Outcold Solutions LLC

Monitoring Linux - Version 5

Logs forwarding


With the default configuration collectorforlinux forwards logs from /var/log folder, including syslog files, and journald logs.

When you need to configure forwarding from a custom location you can add additional sections in 002-user.conf file.

# Input syslog(.\d+)? files

# disable host level logs
disabled = false

# root location of log files
path = /opt/myapp/logs

# glob pattern
glob = *.log

# regex matching pattern (use it instead of glob pattern if you need more complicated filtering)
# match = 

# limit search only on one level
recursive = false

# files are read using polling schema, when reach the EOF how often to check if files got updated
pollingInterval = 250ms

# how often o look for the new files under logs path
walkingInterval = 5s

# include verbose fields in events (file offset)
verboseFields = false

# override type (source type)
type = linux_host_logs

# specify Splunk index
index =

# regexp to specify the beginning of the event line
eventPattern = 

# regexp field extraction
extraction = 

# timestamp field (if field extraction is used)
timestampField =

# format for timestamp
# the layout defines the format by showing how the reference time, defined to be `Mon Jan 2 15:04:05 -0700 MST 2006`
timestampFormat = Jan 2 15:04:05

# Adjust date, if month/day aren't set in format
timestampSetMonth = false
timestampSetDay = false

# timestamp location (if not defined by format)
timestampLocation = Local

# sample output (-1 does not sample, 20 - only 20% of the logs should be forwarded)
samplingPercent = -1

# sampling key for hash based sampling (should be regexp with the named match pattern `key`)
samplingKey =

# set output (splunk or devnull, default is [general]defaultOutput)
output =

# configure default thruput per second for for each container log
# for example if you set `thruputPerSecond = 128Kb`, that will limit amount of logs forwarded
# from the single container to 128Kb per second.
thruputPerSecond =

# Configure events that are too old to be forwarded, for example 168h (7 days) - that will drop all events
# older than 7 days
tooOldEvents =

# Configure events that are too new to be forwarded, for example 1h - that will drop all events that are 1h in future
tooNewEvents =


Will be added in the future

About Outcold Solutions

Outcold Solutions provides solutions for monitoring Kubernetes, OpenShift and Docker clusters in Splunk Enterprise and Splunk Cloud. We offer certified Splunk applications, which give you insights across all containers environments. We are helping businesses reduce complexity related to logging and monitoring by providing easy-to-use and deploy solutions for Linux and Windows containers. We deliver applications, which help developers monitor their applications and operators to keep their clusters healthy. With the power of Splunk Enterprise and Splunk Cloud, we offer one solution to help you keep all the metrics and logs in one place, allowing you to quickly address complex questions on container performance.