Log Monitoring configuration file

Each OneAgent provides a ruxitagentloganalytics.conf file where you can set configuration options.

Use template

If your OneAgent installation, freshly installed or upgraded, does not have the ruxitagentloganalytics.conf file, use ruxitagentloganalytics.conf.template as a template and create your own ruxitagentloganalytics.conf file.

AppLogContentAccess
Enables access to the log file content on this host. If set to false, the log file will be displayed in the user interface, but the content won't be accessible. Note that the OneAgent will still auto-detect log files unless the flag AppLogAutoDetection is set to false.

  AppLogContentAccess=false

AppLogRemoteConfiguration
Enables the manual configuration of logs to be accessed and monitored. If set to false, it won't be possible to add logs manually using the settings interface.

  AppLogRemoteConfiguration=true

AppLogAutoDetection
Enables auto-detection of log files on this host. If set to false, logs won't be auto-detected.

  AppLogAutoDetection=true

FilesInGroup
Defines how many files can be open by the specified process group.
Syntax: FilesInGroup=[process_group_ID], [warning_number_of_files], [maximum_number_of_files]

  FilesInGroup=0x0, 150, 200

EntryFilter
Defines the filter for a log entry. A matching definition for process group, log path, and line prefix will make this entry available on storage.
Syntax: EntryFilter=[process_group_ID], [log_path], [LAQL]

  EntryFilter=0x0,Windows Application Log,INFO======
  EntryFilter=0x201744FC09941B85,c:\ProgramData\CrashPlan\log\service.log.#,not INFO======

LogEntryPrefix
Defines the prefix of the log entry. If a match is found, the log line will be considered a log entry.

  LogEntryPrefix=/var/ossec/logs/alerts/alerts.log,** Alert

MainLoopInterval
Sets the time interval (in seconds) of OneAgent log operations. Defines how often the OneAgent will detect, analyze, and store logs.

By decreasing this value:
- You can configure the OneAgent to react faster to events happening on the monitored host.
- You might negatively affect performance as the LogAgent then requires more CPU cycles and performs more disk operations.
- There will be more writes to storage disks and a worse compression ratio. Data latency will however be lower.
  In case the server doesn't keep up with writing, the server will increase the interval to achieve an IOPS rate that the storage is able to handle.
By increasing this value:
- You can increase OneAgent performance. The OneAgent would then use less CPU and perform fewer disk operations. This might be beneficial if you monitor applications that write a small number of logs at short intervals.
- You could increase the latency on the UI. For example, the results of log analysis performed on stored data would not contain data from the last (up to) MainLoopInterval seconds.

  MainLoopInterval=60

AutomaticFile
Defines which files will be included in or excluded from the log analysis and storage.
AutomaticFile=Path, Include|Exclude

You can use the wildcard (*) to indicate specify all directories and subdirectories.
For example:
```
AutomaticFile= */log/*/*, Exclude
```
Configuration AutomaticFile= */log/*/*, Exclude would exclude the /dir1/dir2/log/dir3/test1.log file, but it would NOT exclude the /dir1/dir2/log/test2.log file. In this example, the test2.log file is not located at the directory depth indicated in the configuration. As a result, the condition set in the configuration is not met.

Wildcard examples

Configuration	Result
`AutomaticFile= /log//, Exclude`	`/dir1/dir2/log/dir3/test.log` will NOT be excluded `/dir1/dir2/log/test.log` will NOT be excluded `/log/test.log` will NOT be excluded `/log/dir3/test.log` will be excluded

Linux examples

Path	Configuration
/var/log/	AutomaticFile=/var/log/*, Include
/var/log/	AutomaticFile=/var/log/*, Exclude

Windows examples

Path	Configuration
c:\problemdir\file.log	AutomaticFile = /problemdir/*, Exclude
d:\nightly\sub\r16.0.0_sp12_nbld_win_64_daily.log	AutomaticFile= /nightly/ * / *, Exclude

JSONTimestampFieldNames
Defines a list of fields in a JSON-formatted log entry that will be used as a time stamp for automatic JSON parsing. This is a global configuration for all JSON log files. If more than one field is found, the first one will be used.

  JSONTimestampFieldNames=time,timestamp

Deprecated properties - version 1.155 and earlier

The following properties are still available, but they are deprecated and replaced by the AutomaticFile property in version 1.155.

AllowedLogs
Listed name patterns of log files that will be auto-detected for monitoring. You can add multiple name patterns for additional log file name matching.

  AllowedLogs=*[.\-_]log[.\-_]*
  AllowedLogs=*[.\-_]log
  AllowedLogs=catalina.out

AllowedDirLogs
Listed name patterns of directories for log files that will be auto-detected for monitoring. If a log file is discovered in a directory containing the defined string, it will be auto-detected for monitoring. You can add multiple name patterns for additional log directory matching.

  AllowedDirLogs=log
  AllowedDirLogs=logs

LogSearchLevel
Log directory depth. Logs found in directories defined in the AllowedDirLogs property will be added for monitoring only if found on the level defined in LogSearchLevel or below.

  LogSearchLevel=2

AllowedDirPrefixes
Allows log directories with defined prefix. If a log file is found in a directory path starting with what you define in AllowedDirPrefixes, it will be auto-detected for monitoring. You can add multiple directory name prefixes for allowing additional directories.

  AllowedDirPrefixes=/var/log/