How to configure rsyslog and API log sources

To import additional log sources from rsyslog or to use the API log import:

  • Make sure that you have Log Analytics enabled.
    Note that import of rsyslog and API log sources is not available with the free tier of Log Analytics.

  • Deploy a dedicated ActiveGate for Log Analytics.
    Go to Install an Environment ActiveGate to perform ActiveGate installation.

    Important

    Make sure you install the dedicated ActiveGate on a host that has access to your Dynatrace environment (connectivity to your Dynatrace cluster).

Configure a dedicated ActiveGate

Add the collector configuration to the custom.properties file for the ActiveGate.
See Where can I find ActiveGate files? for the location of the file.

[collector]
SyslogReceiverPort = 2000
SyslogCollectorEnabled = true
LogDiskBufferPath=/tmp/diskbuffer
AWSAgentEnabled = true

Important

Make sure the path defined in the LogDiskBufferPath property points to an existing directory with permissions matching that of an ActiveGate user (for example, dtuserag).

Restart your ActiveGate.
After you restart it, the ActiveGate will be connected to the environment with the Log Analytics Collector module running.

Create a template

In Dynatrace, go to Settings > Log Analytics > Sources and select Rsyslog/API import.

Select the host or custom device group, and then select the process group instance and the API token.
Optionally, you can create a new custom device group and generate a new API token. To generate and configure your API tokens, go to Settings > Integration > Dynatrace API. Make sure that Log import is within the access scope of your API token.

Custom devices

If you plan to use a custom device in your log import, make sure that you also have a license for custom metrics.

Click Create template to view automatically generated templates based on your settings.

  • Rsyslog stream receiver template:
Put the following two lines in the syslog configuration file, e.g. /etc/rsyslog.conf:

$template dynatrace,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% [dt@31094 token=\"<DynatraceToken>\"]%msg%"

*.* @@172.10.10.10;dynatrace

  • API import template:
[dt@31094 token="<DynatraceToken>"]

Note that your Dynatrace token is already included in templates.

For rsyslog stream receiver

You can stream the syslog over UDP or TCP. We recommend that you use TCP because it presents more options for communication error checking and encryption.

Modify the template to reflect the ActiveGate address and port.

The following line should contain the ActiveGate address and port:

*.* @@ActiveGateAddress;dynatrace

For example:

*.* @@172.10.10.10:2000;dynatrace

ActiveGate address

The ActiveGate address can be:

  • An IP address: 172.10.10.10:2000
  • A host name: myactivegate
  • A fully qualified domain name: myactivegate.mydomain.org

Append the modified template to the /etc/rsyslog.conf configuration files of all the systems you want to receive logs from. Authentication is based on the API token.

Restart the Syslog daemon.
After the daemon is restarted, log files should be visible in the Log Viewer.
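
A check you can run on the rsyslog configuration before restarting the daemon, as an added example that is not part of the original page or of Dynatrace's tooling: it parses the legacy forwarding syntax shown above and flags UDP transport (`@` instead of `@@`), a port that differs from SyslogReceiverPort (rsyslog uses 514 when no port is given), and a template that lacks the `[dt@31094 token=...]` element. The function name, finding codes and sample configuration are assumptions constructed for illustration.

```python
import re

# Legacy rsyslog forwarding action: selector, "@" (UDP) or "@@" (TCP),
# optional "(options)", host or [IPv6], optional ":port", optional ";template".
FORWARD = re.compile(
    r'^\s*(?P<selector>\S+)\s+(?P<proto>@@?)(?:\([^)]*\))?'
    r'(?P<host>\[[^\]]+\]|[^:;\s]+)(?::(?P<port>\d+))?(?:;(?P<tpl>\S+))?\s*$')
TEMPLATE = re.compile(
    r'^\s*\$template\s+(?P<name>[^,\s]+)\s*,\s*"(?P<body>.*)"\s*$')
# Structured-data element carrying the API token, with quotes escaped as in rsyslog.conf.
TOKEN_SD = re.compile(r'\[dt@31094 token=\\"[^"\\\]]+\\"\]')

# Constructed sample; <DynatraceToken> is the page's placeholder, not a real token.
SAMPLE = r'''$template dynatrace,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag% [dt@31094 token=\"<DynatraceToken>\"]%msg%"
*.* @@172.10.10.10;dynatrace
*.* @172.10.10.10:2000;dynatrace
*.* @@myactivegate.mydomain.org:2000;dynatrace
'''

def check_rsyslog(conf_text, receiver_port):
    """Return (line_number, finding_code) pairs for every forwarding action."""
    templates, forwards, findings = {}, [], []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comments
        t, f = TEMPLATE.match(line), FORWARD.match(line)
        if t:
            templates[t["name"]] = t["body"]
        elif f:
            forwards.append((no, f))
    for no, f in forwards:
        if f["proto"] == "@":
            findings.append((no, "udp-transport"))  # page recommends TCP (@@)
        port = int(f["port"]) if f["port"] else 514  # rsyslog default port
        if port != receiver_port:
            findings.append((no, "port-mismatch"))  # ActiveGate is not listening there
        body = templates.get(f["tpl"])
        if body is None:
            findings.append((no, "template-undefined"))  # token would not be sent
        elif not TOKEN_SD.search(body):
            findings.append((no, "token-element-missing"))
    return findings

if __name__ == "__main__":
    # 2000 is the SyslogReceiverPort value from custom.properties on this page.
    for no, code in check_rsyslog(SAMPLE, 2000):
        print(f"line {no}: {code}")
```
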

For API import

Include the following token in POST messages sent over HTTP to endpoint https://ActiveGateAddress/loganalyticscollector, where ActiveGateAddress reflects the dedicated Log Analytics ActiveGate and port:

[dt@31094 token="<DynatraceToken>"]