The tag has been specifically designed for all types of common data coming from unknown sources, like any product/technology not yet supported by Devo. When Devo receives an event with this tag for the first time, it generates a notification explaining how to separate the values into their own columns with the correct values.

This tag can also be used to inject data from other tables and share it with other users and domains. Check the Data reinjection article to learn more about this.

Tag structure

The standard structure of this tag is, following the below rules:

  • The elements category, format, cluster and instance are free and optional, but we recommend using at least the first two (category and format) to define the log type and to be able to store statistics regarding the log.
  • The elements category and format should be used to classify the log type and format and they should be prefixed elements.
  • The elements cluster and instance refer to any hierarchy that identifies the event source and they can be free elements.

For more information on how tags work, see the Introduction to tags article.

Examples of tags

  • (in this case, the last part is the name of the server and it is the free component of the tag)
  • (in this case, the last two elements are free elements and they refer to server and environment name)

How to consult the table

If you want to visualize the table, go to the Data Search area and select the appropriate tag:

How to report unsupported technologies

If you come across an unsupported technology, please follow these steps:

  • Label the log with the nomenclature as explained above.
  • Build (as a sample) a small volume of logs using the label.
  • Contact the Devo support team indicating:
    • The type of technology/product that you would like Devo to support.
    • Your Devo user.
    • The tag you have used to generate the sample events.

Sending to Devo via files

Unix environments

Suppose you are working with a proprietary application or unsupported product that generates its logs as text files. In this case, the main mechanism to send the logs to Devo relies on other tools, like rsyslog or syslog-ng. We will use the following configuration file for rsyslog:

/etc/rsyslog.d/46-myapp.conf file

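# Load the file input module (skip this line if rsyslog.conf already loads it)
$ModLoad imfile
$template myFileMonitorTemplate,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
# File access
$InputFileName /path/to/file.log
$InputFileTag my.devo.tag:
$InputFileStateFile stat-file1-myFileMonitor
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
# Activate the monitor defined above; without this directive the file is never read
$InputRunFileMonitor
# Forward matching events to the relay over TCP (@@), then discard them locally (~)
if $syslogtag contains 'my.devo.tag' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;myFileMonitorTemplate
:syslogtag, contains, "my.devo.tag" ~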

Note that you should customize the above template as follows:

  • Replace /path/to/file.log with the absolute path where the log files are located.
  • Define using the appropriate elements.
  • Replace stat-file1-myFileMonitor with a unique value that identifies the state file rsyslog keeps for the log we are dealing with.
  • Replace DEVO-RELAY and PORT with the server and port of your Devo relay (this information is displayed in the application, under the Administration → Relays area).

Note that if you are going to send to a secure relay, you should uncomment the SSL section of the configuration file (shown commented out in the example below). Also, you must verify that the file you are going to process, and the directory where it is located, can be read by the user running rsyslog.
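The notes above (a tag on every monitored file, a unique state file, TLS enabled for a secure relay) can be checked before rsyslog is restarted. The following Python linter is an added example, not part of the Devo documentation or of rsyslog: lint_imfile_config and the sample configuration are constructed for illustration, and it only understands the legacy $Input... directives used on this page. It also applies rsyslog's rule that a legacy file monitor starts only when $InputRunFileMonitor follows its settings.

```python
import re

# Constructed sample: first file never activated, second reuses its state file and has no tag.
SAMPLE_CONF = """\
$template myFileMonitorTemplate,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
$InputFileName /var/log/uptime.log
$InputFileTag my.devo.tag:
$InputFileStateFile stat-file1-myFileMonitor
$InputFileName /var/log/other.log
$InputFileStateFile stat-file1-myFileMonitor
$InputRunFileMonitor
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$ActionSendStreamDriverMode 1 # require TLS for the connection
if $syslogtag contains 'my.devo.tag' then @@DEVO-RELAY:PORT;myFileMonitorTemplate
"""

def lint_imfile_config(text):
    """Lint legacy ($Input...) imfile directives and return a list of findings."""
    findings, states, seen, cur, tcp = [], set(), {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out SSL section counts as absent
        tcp = tcp or bool(re.search(r"\s@@\S", line))  # @@ means forward over TCP
        m = re.match(r"\$(\w+)\s*([^#]*)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        seen[key] = val
        if key == "inputfilename":
            if cur:  # the previous monitor's settings are overwritten, not started
                findings.append(f"{cur['file']}: missing $InputRunFileMonitor")
            cur = {"file": val, "tag": None}
        elif key == "inputfiletag" and cur:
            cur["tag"] = val
        elif key == "inputfilestatefile" and cur:
            if val in states:
                findings.append(f"{cur['file']}: state file '{val}' is not unique")
            states.add(val)
        elif key == "inputrunfilemonitor" and cur:
            if not cur["tag"]:
                findings.append(f"{cur['file']}: missing $InputFileTag")
            cur = None
    if cur:
        findings.append(f"{cur['file']}: missing $InputRunFileMonitor")
    tls = seen.get("defaultnetstreamdriver") == "gtls" and seen.get("actionsendstreamdrivermode") == "1"
    if tcp and not tls:
        findings.append("forwarding with @@ but TLS directives are not enabled")
    return findings
```

Calling lint_imfile_config(SAMPLE_CONF) reports four findings; a configuration with one activated, tagged monitor per state file and the SSL section uncommented returns an empty list.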

Windows Environments

Suppose you are working with a proprietary application or unsupported product that generates its logs as text files. In this case, the main mechanism to be used is the Snare Agent.

Example of sending logs to from a Linux system

Use a test script as the proprietary application:

Script /tmp/

# Append the output of uptime to the monitored log once per second
while [ 1 ]; do
 uptime >> /var/log/uptime.log
 sleep 1
done

Run the following command:

#sh /tmp/ &

Create the following rsyslog configuration file (following the template discussed in this section):

# Load the file input module (skip this line if rsyslog.conf already loads it)
$ModLoad imfile
$template myappTest,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
# File 1
$InputFileName /var/log/uptime.log
# my.devo.tag is the placeholder from the template above; replace it with your own tag
$InputFileTag my.devo.tag:
$InputFileStateFile stat-file-myApptTest-log
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
# Activate the monitor defined above; without this directive the file is never read
$InputRunFileMonitor
# SSL config for devo secure relay
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
if $syslogtag contains 'my.devo.tag' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;myappTest
:syslogtag, contains, "my.devo.tag" ~

Restart rsyslog:

Restart rsyslog daemon

/etc/init.d/rsyslog restart

You can consult the results by running the search:
