Log Ingestion
Overview
To explore your logs, you need to configure a logging source to send the logs to Motadata ObserveOps. The following types of logs can be ingested into Motadata from your infrastructure, some of them directly and some of them through an agent.
- Application Logs
- Server Logs
- Network Logs
Application Logs
A variety of applications are used across infrastructure around the world, and these applications generate a large volume of log data that can be analyzed to figure out why a particular issue occurred in an application.
Example of Sending Application Logs to ObserveOps
Let us take an example to understand how to send Apache logs to Motadata ObserveOps.
Install agent on the Apache server.
Go to Settings. Select Monitor Settings. After that, select Agent Monitor Settings.

Select View Details against the agent for which you want to ingest the logs. Click on the Log tab to start the log configuration.
Enter the log configuration details as follows:
| Field | Description |
|---|---|
| Log Agent Status | Toggle this button ON/OFF to start/stop the log ingestion for this agent. |
| Log Directory | Enter the exact path where the log file is located on the server. In this case, for Apache logs on the Linux server, the path is entered as '/var/log/apache2/'. This is the path where the Apache logs are located on the server. |
| Log Include | Mention the file name or the extension of the file in this field to make sure that only the logs from that particular file present at the path mentioned in Log Directory above are ingested in the system. For example, if you want to ingest logs from a file 'access.log' you can do that by mentioning the file name in this field as 'access.log'. You can ingest logs from all the log files with the extension '.log' by specifying '*.log' in this field. |
| Multiline Log | Use this toggle button to specify that the logs you are ingesting are multiline logs. |
| File Pattern | This field is available only if you switch the Multiline Log toggle button ON. Specify the file from which you want to ingest the log data. |
| Log Pattern | This field is available only if you switch the Multiline Log toggle button ON. Specify the log pattern of the multiline logs that you want to ingest from the file that you have specified in the previous field. Enter the regex that identifies the pattern used to differentiate two lines of logs in multiline logs. |

We just looked into how you can ingest Apache logs into Motadata ObserveOps by just pointing ObserveOps towards the log file by providing the directory and log file details in the log configuration in the agent. Similarly, you can also do the same for other application logs such as IIS, NGINX, and many more.
Example of Ingesting Multiline Logs in Motadata ObserveOps
Ingesting multiline logs in Motadata ObserveOps requires identifying the start of each new log entry within the multiline logs. This is achieved using a specific log pattern that can be defined using regular expressions (regex). Let's take an example of multiline IBM MQ logs to illustrate this process.
IBM MQ Multiline Logs Example
Consider IBM MQ logs where each new log entry starts with a line similar to:
04/09/24 09:46:51 - Process(9241016.5111) User(mqm) Program(amqrmppa)
In these logs, each new entry begins with a timestamp followed by the word "Process". This pattern can be utilized to indicate the beginning of a new log entry.
Defining the Log Pattern
To help ObserveOps correctly ingest and parse these multiline logs, we need to define a regex pattern that matches the start of each new log entry. For our example, the regex would look like this:
\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+-\s+Process
This regex pattern matches:
- A date in the format MM/DD/YY (e.g., 04/09/24)
- A time in the format HH:MM:SS (e.g., 09:46:51)
- The literal string " - Process"
Configuring the Log Pattern in Motadata ObserveOps
In the Log Pattern field, enter the regex pattern: \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+-\s+Process.
By configuring the log pattern with this regex, Motadata ObserveOps will be able to recognize the start of each new log entry in the multiline IBM MQ logs. This allows ObserveOps to accurately ingest and parse the logs, ensuring that the log entries are correctly identified and processed.
This approach can be applied to other types of multiline logs by defining an appropriate regex pattern that matches the unique start of each log entry for those logs.
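The effect of this pattern on a multiline file can be checked offline before it is entered in the Log Pattern field. The following is an added example, not Motadata code: `split_entries` is a hypothetical helper, the sample log is constructed, and testing the pattern at the start of each line is an assumption, since the page does not state how ObserveOps applies it. The `anchored=False` mode shows the failure case where a continuation line that quotes an earlier header is split into a separate entry.

```python
import re

# Start-of-entry pattern exactly as given on the page.
ENTRY_START = re.compile(r"\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+-\s+Process")

# Constructed sample in the shape of the IBM MQ line shown above (not real log data).
SAMPLE = """\
04/09/24 09:46:51 - Process(9241016.5111) User(mqm) Program(amqrmppa)
                    Host(mqhost01) QMgr(QM1)
Constructed message text: channel 'APP.SVRCONN' ended.
EXPLANATION: constructed detail line.
04/09/24 09:47:03 - Process(9241016.5112) User(mqm) Program(amqrmppa)
Constructed message text: retry scheduled.
ACTION: compare with the entry at 04/09/24 09:46:51 - Process(9241016.5111).
"""


def split_entries(text, pattern=ENTRY_START, anchored=True):
    """Group lines into entries; a line matching the pattern opens a new entry.

    anchored=True tests the pattern at the start of the line (assumption).
    anchored=False tests it anywhere in the line, which can split an entry
    when a continuation line quotes an earlier header.
    """
    entries, current = [], []
    for line in text.splitlines():
        starts = pattern.match(line) if anchored else pattern.search(line)
        if starts and current:
            # Close the entry collected so far before opening the next one.
            entries.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        entries.append("\n".join(current))
    return entries


if __name__ == "__main__":
    for mode in (True, False):
        entries = split_entries(SAMPLE, anchored=mode)
        print(f"anchored={mode}: {len(entries)} entries")
```

If the two modes disagree on your own sample file, the log contains continuation lines that resemble a header, and the pattern needs a more specific start condition.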
Server Logs
There are multiple servers in infrastructure setups used by IT teams to provide users access to a variety of services and applications. These servers in turn are accessed by a range of users who use them for a variety of purposes.
For example, a web server might contain a log of page requests that users might have made. Apart from that, there might be multiple requests including access logs and error logs. You might even want to analyse the Syslog from Linux servers.
All of these server logs can be ingested by ObserveOps. We will now take examples of Linux Syslog and Windows Event Logs to see how we can send the server logs to ObserveOps.
Example of Sending Linux Server logs to ObserveOps
Let us take an example to understand how to send Syslog from Linux Server to Motadata ObserveOps.
Log in to the Linux Server for which you want to send the Syslog to ObserveOps.
Take the root access using the below command.
$ sudo su
Open the rsyslog.conf file which is typically located in '/etc'.
Look for the following text in the file:
$IncludeConfig /etc/rsyslog.d/*.conf
This text is typically located at the end of the file.
Now we need to provide the ObserveOps server details to send the Syslog to the ObserveOps server. In order to do that we need to enter the Motadata server IP below the text located in the step above so now the text looks as follows:
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @ServerIP:PortNumber
where 'ServerIP' is the IP address of the Motadata ObserveOps server and 'PortNumber' is the log forwarding port number on the Linux server.
Note: Write @ServerIP to send UDP logs.
Note: Write @@ServerIP to send TCP logs.
Now, restart the rsyslog service to start sending the Syslog to Motadata ObserveOps.
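The forwarding rule added in the steps above can be checked before the restart with a small audit of the rsyslog.conf text. This is an added example, not part of the Motadata documentation: `find_forwarding_rules` is a hypothetical helper, the sample configuration and its 192.0.2.x addresses are constructed, and only simple `selector @host:port` lines in rsyslog's legacy syntax are recognised.

```python
import re

# "<selector> @host[:port]" forwards over UDP, "@@host[:port]" over TCP.
# Optional "(...)" action options and a bracketed IPv6 host are tolerated.
FORWARD_RE = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<at>@@?)(?:\([^)]*\))?"
    r"(?P<host>\[[^\]]+\]|[^:\s@]+)(?::(?P<port>\S+))?\s*$"
)

# Constructed sample, not a real host's configuration.
SAMPLE_CONF = """\
# local rules
auth,authpriv.*   /var/log/auth.log
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @192.0.2.10:514
#*.* @@192.0.2.99:6514
authpriv.* @@192.0.2.10:6514
*.* @ServerIP:PortNumber
"""


def find_forwarding_rules(conf_text):
    """Return one dict per active forwarding rule, with any problems found."""
    rules = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out rules are not active
        m = FORWARD_RE.match(line)
        if not m:
            continue  # file actions, directives and blank lines
        port = m.group("port") or "514"  # rsyslog uses 514 when no port is given
        problems = []
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("port is not a number in 1-65535")
        if m.group("host") == "ServerIP":
            problems.append("placeholder host was not replaced")
        rules.append({
            "line": lineno,
            "selector": m.group("selector"),
            "transport": "tcp" if m.group("at") == "@@" else "udp",
            "host": m.group("host"),
            "port": port,
            "problems": problems,
        })
    return rules


if __name__ == "__main__":
    for rule in find_forwarding_rules(SAMPLE_CONF):
        print(rule)
```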
Example of Sending Windows Server logs to ObserveOps
Now, let us see how we can send the Windows event logs to ObserveOps.
Install agent on the Windows server.
Go to Settings. Select Monitor Settings. After that, select Agent Monitor Settings.

Select View Details against the agent for which you want to ingest the logs. Click on the Log tab to start the log configuration.
Enter the log configuration details for Windows event logs as follows:
| Field | Description |
|---|---|
| Name | Specify the type of Windows event log that you want to send to ObserveOps i.e., Application, Security, or System. |
| Levels | Specify the event level of the Windows event log from the dropdown that you want to send to ObserveOps i.e., Trace, Critical, Error, Warning, Informational, or Verbose. |
| Events | Specify the Event ID of the Windows event log that you want to send to ObserveOps. |
If you do not specify an event level, then logs of ALL the event levels from the type of log selected will be sent to ObserveOps. Similarly, if you do not specify any Event ID, then ALL the logs from the selected log type and the selected event level will be sent to ObserveOps. For example, if you specify the Name as Application and Levels as Critical, then ALL the critical application logs will be sent to ObserveOps.

We just looked into how you can ingest Windows event logs into Motadata ObserveOps. Now, let us look into how you can send network logs to ObserveOps.
Network Logs
Just like other types of logs, network logs are a valuable source of information for maintaining the performance and security of your IT infrastructure. In Motadata ObserveOps, ingesting network logs follows the same process as sending syslog data.
By utilizing the same method employed for sending syslog, you can seamlessly incorporate network logs into Motadata ObserveOps for comprehensive monitoring and analysis. This approach ensures consistency and ease of use when dealing with different types of log sources.
Let's explore how to ingest network logs into Motadata ObserveOps using the established method.