• Home
  • How to use Dynatrace
  • Log Monitoring
  • Log data acquisition
  • Log content autodiscovery

Log content autodiscovery

By default, Dynatrace automatically discovers all new log files that meet the requirements described below.

Default autodiscovery

Dynatrace autodiscovers, analyzes, and stores (if selected for storage) logs every 60 seconds.

By default, log files are autodiscovered and analyzed if they are in:

  • Windows System Log
  • Windows Security Log
  • Windows Application Log
  • /var/log/messages

Autodiscovery requirements

A log file must meet all of the following requirements in order to be autodiscovered:

  • The log file must be opened by an important process.

  • The log file must exist for a minimum of one minute.

  • The log file must contain a supported timestamp.

    Binary logs and unsupported timestamp

    Binary log files and log files that contain an unsupported timestamp will be detected automatically but will not be analyzed.

  • The log file must be at least 0.5 KB in size.

  • The log file must have been updated (written to) in the last 7 days.
    Log files that have not been updated in the past 7 days while Log Monitoring is active will not be visible on dashboards.

  • The log file must be in the actual log or logs folder or in its subfolders:

    • Valid path examples:
      c:\log\log_file.txt
      c:\logs\NewFolder\log_file.txt
    • Invalid path example:
      c:\log\NewFolder\NewFolder\log_file.txt

    or the log filename must contain a log string preceded or followed by the period (.) or underscore (_) character:

    • Valid filename examples:
      c:\NewFolder\abc.log
      c:\NewFolder\0865842.log.txt
    • Invalid filename example:
      c:\NewFolder\logfile.txt

Additional limitations for automatically detected files

  • File cannot be deleted earlier than a minute after creation.
  • Files must be appended (old content is not updated).
  • Files must have text content.
  • Log files must be opened constantly (not just for short periods of adding log entry).
  • Log files must be opened in write mode.

What might prevent logs to appear on the server?

  • Over 200 rotated log file groups are detected for a process.

    Dynatrace detects a rotation scheme for log files and reports all the log files in the detected scheme as a group under one name, which typically maps to many files on disk. A large number of rotated file groups typically means that Dynatrace did not recognize the rotation pattern correctly and reports each physical file separately as a group. Once 200 reported rotated log file groups is reached, auto detection is turned off for this process. To resolve this issue, you can:

    • Check your Log Monitoring configuration (Log sources and storage and Add log files manually).
    • Push up the limit in the OneAgent configuration, FilesInGroup property (Log Monitoring configuration).

  • The files are growing very quickly.

    When a log file grows very quickly (at a pace over 10 MB/s), its content might be skipped. OneAgent will continue to send the log file as long as both the network and the server can handle the load. Note that 10 MB/s with typical compression is approximately 10 Mbps of upload traffic.

  • The file name or path doesn't match typical log naming.

    OneAgent checks whether logs match a file name and path pattern that is typical for log files. If there is no match, the file will not be reported and sent to the server. This is needed to avoid false positives on detection of files as logs, and to prevent pulling non-log data from hosts. To remedy this, you can set rules in the OneAgent configuration, AutomaticFile property (Log Monitoring configuration).

  • There are symbolic links in the file or the paths.

    This limitation applies to custom files that point to a path that contains symbolic links. The physical path of the file pointed to by a symbolic link must meet the criteria for a log. Otherwise, symbolic links could be used to read non-log data from a host.

  • The file size is below 500 bytes.

Turn off log autodiscovery

If you don't want Dynatrace to automatically discover new log files on a specific monitored host, you can turn off log autodiscovery.

  1. On the host, open the log analytics configuration file for editing.
    • On Linux:
      /var/lib/dynatrace/oneagent/agent/config/ruxitagentloganalytics.conf
    • On Windows:
      %PROGRAMDATA%\dynatrace\oneagent\agent\config\ruxitagentloganalytics.conf
  2. Set the following:
    AppLogAutoDetection = false

OneAgent restart is not required.