Log content autodiscovery
Log Monitoring Classic
By default, Dynatrace automatically discovers all new log files that meet the requirements described below.
Default autodiscovery
Dynatrace automatically discovers, analyzes, and stores (if selected for storage) logs every 60 seconds.
Note: Whether your autodiscovered files are stored in Dynatrace depends on the log storage configuration.
By default, the OneAgent log module autodiscovers the following categories of log files:
-
System logs
On Windows:Windows Security LogWindows Application LogWindows System Log
On Linux:
/var/log/messages/var/log/syslog
-
Log files opened by running processes. For details, see Log content autodiscovery
-
IIS Logs (Windows only) - both event logs and plain log files
-
Container logs (Linux only) in Kubernetes, Openshift, and non-instrumented Docker. For details, see Log Monitoring in Kubernetes
Attributes selected in Windows event logs
For Windows event logs, Log Monitoring selects the following attributes:
| Semantic attribute name | Event property |
|---|---|
|
|
|
|
|
|
|
|
|
|
Autodiscovery requirements
A log file must meet all of the following requirements in order to be autodiscovered:
-
The log file must be opened by an important process.
-
The log file must exist for a minimum of one minute.
-
The logs must have a supported character encoding. By default, the supported encoding is UTF-8. Other supported types include UTF-8 BOM and, if the files contain the byte-order mark (BOM), UTF-16LE and UTF-16BE.
Binary logs and unsupported timestampBinary log files are not analyzed and stored (only the file status is reported). Files with an unsupported timestamp are automatically timestamped with the file reading time.
-
The log file must be at least 0.5 KB in size.
-
The log file must have been updated (written to) in the last 7 days.
Log files that have not been updated in the past 7 days while Log Monitoring is active will not be visible on dashboards. -
The log file must be in the actual
logorlogsfolder or in its subfolders:- Valid path examples:
c:\log\log_file.txt
c:\logs\NewFolder\log_file.txt - Invalid path example:
c:\log\NewFolder\NewFolder\log_file.txt
or the log filename must contain a
logstring preceded or followed by the period (.) or underscore (_) character:- Valid filename examples:
c:\NewFolder\abc.log
c:\NewFolder\0865842.log.txt - Invalid filename example:
c:\NewFolder\logfile.txt
- Valid path examples:
Turn off log autodiscovery
If you don't want Dynatrace to automatically discover new log files on a specific monitored host, you can turn off log autodiscovery.
- On the host, open the log analytics configuration file for editing.
- On Linux:
/var/lib/dynatrace/oneagent/agent/config/ruxitagentloganalytics.conf - On Windows:
%PROGRAMDATA%\dynatrace\oneagent\agent\config\ruxitagentloganalytics.conf
- On Linux:
- Set the following:
AppLogAutoDetection = false
OneAgent restart is not required.
Limits for your log autodiscovery when using OneAgent.
- Log files in OneAgent cannot be deleted earlier than a minute after creation.
- Log files in OneAgent must be appended (old content is not updated).
- Log files in OneAgent must have text content.
- Log files in OneAgent must be opened constantly (not just for short periods of adding log entry).
- Log files in OneAgent must be opened in write mode.
Unsupported autodiscovery scenarios
Scenarios that are not supported in the rotated log autodiscovery process include:
- Rotated log generation with a directory change. This process could lead to the creation of numerous non-aggregated and/or incomplete logs, as well as to resource overuse.
- Rotated log generation with immediate compression, where the application addresses a file with the same name. If a rotation criterion is met (for example, the required file size is reached), the file is moved to another location and immediately compressed.
Example:
/var/log/application.log -> /var/log/application.log.1.gz -> /var/log/application.log.2.gz -> /var/log/application.log.3.gz. This process might again lead to incomplete log creation.