Skip to content

Logagent Command-line Parameters

# Parse all logs and stream them to Sematext Logs 1-Click managed Elasticsearch 
$ logagent -i LOGSENE_TOKEN /var/log/*.log 

# stream logs to local Elasticsearch
$ logagent -e https://localhost:9200 -i myindex /var/log/*.log 

# Act as Syslog server on UDP and forward messages to Sematext Logs
$ logagent -u 514 -i LOGSENE_TOKEN  

# Act as Syslog server on UDP and write YAML formatted messages to console
$ logagent -u 514 -y  

Use a glob pattern to build the file list

$ logagent -i LOGSENE_TOKEN -g '/var/log/**/*.log'
# pass multiple glob patterns
$ logagent -i LOGSENE_TOKEN -g '{/var/log/*.log,/opt/myapp/*.log}'

Watch selective log output on console by passing logs via stdin and format in YAML

$ tail -f /var/log/access.log | logagent -y -n httpd
$ tail -f /var/log/system.log | logagent -f my_own_patterns.yml  -y 

Command Line Parameters

$ logagent [options] [file list]

Options Description
Generate config files
-w, --writeConfig <file> write example config to a file. The arguments -i, -e, -g are applied in the generated config. See also -c
--writePatterns <file> write example patterns.yml to a file. See also -f
General options
-h, --help output Logagent help
-V, --version output Logagent version
-v, --verbose verbose debug output for all plugins
-c, --config <configFile> path to Logagent config file (see below)
--geoipEnabled <value> true/false to enable/disable geo IP lookups in patterns.
--geoipField <value> string name of the field to do geo IP lookup.
--diskBufferDir path directory to store status and buffered logs (during network outage)
--includeOriginalLine includes the original message in parsed logs
-f, --file <patternFile> file with pattern definitions, use multiple -f options for multiple files
--skipDefaultPatterns skips loading of default patterns.yml file
-s, --suppress silent, print no logs to stdout; print only stats on exit
--printStats print processing stats in the given interval in seconds, e.g. --printStats 30 to stderr. Useful with -s to see Logagent activity on the console without printing the parsed logs to stdout.
Log input options
--stdin read from stdin, default if no other input like files or UDP are set
list of files Every argument after the options list is interpreted as a file name. All files in the file list (e.g. /var/log/*.log) are watched by tail-forever starting at end of file
-g glob-pattern use a glob pattern to watch log files e.g. -g "{/var/log/*.log,/Users/stefan/myapp/*.log}". The complete glob expression must be quoted to avoid interpretation of special characters by the Linux shell.
--tailStartPosition bytes -1 to tail from end of file, >=0 to start from the given position (in bytes). This setting applies to new files without their read position saved (see --diskBufferDir)
-n name name for the log source only when stdin is used, important to make multi-line patterns working on stdin because the status is tracked by the log source name
-u <port> starts a syslogd UDP listener on the given port to act as syslogd
--journald <port> starts http server to receive logs from systemd-journal-upload.service
--docker <docker-socket> collect docker logs e.g. --docker /var/run/docker.sock
--dockerEvents collects Docker events from /var/run/docker.sock
--k8sEvents collects Kubernetes events from Kubernetes API. Detects automatically kubectl or in-cluster config for API access
--k8sContainerd enable Kubernetes containerd input-filter plugin to parse containerd logs from /var/log/pods
--heroku <port> listens for Heroku logs (http drain / framed syslog over http)
--cfhttp <port> listens for Cloud Foundry logs (syslog over http)
Output options
standard output stream (default) combine Logagent with any Unix tool via pipes
-y, --yaml prints parsed messages in YAML format to stdout
-p, --pretty prints parsed messages in pretty JSON format to stdout
-j, --ldjson print parsed messages in line-delimited JSON format to stdout
Elasticsearch or Sematext Cloud Log storage
-e, --elasticsearchUrl <url> Elasticsearch URL e.g. https://localhost:9200, default htpps://
-i, --index <index> Logs App token to ship data to Sematext Cloud Apps or Elasticsearch index (see --elasticsearchUrl)
--httpProxy <url> HTTP proxy url
--httpsProxy <url> HTTPS proxy url

The default output is line-delimited JSON for parsed log lines, as long as no format options like '-y' (YAML format), '-p' (pretty JSON), or '-s' (silent, no output to console) are specified.

Environment variables

Variable Description
LOGS_TMP_DIR Directory to store failed bulk requests for later retransmission.
LOG_INTERVAL Time to batch logs before a bulk request is done. Default is 10000 ms (10 seconds)
LOGS_BULK_SIZE Maximum size of a bulk request. Default is 1000.
LOGS_RECEIVER_URL URL for the Logsene receiver. For a local Elasticsearch server or for Sematext Enterprise version of Logsene. Defaults to Sematext Logsene SaaS receiver Example for Elasticsearch: LOGSENE_URL=https://localhost:9200/_bulk
HTTPS_PROXY Proxy URL for HTTPS endpoints, like Logsene receiver. export HTTPS_PROXY=https://my-proxy.example
HTTP_PROXY Proxy URL for HTTP endpoints (e.g. On-Premises or local Elasticsearch). export HTTP_PROXY=https://my-proxy.example
LOGAGENT_CONFIG Filename to read Logagent CLI parameters from a file, defaults to `/etc/sematext/logagent.conf
PATTERN_MATCHING_ENABLED Default is 'true'. The value 'false' disables parsing of logs.
SCAN_ALL_PATTERNS Default is 'false'. For performance reasons, patterns are matched by source name. Setting the value to 'true' enables pattern search regardless of source name
MAX_CLIENT_SOCKETS Default is 1. By default Logagent uses only one socket to ship logs. Letting Logagent use multiple sockets helps reduce the memory footprint in deployments with a really high volume of logs. Try setting the MAX_CLIENT_SOCKETS environmental variable to a higher value (e.g. 3, 5, or 10).