Re: New user - looking for information on parsing fields from Syslog message field
@nageeb try one of these. I'm honestly not sure why some of them work at the moment, but the deviceId works for me pretty much every time. And if your logs stop coming in, try that debug mode on the logging level for syslog. Anytime I've had logs stop (that wasn't from obvious user intervention) I was able to see the issue when I ran the debug command.
system.deviceId -> ##system.deviceId##
IP -> ##system.ips##
Hostname -> ##system.hostname##
Hostname without DNS -> ##system.sysname##

Re: New user - looking for information on parsing fields from Syslog message field
Ideally, if you are using the LogSource, you would not need to make any edits to your collector config, since all the settings, like resource mapping, are in the LogSource. It allows you to account for multiple types of logs from multiple resources, so I do think the answer about the type being part of the filter is "Yes". The LS that is type "syslog" would ignore a Windows event from the same device, but if you needed to map them two different ways, maybe by IP for one and FQDN for the other, you could, because that's what the LogSource is doing. It removes the need to change either your collector config or your resources. Resource mapping in the LogSource doesn't care what is in the collector config, so it's going to try to map off whatever property you tell it to.

Re: New user - looking for information on parsing fields from Syslog message field
I'm not a LogSource expert at the moment, but the HAProxy parsing was a situation that I recently tackled and am excited to share some knowledge around. So I'll take a crack at some of these concerns too. For me, I think of the LogSources almost like PropertySources for a log. They are there to pull the "metadata" of the logs, not to sort and alert on them like pipelines and alert conditions.
It's not a 1:1 translation by any means, and someone more versed in the LogSources might even cringe a little, but that's what works for me when thinking about them. So, just like PropertySources, the Applies To is relevant to the device, not the group (pipeline). So if all of my haproxy devices (all delightfully named haproxy01, 02, etc.) are eventually going to be sending logs with the same format to LM Logs, then my Applies To might look like system.displayname =~ "haproxy". Oversimplified, but you get where I'm going. When I build a LogSource, I'm trying to break it down into as many components as makes sense for me to work with later. And sometimes that means being overly obvious when I'm configuring fields/tags or filters. If I want the Facility, then I make a field with the Syslog Attribute method, set the Key as Facility and pick Facility out of the Value dropdown. If I want that to be something I filter on, then I set the filter. I do agree that there's a lot of room for improvement in both the function and the documentation, so keep sending feedback. That's how we make things change.

Re: New user - looking for information on parsing fields from Syslog message field
> This isn't enough. There should be more decoding happening with syslog given its maturity. Having priority as its own field is part of the way there, but there should be decoding ability to split it into facility and severity and map them to their well-known labels. Why isn't there a LogSource out of the box to decode syslog and extract the relevant fields? Even if it's just a template that I can copy and apply to certain sets of logs.

You aren't wrong. There should be LogSources available OOB that already have some of the basics configured so you can just clone and carry on with matching your specific use case. Since LogSources are still in Open Beta, I can't speak to if/when those would be available. In the meantime, we can still build our own.
And for Syslog, the basic Application, Facility, Severity attributes can be parsed without using special regex. All 3 are predefined parameters under the Fields/Tags section if you choose Syslog Attribute from the dropdown.

Re: New user - looking for information on parsing fields from Syslog message field
A LogSource can break out all of these fields using the Regex Dynamic Group method. You can create multiple fields in a single line/expression. https://www.logicmonitor.com/support/syslog-logsource-configuration#h-configuration-options
Before anything, make sure your collector is the right version to use LogSources and choose the "Enable LM Logs" option for the resource if the logs are being sent to a different collector than the one collecting regular monitoring metrics. Then build your regex. It would start something like ([a-zA-Z0-9_ ]*\d+:\d+:\d+) (\S+) (\S+) .+:?.+ and keep breaking down each section you need to parse into different groups. Some characters may need to be escaped to be accepted by the LogSource, but once you have it in, it works pretty well. It may take a few minutes to kick in, but you should start seeing them soon. Line up the keys that correspond to each group in your expression in a comma separated list, no spaces (log_time,server,socket, etc.). Make sure none of your fields are named something that could conflict with the standard format, like "timestamp" or "source", since that may break your ingestion. For troubleshooting, temporarily turn on your collector logging for syslog to debug (https://www.logicmonitor.com/support/collectors/collector-management/collector-logging), then go into your debug facility and try !tail ..\logs\wrapper.log 1000 to see any errors that may be associated with your logs. Make sure to turn off that debug level when you are done. Hope this helps!

Re: Ideas to maintain thresholds across thousands of devices and even more instances.
That sounds like an RBAC related quirk for sure.
I think your best course of action for that would be to submit feedback to the product team through your portal. I'm sure this is something that other MSPs have encountered as well, since most would have a similar customer folder structure.

Re: Ideas to maintain thresholds across thousands of devices and even more instances.
I understand. Typically, the deepest folder would control the threshold, since that threshold would be "closer" to the device. I think of the threshold inheritance a little like group policies, where the last one that is applied is the one that takes effect, so the closest to the device (or deeper in the resource tree) is the winner. However, if a threshold is set somewhere in the client's tree (Clients/ACMECO/Chicago/Firewalls) and a more 'global' threshold is set at a higher level group (Thresholds/Firewalls), then the one at the customer level will still win. If two groups that have thresholds configured are at the same level of the device hierarchy, then the group that was created first wins. This can be determined by lowest group ID. https://www.logicmonitor.com/support/alerts/about-alerts/tuning-alert-thresholds# When looking at a specific device, you should also be able to see what threshold is applied to a datapoint and from where/what group on the Alert Tuning tab. Is the goal to override anything set at deeper customer levels, or to make sure those deeper level thresholds are maintained?

Re: Ideas to maintain thresholds across thousands of devices and even more instances.
Hi Joe,
Setting a threshold at a group folder level would really be ideal. It eliminates the effect on other devices since you aren't setting it at the DataSource, and gives you more control to set different thresholds for different customers if you need to adjust it down the line. It also makes it easier to manage the thresholds at group levels than having to reach out and touch each device individually.
However, if the threshold is going to be set at the same value across all customers, then an additional dynamic group that covers all devices would be ideal. You would end up with a single place/group to manage threshold changes. LM users will often build out a separate group structure that is specifically to manage something like credentials or thresholds, so future management/manipulation is limited to that one tree, and therefore is less likely to conflict with another property value set somewhere else in the resource hierarchy. For your situation, you may have a top level group that is "Thresholds" and dynamic groups underneath for different device types, like "Switches" or "Firewalls", and all threshold manipulation is done there, but all the other groups are still used for things like RBAC, dashboard organization, etc. Do you think a strategy like this would work for you and your team? If not, can you explain a little more about what kinds of thresholds you have deeper in your folder structure?

Re: Groovy IDE recommendations for DataSource/ConfigSource development?
This does sound like a great feature request! It would be awesome to dev within an IDE without having to copy and paste between windows. I also use VS Code since it helps me catch all my syntax errors and such, and then move it into the collector debug from there. I always do a final bit of testing directly in the LogicModule too, in case my output is not in quite the right format.

I think the developers at LM have a preferred IDE (IntelliJ), but it never made sense for me, not coming from a Java background. I use VS Code combined with the collector debug window. I run an interactive Groovy console through docker (`docker run --rm -it groovy`), which lets me test syntax and stuff. I would really love it if LM made an extension for VS Code that would let you run Groovy or PowerShell scripts on a chosen collector against a chosen object. That would really speed up my development.
As it is, I develop my code in VS Code, then copy and paste into a !groovy or !posh dialog in the collector debug. I have to choose the device every time. It's not great, but it works. I may go to Bard/ChatGPT to have it help me develop the VS Code extension, since all that stuff can be done through the API. There's also coretools floating around somewhere that allows you to run .groovy files from your command line. It uses your browser's cookies for authentication and uses the API to push !groovy tasks through the collector debug console. I really wish LM did more for developers.

Re: Introduce Yourself!
Hi everyone! I'm Jasmine and I am a Solutions Engineer with LogicMonitor's Professional Services Team! I'm a big foodie, so I love seeing all the conversations around food, though it is also making me hungry! Over the last couple of years, I picked up various craft related hobbies, currently teaching myself a few different fiber arts, and now that the warmer weather is returning to the southeast of the United States, my wife and I are trying our hand at a little bit of backyard gardening. We are watching the first harvest of our blueberries start to grow and hope to be putting a bunch of summer fruits and veggies out in the raised beds over the next couple of weeks.
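Two of the syslog replies above describe, in prose, what a LogSource does for you: one asks for the priority to be split into facility and severity with their well-known labels, and the Regex Dynamic Group reply explains mapping capture groups to a comma separated key list, with the caveat that field names like "timestamp" or "source" can collide with the standard format. The Python below is an added example written for this page to make both of those concrete; it is not the poster's code and not anything shipped by LogicMonitor. The regex, the key list, the reserved-name set and the sample log lines are all assumptions constructed for the example (the first sample is the RFC 3164 example message, the haproxy line is made up), so treat it as a model of the behaviour, not as the platform's implementation.

```python
import re
from typing import Callable, Dict, List, Optional

# RFC 5424 facility and severity labels; PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumption taken from the reply above: field names that can collide with the
# platform's standard log format. They are rejected before anything is mapped.
RESERVED_KEYS = {"timestamp", "source"}

# Hypothetical Regex Dynamic Group expression and key list for this example.
# Groups: log_time, server, app, optional pid, message.
DEFAULT_PATTERN = (
    r"^([A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$"
)
DEFAULT_KEYS = "log_time,server,app,pid,message"

# Constructed sample lines: the RFC 3164 example message, a made-up haproxy
# line, and a line without a <PRI> prefix to show the decode being optional.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[123]: 'su root' failed for lonvick on /dev/pts/8",
    "<134>Mar 15 10:02:11 haproxy01 haproxy[2311]: 10.0.0.5:51234 "
    "[15/Mar/2024:10:02:11.123] fe_http be_app/web01 0/0/1/12/13 200 512 "
    '- - ---- 4/4/0/0/0 0/0 "GET /health HTTP/1.1"',
    "Oct 11 22:14:16 mymachine sshd: Accepted publickey for ops from 10.0.0.9",
]

PRI_RX = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri: int) -> Dict[str, object]:
    """Split a syslog PRI into numeric facility/severity plus their labels."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = pri >> 3, pri & 7
    return {
        "facility": facility,
        "facility_label": FACILITIES[facility],
        "severity": severity,
        "severity_label": SEVERITIES[severity],
    }


def build_extractor(pattern: str, keys: str) -> Callable[[str], Optional[Dict[str, Optional[str]]]]:
    """Compile a regex and bind each capture group to a key from a comma list.

    Mirrors the Regex Dynamic Group setup from the reply: keys are comma
    separated with no spaces, one per capture group, and reserved names are
    refused up front instead of silently breaking ingestion later.
    """
    names = keys.split(",")
    if any(not k or " " in k for k in names):
        raise ValueError("keys must be a comma separated list with no spaces")
    clash = RESERVED_KEYS & set(names)
    if clash:
        raise ValueError(f"field names clash with the standard format: {sorted(clash)}")
    rx = re.compile(pattern)
    if rx.groups != len(names):
        raise ValueError(f"{rx.groups} capture groups but {len(names)} keys")

    def extract(message: str) -> Optional[Dict[str, Optional[str]]]:
        m = rx.search(message)
        # An unmatched optional group (e.g. no [pid]) comes back as None.
        return dict(zip(names, m.groups())) if m else None

    return extract


def parse_syslog_line(line: str, extract: Callable) -> Optional[Dict[str, object]]:
    """Decode an optional <PRI> prefix, then apply the regex extractor to the rest."""
    fields: Dict[str, object] = {}
    body = line
    m = PRI_RX.match(line)
    if m:
        fields.update(decode_pri(int(m.group(1))))
        body = m.group(2)
    extracted = extract(body)
    if extracted is None:
        return None  # line does not match the expression; nothing to map
    fields.update(extracted)
    return fields


def parse_samples() -> List[Optional[Dict[str, object]]]:
    """Run the constructed sample lines through the default extractor."""
    extract = build_extractor(DEFAULT_PATTERN, DEFAULT_KEYS)
    return [parse_syslog_line(line, extract) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for parsed in parse_samples():
        print(parsed)
```

The first sample decodes PRI 34 to facility auth and severity crit, the haproxy line decodes PRI 134 to local0/info, and the third line keeps only the regex fields because it carries no PRI. Swapping DEFAULT_KEYS for a list containing "timestamp" raises before any line is parsed, which is the failure mode the reply warns about.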