Configure the Logfile LAM

The Logfile LAM allows you to parse data in log files and send it to Moogsoft Onprem as events.

There is no UI integration for the Logfile LAM. Follow these instructions to configure the LAM.

Before You Begin

Before you configure the Logfile LAM, ensure you have met the following requirements:

  • You know the location of the log files you want to parse.

  • You know the format of the log file names.

  • The log files are accessible from Moogsoft Onprem.

If you are configuring the Logfile LAM for high availability, refer to High Availability Overview first. You will need the details of the server configuration you are going to use for HA.

Configure the LAM

Edit the configuration file to control the behavior of the Logfile LAM. You can find the file at $MOOGSOFT_HOME/config/logfile_lam.conf

See the Logfile LAM Reference and LAM and Integration Reference for a full description of all properties. Some properties in the file are commented out by default. Uncomment properties to enable them.

  1. Configure the location and format of the target log file name:

    • target: Path and file name of the target log file.

    • date_format: Format of the date if present in the target log file name.

  2. Configure the log file processing:

    • load_at_start: Whether the LAM processes the contents of the target file at startup then waits for additional data to be written to the file.

    • exit_after_initial_load: Whether the LAM processes the contents of the target file and then exits.

  3. Configure the LAM behavior:

    • event_ack_mode: When Moogfarmd acknowledges events from the Logfile LAM during the event processing pipeline.

    • num_threads: Number of worker threads to use when processing events.

  4. Optionally configure the LAM identification and capture logging details:

    • name: Maps to $Laminstancename, so that the agent field indicates events Moogsoft Onprem ingests from this LAM.

    • capture_log: Name and location of the LAM's capture log file, which it writes to for debugging purposes.

  5. Optionally configure severity conversion. See Severity Reference for further information and "Conversion Rules" in Tokenize Source Event Data for details on conversions in general.

  6. Optionally configure the process logging details:

    • configuration_file: Name and location of the LAM's process log configuration file. See Configure Logging for more information.

Example

The following example demonstrates a Logfile LAM configuration.

monitor:
{
    target                   : "/var/log/system-07-27-2018.log",
    date_format              : "MM-dd-yyyy",
    load_at_start            : true,
    exit_after_initial_load  : false,
    event_ack_mode           : "queued_for_processing",
    num_threads              : 5
},
agent:
{
    name                     : "Logfile"
},
log_config:
{
    configuration_file       : "$MOOGSOFT_HOME/config/logging/logfile_lam_log.json"
},
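
A pre-flight check for the target and date_format values above, written as an added example that is not part of the Moogsoft documentation or product. It confirms that the date in the target file name parses under date_format and that the file is readable, so a mismatch is caught before the LAM silently ingests nothing. It assumes date_format uses Java SimpleDateFormat-style letters; the function names are hypothetical.

```python
import os
import re
from datetime import datetime

# ASSUMPTION: date_format uses Java SimpleDateFormat-style letters, as the
# example value "MM-dd-yyyy" suggests. Only this numeric subset is handled.
TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}
TOKEN_RE = re.compile("|".join(sorted(TOKENS, key=len, reverse=True)))

def compile_date_format(date_format):
    """Translate date_format into (compiled regex, strptime format)."""
    regex, fmt, pos = "", "", 0
    for m in TOKEN_RE.finditer(date_format):
        literal = date_format[pos:m.start()]
        regex += re.escape(literal) + r"\d{%d}" % len(m.group())
        fmt += literal.replace("%", "%%") + TOKENS[m.group()]
        pos = m.end()
    tail = date_format[pos:]
    return re.compile(regex + re.escape(tail)), fmt + tail.replace("%", "%%")

def date_in_target(target, date_format):
    """Return the date embedded in the target file name, or None."""
    regex, fmt = compile_date_format(date_format)
    m = regex.search(os.path.basename(target))
    if not m:
        return None
    try:
        return datetime.strptime(m.group(), fmt).date()
    except ValueError:  # right shape but not a real date, e.g. month 13
        return None

def preflight(target, date_format=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if date_format and date_in_target(target, date_format) is None:
        problems.append("date_format %r matches no valid date in %r"
                        % (date_format, os.path.basename(target)))
    if not os.path.isfile(target):
        problems.append("target %r is missing or not a regular file" % target)
    elif not os.access(target, os.R_OK):
        problems.append("target %r is not readable by this account" % target)
    return problems

if __name__ == "__main__":
    # Values taken from the example configuration above.
    for problem in preflight("/var/log/system-07-27-2018.log", "MM-dd-yyyy"):
        print("FAIL:", problem)
```

Run it as the account that runs the LAM service so the readability result reflects the permissions the LAM will actually have.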

Configure for High Availability

Configure the Logfile LAM for high availability if required. See High Availability Overview for details.

Configure Parsing and Mapping

You configure parsing to break the log file up into tokens that Moogsoft Onprem uses to assemble events. You can also map parsed parameters to alert fields.

See Tokenize Source Event Data for further information and examples.

Configure the LAMbot

The Logfile LAMbot processes and filters events before sending them to the Message Bus. You can customize or bypass this processing if required. You can also load JavaScript files into the LAMbot and execute them.

See LAMbot Configuration for more information. An example Logfile LAM filter configuration is shown below.

filter:
{
    presend: "LogfileLam.js"
}

Start and Stop the LAM

Restart the Logfile LAM to activate any changes you make to the configuration file or LAMbot.

The LAM service name is logfilelamd.

See Control Moogsoft Onprem Processes for further details.