netdata/logsmanagement/stock_conf/logsmanagement.d/default.conf

# ------------------------------------------------------------------------------
# Netdata Logs Management default configuration
# See full explanation on https://github.com/netdata/netdata/blob/master/logsmanagement/README.md
#
# To add a new log source, a new section must be added in this 
# file with at least the following settings:
#
# [LOG SOURCE NAME]
# 	enabled = yes
# 	log type = flb_tail
#
# For a list of all available log types, see:
# https://github.com/netdata/netdata/blob/master/logsmanagement/README.md#types-of-available-collectors
#
# ------------------------------------------------------------------------------

[kmsg Logs]
	## Example: Log collector that will collect new kernel ring buffer logs

	## Required settings
	enabled = yes
	log type = flb_kmsg

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	use log timestamp = no
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## Drop kernel logs with priority higher than prio_level.
	# prio level = 8

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	severity chart = yes
	subsystem chart = yes
	device chart = yes

	## Example of capturing specific kmsg events:
	# custom 1 chart = USB connect/disconnect
	# custom 1 regex name = connect
	# custom 1 regex = .*\bNew USB device found\b.*

	# custom 2 chart = USB connect/disconnect
	# custom 2 regex name = disconnect
	# custom 2 regex = .*\bUSB disconnect\b.*

[Systemd Logs]
	## Example: Log collector that will query journald to collect system logs

	## Required settings
	enabled = yes
	log type = flb_systemd

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## Use default path to Systemd Journal
	log path = auto

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	priority value chart = yes
	severity chart = yes
	facility chart = yes

[Docker Events Logs]
	## Example: Log collector that will monitor the Docker daemon socket and
	## collect Docker event logs in a default format similar to executing 
	## the `sudo docker events` command.

	## Required settings
	enabled = yes
	log type = flb_docker_events

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## Use default Docker socket UNIX path: /var/run/docker.sock
	log path = auto

	## Submit structured log entries to the system journal
	# submit logs to system journal = no

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	event type chart = yes
	event action chart = yes

	## Example of how to capture create / attach / die events for a named container:
	# custom 1 chart = serverA events
	# custom 1 regex name = container create
	# custom 1 regex = .*\bcontainer create\b.*\bname=serverA\b.*

	# custom 2 chart = serverA events
	# custom 2 regex name = container attach
	# custom 2 regex = .*\bcontainer attach\b.*\bname=serverA\b.*

	# custom 3 chart = serverA events
	# custom 3 regex name = container die
	# custom 3 regex = .*\bcontainer die\b.*\bname=serverA\b.*

	## Stream to https://cloud.openobserve.ai/
	# output 1 name             = http
	# output 1 URI              = YOUR_API_URI
	# output 1 Host             = api.openobserve.ai
	# output 1 Port             = 443
	# output 1 tls              = On
	# output 1 Format           = json
	# output 1 Json_date_key    = _timestamp
	# output 1 Json_date_format = iso8601
	# output 1 HTTP_User        = test@netdata.cloud
	# output 1 HTTP_Passwd      = YOUR_OPENOBSERVE_PASSWORD
	# output 1 compress         = gzip

	## Real-time export to /tmp/docker_event_logs.csv
	# output 2 name             = file
	# output 2 Path             = /tmp
	# output 2 File             = docker_event_logs.csv

[Apache access.log]
	## Example: Log collector that will tail Apache's access.log file and 
	## parse each new record to extract common web server metrics.

	## Required settings
	enabled = yes
	log type = flb_web_log

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## This section supports auto-detection of log file path if section name
	## is left unchanged, otherwise it can be set manually, e.g.:
	## log path = /var/log/apache2/access.log
	## See README for more information on 'log path = auto' option
	log path = auto

	## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage.
	use inotify = yes
	
	## Auto-detect web log format, otherwise it can be set manually, e.g.:
	## log format = %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
	## see https://httpd.apache.org/docs/2.4/logs.html#accesslog
	log format = auto

	## Detect errors such as illegal port numbers or response codes.
	verify parsed logs = yes

	## Submit structured log entries to the system journal
	# submit logs to system journal = no

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	vhosts chart = yes
	ports chart = yes
	IP versions chart = yes
	unique client IPs - current poll chart = yes
	unique client IPs - all-time chart = no
	http request methods chart = yes
	http protocol versions chart = yes
	bandwidth chart = yes
	timings chart = yes
	response code families chart = yes
	response codes chart = yes
	response code types chart = yes
	SSL protocols chart = yes
	SSL chipher suites chart = yes

[Nginx access.log]
	## Example: Log collector that will tail Nginx's access.log file and 
	## parse each new record to extract common web server metrics.

