Shipping Custom Logs
Sematext Agent supports configuring log shipping through a YAML file, custom-logs.yml. This feature allows users to specify log file locations and custom parsing rules, which is useful for log files not discovered automatically or when custom log parsing rules are needed.
How it works¶
The Sematext Agent periodically checks the custom-logs.yml file. If valid log shipping rules are found, the agent starts collecting, parsing, and shipping logs from the specified files to the Sematext Cloud Logs App that matches the provided App token. You can configure multiple log files, multiple parsing rules, and multiple destination Logs Apps. To stop log shipping, remove the rule(s) from the file.
Requirements¶
Sematext Agent version 3.6.0 and newer.
How to start¶
Create a new Logs App in Sematext Cloud. If you have custom log files, create a Generic Logs App. For log files generated from one of our supported integrations, create a Logs App of the relevant type.
As soon as the Sematext Agent is installed, ignore the Discovery screen and keep a copy of the App token. To retrieve this token, navigate to the Ship Logs screen from the left Menu panel and select Custom Integrations.
The next step is to edit the custom-logs.yml file (see below) with your own log rules.
Once this is done, the logs will start shipping to your Logs App.
File location¶
Edit the custom-logs.yml file in the configuration directory of your Sematext Agent. For baremetal environments it's under the /opt/spm/properties/ directory.
File structure¶
myapp-logs: # log type
files: ["/path/to/myapp.log"] # log file paths
token: "your-sematext-logs-app-token" # Sematext Cloud Logs App token
isJSON: false # for JSON formatted files
regexPatterns: # regex patterns to parse logs
- '^(?P<timestamp>\d{4}-\d{2}-\d{2}[\s|T][\d+|:]+.\d+)\s(?P<message>[\s|\S]+)'
patternTypes: # data types for each regex pattern
timestamp: "string"
message: "string"
Configuration Details¶
Each section in the custom-logs.yml file defines a log shipping rule. There are also several variables to configure how the Sematext Agent collects and parses your log files. You can configure multiple log shipping rules in the file.
Log type¶
- Description: The type of your logs. You can define your own type or use a pre-defined type. The type name should be in lowercase kebab case, meaning it should use lowercase letters with words separated by dashes (e.g.,
myapp-logsormy-other-app-logs). - Required: Yes
- Example:
myapp-logswhich is a custom type,nginxwhich is pre-defined
The log type can be a custom type defined by the user or a pre-defined type that maps to one of Sematext's supported Logs Apps (e.g., nginx for Nginx Logs). All available types can be found below.
| Integration | Type |
|---|---|
| ActiveMQ | activemq |
| Apache | apache |
| Elasticsearch | elasticsearch |
| OpenSearch | opensearch |
| JVM apps | jvm |
| Linux daemons | linux-daemon |
| MySQL | mysql |
| Nginx | nginx |
| Postgres | postgresql |
| RabbitMQ | rabbitmq |
| Solr | solr |
| Varnish Cache | varnishcache |
files¶
- Description: Specifies the paths to the log files. You can use either block sequence format (e.g.,
files:followed by a list of paths each on a new line with a dash) or inline sequence format (e.g.,files: ["/path/to/file1", "/path/to/file2"]). Glob patterns are not supported. - Required: Yes
- Example:
or
token¶
- Description: The token for your Sematext Cloud Logs App.
- Required: Yes
- Example:
isJSON¶
- Description: Set to
trueif your log files are JSON formatted. Iftrue,regexPatternsandpatternTypesare not needed and if specified will be ignored. - Required: No
- Default:
false - Example:
regexPatterns¶
- Description: Defines the regex patterns to parse logs. If defined, pre-defined types won't be used. Regular expressions are wrapped with single quotes (r'...'). The value between the quotes uses the Rust regex syntax. To verify your regex patterns, you can use tools like Rustexp and Regex101.
- Required: No
- Example:
patternTypes¶
- Description: Defines the data types for each regex pattern parser group. Supported types include
string,int,floatandbool. - Required: No
- Example:
Example configurations¶
NGINX Logs¶
Using a pre-defined type for Nginx logs:
JSON Formatted Logs¶
For logs in JSON format:
a-json-logs-app:
files: ["/var/log/myapp/myapp.json", "/var/log/myapp/errors.json"]
isJSON: true
token: "af526914-15fe-481e-b06c-e7e07daf793c"
Custom Log Format¶
Let's say we have two log files named myapp.log and errors.log in the /var/log/myapp/ folder that contain log events like the ones below:
2024/07/16 12:07:16 [WARN] 6423#3847: User account deleted
2024/07/16 12:08:16 [INFO] 6423#5403: User updated profile
2024/07/16 12:09:16 [INFO] 6423#9266: User updated profile
2024/07/16 12:10:16 [INFO] 6423#7614: User role changed
Below is the log rule that needs to be added in custom-logs.yml file:
myapp-logs:
files:
- "/var/log/myapp/myapp.log"
- "/var/log/myapp/errors.log"
token: "0d63b278-4eae-40de-8862-db6b490634db"
regexPatterns:
- '^(?P<timestamp>\d{4}/\d{2}/\d{2}\s[\d|:]+)\s\[(?P<level>.+?)]\s(?P<pid>\d+)#(?P<tid>\d+):\s(?P<message>.*)'
patternTypes:
timestamp: "string"
level: "string"
pid: "int"
tid: "int"
message: "string"
Troubleshooting tips and known issues¶
- Support for Windows is coming soon
- Support for Kubernetes and containerized environments is coming soon