDE"},{"directory-pattern":"/winnt/system32/winevt/Logs/","file-pattern":"*","action":"INCLUDE"},{"directory-pattern":"^/windows/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"^/winnt/**/","file-pattern":"*","action":"EXCLUDE"},{"directory-pattern":"/","file-pattern":"*[-.\\_]log[-.\\_]*","action":"INCLUDE"},{"directory-pattern":"/","file-pattern":"*[-.\\_]log","action":"INCLUDE"},{"directory-pattern":"/","file-pattern":"catalina.out*","action":"INCLUDE"},{"directory-pattern": "/log/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/log/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/log/*/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/*/","file-pattern": "*","action": "INCLUDE"},{"directory-pattern": "/logs/*/*/","file-pattern": "*","action": "INCLUDE"}]}