# ------------------------------------------------------------------------------ # Netdata Logs Management default configuration # See full explanation on https://github.com/netdata/netdata/blob/master/src/logsmanagement/README.md # # To add a new log source, a new section must be added in this # file with at least the following settings: # # [LOG SOURCE NAME] # enabled = yes # log type = flb_tail # # For a list of all available log types, see: # https://github.com/netdata/netdata/blob/master/src/logsmanagement/README.md#types-of-available-collectors # # ------------------------------------------------------------------------------ [kmsg Logs] ## Example: Log collector that will collect new kernel ring buffer logs ## Required settings enabled = yes log type = flb_kmsg ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 use log timestamp = no # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## Drop kernel logs with priority higher than prio_level. # prio level = 8 ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes severity chart = yes subsystem chart = yes device chart = yes ## Example of capturing specific kmsg events: # custom 1 chart = USB connect/disconnect # custom 1 regex name = connect # custom 1 regex = .*\bNew USB device found\b.* # custom 2 chart = USB connect/disconnect # custom 2 regex name = disconnect # custom 2 regex = .*\bUSB disconnect\b.* [Systemd Logs] ## Example: Log collector that will query journald to collect system logs ## Required settings enabled = yes log type = flb_systemd ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## Use default path to Systemd Journal log path = auto ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes priority value chart = yes severity chart = yes facility chart = yes [Docker Events Logs] ## Example: Log collector that will monitor the Docker daemon socket and ## collect Docker event logs in a default format similar to executing ## the `sudo docker events` command. ## Required settings enabled = yes log type = flb_docker_events ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## Use default Docker socket UNIX path: /var/run/docker.sock log path = auto ## Submit structured log entries to the system journal # submit logs to system journal = no ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes event type chart = yes event action chart = yes ## Example of how to capture create / attach / die events for a named container: # custom 1 chart = serverA events # custom 1 regex name = container create # custom 1 regex = .*\bcontainer create\b.*\bname=serverA\b.* # custom 2 chart = serverA events # custom 2 regex name = container attach # custom 2 regex = .*\bcontainer attach\b.*\bname=serverA\b.* # custom 3 chart = serverA events # custom 3 regex name = container die # custom 3 regex = .*\bcontainer die\b.*\bname=serverA\b.* ## Stream to https://cloud.openobserve.ai/ # output 1 name = http # output 1 URI = YOUR_API_URI # output 1 Host = api.openobserve.ai # output 1 Port = 443 # output 1 tls = On # output 1 Format = json # output 1 Json_date_key = _timestamp # output 1 Json_date_format = iso8601 # output 1 HTTP_User = test@netdata.cloud # output 1 HTTP_Passwd = YOUR_OPENOBSERVE_PASSWORD # output 1 compress = gzip ## Real-time export to /tmp/docker_event_logs.csv # output 2 name = file # output 2 Path = /tmp # output 2 File = docker_event_logs.csv [Apache access.log] ## Example: Log collector that will tail Apache's access.log file and ## parse each new record to extract common web server metrics. ## Required settings enabled = yes log type = flb_web_log ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## This section supports auto-detection of log file path if section name ## is left unchanged, otherwise it can be set manually, e.g.: ## log path = /var/log/apache2/access.log ## See README for more information on 'log path = auto' option log path = auto ## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage. use inotify = yes ## Auto-detect web log format, otherwise it can be set manually, e.g.: ## log format = %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i" ## see https://httpd.apache.org/docs/2.4/logs.html#accesslog log format = auto ## Detect errors such as illegal port numbers or response codes. verify parsed logs = yes ## Submit structured log entries to the system journal # submit logs to system journal = no ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes vhosts chart = yes ports chart = yes IP versions chart = yes unique client IPs - current poll chart = yes unique client IPs - all-time chart = no http request methods chart = yes http protocol versions chart = yes bandwidth chart = yes timings chart = yes response code families chart = yes response codes chart = yes response code types chart = yes SSL protocols chart = yes SSL chipher suites chart = yes [Nginx access.log] ## Example: Log collector that will tail Nginx's access.log file and ## parse each new record to extract common web server metrics. ## Required settings enabled = yes log type = flb_web_log ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## This section supports auto-detection of log file path if section name ## is left unchanged, otherwise it can be set manually, e.g.: ## log path = /var/log/nginx/access.log ## See README for more information on 'log path = auto' option log path = auto ## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage. use inotify = yes ## see https://docs.nginx.com/nginx/admin-guide/monitoring/logging/#setting-up-the-access-log