	## Required settings
	enabled = yes
	log type = flb_web_log

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## This section supports auto-detection of log file path if section name
	## is left unchanged, otherwise it can be set manually, e.g.:
	## log path = /var/log/nginx/access.log
	## See README for more information on 'log path = auto' option
	log path = auto

	## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage.
	use inotify = yes

	## see https://docs.nginx.com/nginx/admin-guide/monitoring/logging/#setting-up-the-access-log
	log format = $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent $request_length $request_time "$http_referer" "$http_user_agent"
	
	## Detect errors such as illegal port numbers or response codes.
	verify parsed logs = yes

	## Submit structured log entries to the system journal
	# submit logs to system journal = no

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	vhosts chart = yes
	ports chart = yes
	IP versions chart = yes
	unique client IPs - current poll chart = yes
	unique client IPs - all-time chart = no
	http request methods chart = yes
	http protocol versions chart = yes
	bandwidth chart = yes
	timings chart = yes
	response code families chart = yes
	response codes chart = yes
	response code types chart = yes
	SSL protocols chart = yes
	SSL chipher suites chart = yes

[Netdata daemon.log]
	## Example: Log collector that will tail Netdata's daemon.log and 
	## it will generate log level charts based on custom regular expressions.

	## Required settings
	enabled = yes
	log type = flb_tail

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## This section supports auto-detection of log file path if section name
	## is left unchanged, otherwise it can be set manually, e.g.:
	## log path = /tmp/netdata/var/log/netdata/daemon.log
	## See README for more information on 'log path = auto' option
	log path = auto

	## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage.
	use inotify = yes

	## Submit structured log entries to the system journal
	# submit logs to system journal = no

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	
	## Examples of extracting custom metrics from Netdata's daemon.log:

	## log level chart
	custom 1 chart = log level
	custom 1 regex name = emergency
	custom 1 regex = level=emergency
	custom 1 ignore case = no

	custom 2 chart = log level
	custom 2 regex name = alert
	custom 2 regex = level=alert
	custom 2 ignore case = no

	custom 3 chart = log level
	custom 3 regex name = critical
	custom 3 regex = level=critical
	custom 3 ignore case = no

	custom 4 chart = log level
	custom 4 regex name = error
	custom 4 regex = level=error
	custom 4 ignore case = no

	custom 5 chart = log level
	custom 5 regex name = warning
	custom 5 regex = level=warning
	custom 5 ignore case = no

	custom 6 chart = log level
	custom 6 regex name = notice
	custom 6 regex = level=notice
	custom 6 ignore case = no

	custom 7 chart = log level
	custom 7 regex name = info
	custom 7 regex = level=info
	custom 7 ignore case = no

	custom 8 chart = log level
	custom 8 regex name = debug
	custom 8 regex = level=debug
	custom 8 ignore case = no

[Netdata fluentbit.log]
	## Example: Log collector that will tail Netdata's 
	## embedded Fluent Bit's logs

	## Required settings
	enabled = no
	log type = flb_tail

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## This section supports auto-detection of log file path if section name
	## is left unchanged, otherwise it can be set manually, e.g.:
	## log path = /tmp/netdata/var/log/netdata/fluentbit.log
	## See README for more information on 'log path = auto' option
	log path = auto

	## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage.
	use inotify = yes

	## Submit structured log entries to the system journal
	# submit logs to system journal = no

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	
	## Examples of extracting custom metrics from fluentbit.log:

	## log level chart
	custom 1 chart = log level
	custom 1 regex name = error
	custom 1 regex = \[error\]
	custom 1 ignore case = no

	custom 2 chart = log level
	custom 2 regex name = warning
	custom 2 regex = \[warning\]
	custom 2 ignore case = no

	custom 3 chart = log level
	custom 3 regex name = info
	custom 3 regex = \[ info\]
	custom 3 ignore case = no

	custom 4 chart = log level
	custom 4 regex name = debug
	custom 4 regex = \[debug\]
	custom 4 ignore case = no

	custom 5 chart = log level
	custom 5 regex name = trace
	custom 5 regex = \[trace\]
	custom 5 ignore case = no

[auth.log tail]
	## Example: Log collector that will tail auth.log file and count 
	## occurences of certain `sudo` commands, using POSIX regular expressions.

	## Required settings
	enabled = no
	log type = flb_tail

	## Optional settings, common to all log source. 
	## Uncomment to override global equivalents in netdata.conf.
	# update every = 1
	# update timeout = 10
	# use log timestamp = auto
	# circular buffer max size MiB = 64
	# circular buffer drop logs if full = no
	# compression acceleration = 1
	# db mode = none
	# circular buffer flush to db = 6
	# disk space limit MiB = 500

	## This section supports auto-detection of log file path if section name
	## is left unchanged, otherwise it can be set manually, e.g.:
	## log path = /var/log/auth.log
	## See README for more information on 'log path = auto' option
	log path = auto

	## Use inotify instead of file stat watcher. Set to 'no' to reduce CPU usage.
	use inotify = yes

	## Submit structured log entries to the system journal
	# submit logs to system journal = no

	## Charts to enable
	# collected logs total chart enable = no
	# collected logs rate chart enable = yes
	
	## Examples of extracting custom metrics from auth.log:
	# custom 1 chart = failed su
	# # custom 1 regex name = 
	# custom 1 regex = .*\bsu\b.*\bFAILED SU\b.*
	# custom 1 ignore case = no

	# custom 2 chart = sudo commands
	# custom 2 regex name = sudo su
	# custom 2 regex = .*\bsudo\b.*\bCOMMAND=/usr/bin/su\b.*
	# custom 2 ignore case = yes

	# custom 3 chart = sudo commands
	# custom 3 regex name = sudo docker run
	# custom 3 regex = .*\bsudo\b.*\bCOMMAND=/usr/bin/docker run\b.*
	# custom 3 ignore case = yes