Linux Log File Monitoring

This guide will help you set up Loggly as your continuous log file monitoring tool. The script below configures both files and directories to send logs to Loggly. It watches each configured file for new lines appended to its end, and once you configure a directory it automatically sends newly added files within that directory to Loggly. It assumes you use rsyslog 1.19 or higher, TCP over port 514, and that you have sudo permissions. Note that plain TCP on port 514 is not encrypted, so anything written to a monitored file crosses the network in cleartext. For alternatives, please see the Advanced Options section.

Automatic Script

  1. Run the Configure File Monitoring Script

    Run our automatic configure-file-monitoring script below to continuously read the files and send the logs to Loggly through your syslog daemon. The script runs as root under sudo and edits your rsyslog configuration, so review it before running it. Alternatively, you can follow our manual configuration instructions below.

    curl -O https://www.loggly.com/install/configure-file-monitoring.sh
    sudo bash configure-file-monitoring.sh -a SUBDOMAIN -u USERNAME -f FILENAME -l ALIAS
    

    Replace:

    • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
    • USERNAME: your Loggly username, which is visible at the top right of the Loggly console
    • FILENAME: the file or directory you want to monitor, can contain wildcards but cannot contain spaces
    • ALIAS: an easy to recognize name for the syslog.appName field. Must be unique for each file.

    sudo will prompt for your password so the script can update your rsyslog configuration. The script then prompts for your Loggly password.

  2. Verify Events

    Search Loggly for events with the file tag over the past hour. It may take a few minutes to index the event. If it doesn’t work, see the troubleshooting section below.

    tag:file


Manual Configuration

If you prefer, you can configure rsyslog directly. Manual configuration monitors individual files; monitoring a whole directory requires the script above.

  1. Configure Syslog Daemon

    If you haven’t already, run our automatic Configure-Syslog script below to set up rsyslog. Alternatively, you can Manually Configure Rsyslog or Syslog-ng.

    curl -O https://www.loggly.com/install/configure-linux.sh
    sudo bash configure-linux.sh -a SUBDOMAIN -u USERNAME
    

    Replace:

    • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
    • USERNAME: your Loggly username, which is visible at the top right of the Loggly console

  2. Set Up File Monitoring

    Copy this into your terminal window and run it. It creates the rsyslog working directory if it does not already exist, on Ubuntu hands it to syslog:adm so the unprivileged rsyslog process can write its state files there, and then opens a new file monitoring configuration file in vim.

    # -p: succeed even if the working directory already exists
    sudo mkdir -pv /var/spool/rsyslog
    if [ "$(lsb_release -ds | grep Ubuntu)" != "" ]; then
       # Ubuntu runs rsyslog as the syslog user; let it write state files here
       sudo chown -R syslog:adm /var/spool/rsyslog
    fi
    sudo vim /etc/rsyslog.d/21-filemonitoring-loggly.conf
    

    Copy in this additional configuration to add file monitoring, replacing the variables below.

    If you are using rsyslog version 6.x or lower, paste this configuration:

    $ModLoad imfile
    $InputFilePollInterval 10
    $PrivDropToGroup adm
    $WorkDirectory /var/spool/rsyslog
    
    # Input for FILE1
    $InputFileName /FILE1
    $InputFileTag APPNAME1
    # The state file name must be unique for each file being polled
    $InputFileStateFile stat-APPNAME1
    $InputFileSeverity info
    $InputFilePersistStateInterval 20000
    $InputRunFileMonitor
    
    # Add a tag for file events
    $template LogglyFormatFile,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"file\"] %msg%\n"
    
    # Send to Loggly then discard
    if $programname == 'APPNAME1' then @@logs-01.loggly.com:514;LogglyFormatFile
    if $programname == 'APPNAME1' then ~
    

    If you are using rsyslog version 7.x or higher, paste this configuration:

    $ModLoad imfile
    $InputFilePollInterval 10
    $PrivDropToGroup adm
    $WorkDirectory /var/spool/rsyslog
    
    # Input for FILE1
    $InputFileName /FILE1
    $InputFileTag APPNAME1
    # The state file name must be unique for each file being polled
    $InputFileStateFile stat-APPNAME1
    $InputFileSeverity info
    $InputFilePersistStateInterval 20000
    $InputRunFileMonitor
    
    # Add a tag for file events. The leading <%pri%> is the RFC 5424 priority
    # header, as in the 6.x template above; without it the message is not valid syslog.
    template(name="LogglyFormatFile" type="string"
    string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"file\"] %msg%\n")
    
    # Send to Loggly then discard (stop replaces the deprecated ~ in 7.x syntax)
    if $programname == 'APPNAME1' then {
        action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormatFile")
        stop
    }
    

    Replace:

    • FILE1: the name of the file you’d like to monitor
    • APPNAME1: an application name for the file
    • TOKEN: your customer token from the source setup page

    Restart rsyslogd

    sudo service rsyslog restart

  3. Verify Events

    Search Loggly for events with the file tag over the past hour. It may take a few minutes for events to be indexed. If it doesn’t work, see the troubleshooting section below.

    tag:file

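The manual steps above cover one file and require a unique alias and state file per input. The shell script below is an added example, not Loggly's configure-file-monitoring.sh or any code from the original page: it generates a single configuration in the layout of the 7.x example above for several files at once, refusing paths with spaces, relative paths and reused aliases (a reused alias means two inputs writing the same state file), and prints the result so you can write it to /etc/rsyslog.d/21-filemonitoring-loggly.conf. The function name gen_loggly_filemon_conf and the /path/to/file:APPNAME argument form are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Loggly's configure-file-monitoring.sh: emit one rsyslog
# 7.x+ configuration that monitors several files, in the same layout as the
# 7.x example on this page. Assumes the endpoint logs-01.loggly.com:514 and
# the [TOKEN@41058 tag="file"] structured-data element shown above.

# gen_loggly_filemon_conf TOKEN /path/to/file:APPNAME [/path/to/file:APPNAME ...]
# Prints the configuration to stdout; on bad input prints an error and returns 1
# without emitting anything, so a half-written config never reaches rsyslog.
gen_loggly_filemon_conf() {
    if [ "$#" -lt 2 ] || [ -z "$1" ]; then
        echo "usage: gen_loggly_filemon_conf TOKEN /path/to/file:APPNAME [...]" >&2; return 1
    fi
    local token="$1"; shift
    local spec file app seen=""

    # Pass 1: validate every pair before printing anything.
    for spec in "$@"; do
        file="${spec%:*}"; app="${spec##*:}"
        case "$spec" in *' '*)
            echo "error: '$spec' contains a space (file names cannot contain spaces)" >&2; return 1;;
        esac
        if [ "$file" = "$spec" ] || [ -z "$app" ]; then
            echo "error: '$spec' is not of the form /path/to/file:APPNAME" >&2; return 1
        fi
        case "$file" in /*) ;; *)
            echo "error: '$file' must be an absolute path" >&2; return 1;;
        esac
        # The alias becomes the syslog tag, the state file name and the
        # programname matched below, so restrict it to a safe character set.
        printf '%s' "$app" | grep -Eq '^[A-Za-z0-9_.-]+$' \
            || { echo "error: alias '$app' must match [A-Za-z0-9_.-]+" >&2; return 1; }
        # One state file per input: two inputs sharing stat-$app would
        # overwrite each other's saved read offset.
        case " $seen " in *" $app "*)
            echo "error: alias '$app' is used for more than one file" >&2; return 1;;
        esac
        seen="$seen $app"
    done

    # Pass 2: emit the configuration.
    printf '# Generated by gen_loggly_filemon_conf for %s file(s)\n' "$#"
    printf '$ModLoad imfile\n$InputFilePollInterval 10\n$PrivDropToGroup adm\n$WorkDirectory /var/spool/rsyslog\n\n'
    for spec in "$@"; do
        file="${spec%:*}"; app="${spec##*:}"
        printf '# Input for %s\n' "$file"
        printf '$InputFileName %s\n$InputFileTag %s\n$InputFileStateFile stat-%s\n' "$file" "$app" "$app"
        printf '$InputFileSeverity info\n$InputFilePersistStateInterval 20000\n$InputRunFileMonitor\n\n'
    done
    cat <<EOF
# Add the customer token and a "file" tag to every event
template(name="LogglyFormatFile" type="string"
  string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [${token}@41058 tag=\"file\"] %msg%\n")

# Forward each monitored file's events to Loggly, then stop processing them
EOF
    for spec in "$@"; do
        app="${spec##*:}"
        printf "if \$programname == '%s' then {\n" "$app"
        printf '    action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="514" template="LogglyFormatFile")\n'
        printf '    stop\n}\n'
    done
}

# Usage (not run here): write the config, check its syntax, then restart rsyslog.
#   gen_loggly_filemon_conf TOKEN /var/log/nginx/access.log:nginx-access \
#     | sudo tee /etc/rsyslog.d/21-filemonitoring-loggly.conf >/dev/null
#   sudo rsyslogd -N1 && sudo service rsyslog restart
```

`rsyslogd -N1` only parses the configuration and reports errors, so run it before the restart; a syntax error would otherwise stop all syslog forwarding, not just the new inputs. After restarting, append a line to one of the monitored files and search Loggly for tag:file as in the verification step.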

Advanced Log File Monitoring Options

Log File Monitoring Troubleshooting

If you don’t see any data show up in the verification step, then check for these common problems.

Check File Monitoring Config:

    • Wait a few minutes in case indexing needs to catch up
    • Make sure you replaced the TOKEN placeholder in the configuration file with your customer token
    • Check that the log files exist and that the paths in the configuration are correct
    • Make sure the file is readable by rsyslog after it drops privileges (on Ubuntu it runs as the syslog user, typically reading via the adm group)
    • Make sure each monitored file has its own application name and state file name

Check Your Syslog Daemon:
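As an added diagnostic for the checklist above (example code, not part of the Loggly page), the following shell functions read the configuration file written in the manual steps and report the mistakes that list names: a missing or unreadable monitored file, a missing work directory, a TOKEN placeholder left in the template, and two inputs sharing a state file. They assume the legacy `$InputFileName` / `$InputFileStateFile` / `$WorkDirectory` directive layout shown on this page and paths without spaces; the names conf_values, check_filemon_conf and check_loggly_tcp are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not Loggly's code): offline checks for a file-monitoring
# config written in the layout of this page. Assumes legacy $InputFileName /
# $InputFileStateFile / $WorkDirectory directives and paths without spaces.

# conf_values CONF DIRECTIVE: print the value of every "$DIRECTIVE value" line,
# dropping any trailing comment (only the second whitespace-separated field).
conf_values() {
    grep -E "^[[:space:]]*[\$]$2[[:space:]]+" "$1" | awk '{print $2}'
}

# check_filemon_conf CONF: print one FAIL line per problem; return 1 if any.
check_filemon_conf() {
    local conf="$1" rc=0 workdir f dups
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # imfile keeps its read offsets in $WorkDirectory; it must exist.
    workdir="$(conf_values "$conf" WorkDirectory)"
    if [ -z "$workdir" ]; then
        echo "FAIL: no \$WorkDirectory set, so imfile has nowhere to keep state files"; rc=1
    elif [ ! -d "$workdir" ]; then
        echo "FAIL: work directory $workdir does not exist (create it as in step 2)"; rc=1
    fi

    # Each monitored file must exist and be readable; a wrong path is the
    # most common mistake in the list above.
    if ! conf_values "$conf" InputFileName | grep -q .; then
        echo "FAIL: no \$InputFileName directive found"; rc=1
    fi
    for f in $(conf_values "$conf" InputFileName); do
        if [ ! -e "$f" ]; then
            echo "FAIL: monitored file $f does not exist (check the path)"; rc=1
        elif [ ! -r "$f" ]; then
            echo "FAIL: monitored file $f is not readable by $(id -un)"; rc=1
        fi
    done

    # Two inputs sharing a state file overwrite each other's saved offset.
    dups="$(conf_values "$conf" InputFileStateFile | sort | uniq -d)"
    if [ -n "$dups" ]; then
        echo "FAIL: state file name(s) used by more than one input: $dups"; rc=1
    fi

    # The template must carry your customer token, not the TOKEN placeholder.
    if grep -q 'TOKEN@41058' "$conf"; then
        echo "FAIL: TOKEN placeholder is still in the template; paste your customer token"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $conf passed all checks"; fi
    return "$rc"
}

# check_loggly_tcp [host] [port]: can this host open the TCP session rsyslog
# needs? Uses bash's /dev/tcp so it works without netcat; needs network access.
check_loggly_tcp() {
    local host="${1:-logs-01.loggly.com}" port="${2:-514}"
    if timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "OK: TCP connection to $host:$port succeeded"
    else
        echo "FAIL: cannot open TCP $host:$port (DNS, firewall or egress filtering?)"; return 1
    fi
}

# Usage (not run here):
#   check_filemon_conf /etc/rsyslog.d/21-filemonitoring-loggly.conf && check_loggly_tcp
```

Run check_filemon_conf as root (or as the user rsyslog drops to) so the readability check reflects what the daemon actually sees. If both checks pass and events still do not appear, the remaining suspects are the daemon itself: confirm it restarted cleanly after the configuration change and that the service is running.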

Still Not Working?


