
Linux Log File Monitoring

This guide will help you set up Loggly as your continuous log file monitoring tool. The script configures both files and directories to send logs to Loggly: it watches files for new lines appended to the end of the file, and once you have configured a directory, it automatically sends newly added files within that directory to Loggly. It assumes you use rsyslog 5.8 or higher, TCP over port 514, and that you have sudo permissions. For alternatives, see the Advanced Options section.

Automatic Script

1. Run The Configure File Monitoring Script

Run our automatic configure-file-monitoring script below to continuously read the files and send the logs to Loggly through your syslog daemon. Alternatively, you can follow our manual configuration instructions below.

curl -O https://www.loggly.com/install/configure-file-monitoring.sh
sudo bash configure-file-monitoring.sh -a SUBDOMAIN -u USERNAME -f FILENAME -l ALIAS

Replace:

  • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
  • USERNAME: your Loggly username, which is visible at the top right of the Loggly console
  • FILENAME: the file or directory you want to monitor, can contain wildcards but cannot contain spaces
  • ALIAS: an easy to recognize name for the syslog.appName field. Must be unique for each file.

You will need to enter your system root password so it can update your rsyslog configuration. It will then prompt for your Loggly password.

2. Verify Events

Search Loggly for events with the file tag over the past hour. It may take a few minutes to index the event. If it doesn’t work, see the troubleshooting section below.

tag:file

[Screenshot: Linux File Monitoring search results]

Manual Configuration

If you prefer, you can configure rsyslog directly to monitor files. Directory monitoring, however, requires the script above.

1. Configure Syslog Daemon

If you haven’t already, run our automatic Configure-Syslog script below to set up rsyslog. Alternatively, you can Manually Configure Rsyslog or Syslog-ng.

curl -O https://www.loggly.com/install/configure-linux.sh
sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME

Replace:

  • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
  • USERNAME: your Loggly username, which is visible at the top right of the Loggly console

2. Set Up File Monitoring

Copy this into your terminal window and run it. It makes sure the working directory exists, sets the proper permissions if the system is Ubuntu, and then opens the file monitoring configuration file in an editor.

sudo mkdir -v /var/spool/rsyslog
if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
   sudo chown -R syslog:adm /var/spool/rsyslog
fi
sudo vim /etc/rsyslog.d/21-filemonitoring-loggly.conf

Copy in this additional configuration to add file monitoring, replacing the variables below.

If you are using rsyslog version 7.x or lower, paste this configuration:

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm

# Input for FILE1
$InputFileName /FILE1
$InputFileTag APPNAME1
# The state file name must be unique for each file being polled
$InputFileStateFile stat-APPNAME1
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor

# Add a tag for file events
$template LogglyFormatFile,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"file\"] %msg%\n"

# Send to Loggly then discard
if $programname == 'APPNAME1' then @@logs-01.loggly.com:514;LogglyFormatFile
if $programname == 'APPNAME1' then ~

If you are using rsyslog version 8.x or higher, paste this configuration:

module(load="imfile")

# Input for FILE1 (a wildcard is allowed at the file level only)
input(type="imfile" tag="APPNAME1" ruleset="filelog" file="/FILE1")

# Add a tag for file events
template(name="LogglyFormatFile" type="string" string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"file\"] %msg%\n")

# Send to Loggly then discard
ruleset(name="filelog"){
    action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormatFile") stop
}

Replace:

  • FILE1: the name of the file you’d like to monitor, or multiple files using a wildcard (*). For example, /home/ubuntu/myapp/logs/*
  • APPNAME1: an application name for the file
  • TOKEN: your customer token from the source setup page

NOTE: Wildcards are only supported on rsyslog 8.x or higher, and only at the file level, not at the directory level. If you have 7.x or lower, you have to use the cron job generated by the script.

Restart rsyslogd

$ sudo service rsyslog restart
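The two configuration variants above differ only in syntax; the constraints (a unique alias and state file per monitored file, no spaces in paths, wildcards only on 8.x) are the same. The following POSIX shell helper, added here as an example and not part of Loggly's own script, emits the right variant for a given rsyslog major version and refuses input that breaks those constraints. The function name, the FILE:APPNAME argument format and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Emit the Loggly imfile configuration for one or more monitored files,
# choosing legacy syntax (7.x or lower) or RainerScript (8.x or higher).
# Assumed usage (illustrative, not the Loggly script's CLI):
#   gen_filemon_conf TOKEN MAJOR /path/to/app.log:APPNAME [FILE:APPNAME ...]
# MAJOR is the rsyslog major version, e.g. from: rsyslogd -v | head -1
# Same template string as the page; \" and \n are rsyslog escapes.
LOGGLY_TEMPLATE='<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"file\"] %msg%\n'

gen_filemon_conf() {
  token=$1; major=$2; shift 2
  tmpl=$(printf '%s' "$LOGGLY_TEMPLATE" | sed "s/TOKEN@41058/${token}@41058/")
  seen=" "
  for spec in "$@"; do                       # validate every FILE:APPNAME first
    file=${spec%%:*}; app=${spec##*:}
    case "$file" in *" "*) echo "path with spaces: $file" >&2; return 1;; esac
    case "$file" in *\**) [ "$major" -ge 8 ] || { echo "wildcards need rsyslog 8.x: $file" >&2; return 1; };; esac
    case "$seen" in *" $app "*) echo "duplicate alias: $app" >&2; return 1;; esac
    seen="$seen$app "
  done
  if [ "$major" -ge 8 ]; then
    echo 'module(load="imfile")'
    for spec in "$@"; do
      printf 'input(type="imfile" tag="%s" ruleset="filelog" file="%s")\n' "${spec##*:}" "${spec%%:*}"
    done
    printf 'template(name="LogglyFormatFile" type="string" string="%s")\n' "$tmpl"
    echo 'ruleset(name="filelog"){'
    echo '  action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormatFile") stop'
    echo '}'
  else
    printf '$ModLoad imfile\n$InputFilePollInterval 10\n$PrivDropToGroup adm\n'
    for spec in "$@"; do                     # one input block per file; state file derived from the unique alias
      printf '$InputFileName %s\n$InputFileTag %s\n$InputFileStateFile stat-%s\n' "${spec%%:*}" "${spec##*:}" "${spec##*:}"
      printf '$InputFileSeverity info\n$InputFilePersistStateInterval 20000\n$InputRunFileMonitor\n'
    done
    printf '$template LogglyFormatFile,"%s"\n' "$tmpl"
    for spec in "$@"; do                     # forward to Loggly, then discard, per alias
      printf "if \$programname == '%s' then @@logs-01.loggly.com:514;LogglyFormatFile\nif \$programname == '%s' then ~\n" "${spec##*:}" "${spec##*:}"
    done
  fi
}
```

Redirect the output to /etc/rsyslog.d/21-filemonitoring-loggly.conf and restart rsyslog as above; a non-zero exit means one of the constraints was violated and nothing should be installed.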

3. Verify Events

Search Loggly for events with the file tag over the past hour. It may take a few minutes for events to be indexed. If it doesn’t work, see the troubleshooting section below.

tag:file

[Screenshot: Linux File Monitoring search example]

Advanced Log File Monitoring Options

  • Upload a single log file – to do a quick test by uploading a single file using curl
  • Windows File Monitoring – monitor a file on Windows systems
  • Linux File Monitoring – monitor a file on Linux systems
  • Script Source on GitHub – View the source or suggest improvements
  • Log Rotation – if you use log rotation, you must add commands to refresh the files
  • Scrub Sensitive Data – scrub private or secure data before it leaves your network
  • NOTE: For wildcards, the kernel must support inotify. If your kernel does not support inotify, you have to include $InputFilePollInterval 10 in the 8.x configuration.
  • Search or post your own Windows, Linux, or general log file monitoring questions in the community forum.

Log File Monitoring Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

Check File Monitoring Config:

    • Wait a few minutes in case indexing needs to catch up
    • Make sure you replaced your customer token in the configuration file
    • Check the log files to make sure they exist and you have the right path

Check Your Syslog Daemon:

Still Not Working?