log format = $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent $request_length $request_time "$http_referer" "$http_user_agent" ## Detect errors such as illegal port numbers or response codes. verify parsed logs = yes ## Submit structured log entries to the system journal # submit logs to system journal = no ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes vhosts chart = yes ports chart = yes IP versions chart = yes unique client IPs - current poll chart = yes unique client IPs - all-time chart = no http request methods chart = yes http protocol versions chart = yes bandwidth chart = yes timings chart = yes response code families chart = yes response codes chart = yes response code types chart = yes SSL protocols chart = yes SSL chipher suites chart = yes [Netdata daemon.log] ## Example: Log collector that will tail Netdata's daemon.log and ## it will generate log level charts based on custom regular expressions. ## Required settings enabled = yes log type = flb_tail ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## This section supports auto-detection of log file path if section name ## is left unchanged, otherwise it can be set manually, e.g.: ## log path = /tmp/netdata/var/log/netdata/daemon.log ## See README for more information on 'log path = auto' option log path = auto ## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage. use inotify = yes ## Submit structured log entries to the system journal # submit logs to system journal = no ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes ## Examples of extracting custom metrics from Netdata's daemon.log: ## log level chart custom 1 chart = log level custom 1 regex name = emergency custom 1 regex = level=emergency custom 1 ignore case = no custom 2 chart = log level custom 2 regex name = alert custom 2 regex = level=alert custom 2 ignore case = no custom 3 chart = log level custom 3 regex name = critical custom 3 regex = level=critical custom 3 ignore case = no custom 4 chart = log level custom 4 regex name = error custom 4 regex = level=error custom 4 ignore case = no custom 5 chart = log level custom 5 regex name = warning custom 5 regex = level=warning custom 5 ignore case = no custom 6 chart = log level custom 6 regex name = notice custom 6 regex = level=notice custom 6 ignore case = no custom 7 chart = log level custom 7 regex name = info custom 7 regex = level=info custom 7 ignore case = no custom 8 chart = log level custom 8 regex name = debug custom 8 regex = level=debug custom 8 ignore case = no [Netdata fluentbit.log] ## Example: Log collector that will tail Netdata's ## embedded Fluent Bit's logs ## Required settings enabled = no log type = flb_tail ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## This section supports auto-detection of log file path if section name ## is left unchanged, otherwise it can be set manually, e.g.: ## log path = /tmp/netdata/var/log/netdata/fluentbit.log ## See README for more information on 'log path = auto' option log path = auto ## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage. use inotify = yes ## Submit structured log entries to the system journal # submit logs to system journal = no ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes ## Examples of extracting custom metrics from fluentbit.log: ## log level chart custom 1 chart = log level custom 1 regex name = error custom 1 regex = \[error\] custom 1 ignore case = no custom 2 chart = log level custom 2 regex name = warning custom 2 regex = \[warning\] custom 2 ignore case = no custom 3 chart = log level custom 3 regex name = info custom 3 regex = \[ info\] custom 3 ignore case = no custom 4 chart = log level custom 4 regex name = debug custom 4 regex = \[debug\] custom 4 ignore case = no custom 5 chart = log level custom 5 regex name = trace custom 5 regex = \[trace\] custom 5 ignore case = no [auth.log tail] ## Example: Log collector that will tail auth.log file and count ## occurences of certain `sudo` commands, using POSIX regular expressions. ## Required settings enabled = no log type = flb_tail ## Optional settings, common to all log source. ## Uncomment to override global equivalents in netdata.conf. # update every = 1 # update timeout = 10 # use log timestamp = auto # circular buffer max size MiB = 64 # circular buffer drop logs if full = no # compression acceleration = 1 # db mode = none # circular buffer flush to db = 6 # disk space limit MiB = 500 ## This section supports auto-detection of log file path if section name ## is left unchanged, otherwise it can be set manually, e.g.: ## log path = /var/log/auth.log ## See README for more information on 'log path = auto' option log path = auto ## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage. use inotify = yes ## Submit structured log entries to the system journal # submit logs to system journal = no ## Charts to enable # collected logs total chart enable = no # collected logs rate chart enable = yes ## Examples of extracting custom metrics from auth.log: # custom 1 chart = failed su # # custom 1 regex name = # custom 1 regex = .*\bsu\b.*\bFAILED SU\b.* # custom 1 ignore case = no # custom 2 chart = sudo commands # custom 2 regex name = sudo su # custom 2 regex = .*\bsudo\b.*\bCOMMAND=/usr/bin/su\b.* # custom 2 ignore case = yes # custom 3 chart = sudo commands # custom 3 regex name = sudo docker run # custom 3 regex = .*\bsudo\b.*\bCOMMAND=/usr/bin/docker run\b.* # custom 3 ignore case = yes