The my.app tag is designed for all types of common data coming from unknown sources, such as any product or technology not yet supported by Devo. When Devo receives an event with this tag for the first time, it generates a notification to inform you how to separate the values into their own columns with correct values.
This tag can also be used to inject data from other tables and share it with other users and domains. Check the Data reinjection article to learn more about this.
The standard structure of this tag is my.app.category.format.cluster.instance, following these rules:
- The elements category, format, cluster and instance are free and optional, but we recommend using at least the first two (category and format) to define the log type and to be able to store statistics regarding the log.
- The elements category and format should be used to classify the log type and format, and they should be prefixed elements.
- The elements cluster and instance refer to any hierarchy that identifies the source of the events, and they can be free elements.
For more information on how tags work, see the Introduction to tags article.
Examples of my.app tags
- my.app.unknownWebserver.access-log.demoSrv1 (in this case, the last part is the name of the server and it is the free component of the tag)
- my.app.unknownWebserver.access-log.demoSrv1.pro (in this case, the last two elements are free elements and they refer to server and environment name)
How to consult the my.app table
If you want to visualize the my.app table, go to the Data Search area and select the appropriate tag.
How to report unsupported technologies
If you come across an unsupported technology, please follow these steps:
- Label the log with the nomenclature explained above.
- Build (as a sample) a small volume of logs using the label.
- Contact the Devo support team indicating:
  - The type of technology/product that you would like Devo to support.
  - Your Devo user.
  - The tag you have used to generate the sample events.
Sending to Devo via files
Suppose you are working with a proprietary application or unsupported product that generates its logs as text files. In this case, the main mechanism to send the logs to Devo would rely on other tools, like rsyslog or syslog-ng. We will use the following configuration file for rsyslog:

```
$template myFileMonitorTemplate,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"

# File access
$InputFileName /path/to/file.log
$InputFileTag my.devo.tag:
$InputFileStateFile stat-file1-myFileMonitor
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

if $syslogtag contains 'my.devo.tag' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;myFileMonitorTemplate
:syslogtag, contains, "my.devo.tag" ~
```

Note that you should customize the above template as follows:
- Replace /path/to/file.log with the absolute path where the log files are located.
- Replace my.devo.tag with your my.app.CATEGORY.FORMAT.CLUSTER.INSTANCE tag, using the appropriate elements.
- Replace stat-file1-myFileMonitor with a unique value identifying the state file that rsyslog keeps for the log being monitored.
- Replace DEVO-RELAY and PORT with the server and port of your Devo relay (this information is displayed in the application, under the Administration → Relays area).
Note that if you are going to send to a secure relay, you should uncomment the SSL section of the configuration file (included in the Linux example below). Also, you must verify that the file you are going to process and the directory where it is located can be read by the user running rsyslog.
Suppose you are working with a proprietary application or unsupported product that generates its logs as text files. In this case, the main mechanism to be used is the Snare Agent.
Example of sending logs to my.app from a Linux system
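Use a test script as the proprietary application, saved as /tmp/myappTest.sh:

```bash
#!/bin/bash
# Append the output of uptime to the monitored log file once per second
while [ 1 ]; do
    uptime >> /var/log/uptime.log
    sleep 1
done
```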
Run the following command:
#sh /tmp/myappTest.sh &
Create the following rsyslog configuration file (following the template discussed in this section):
```
$template myappTest,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"

# File 1
$InputFileName /var/log/uptime.log
$InputFileTag my.app.uptime.stats.demosrv.dev:
$InputFileStateFile stat-file-myApptTest-log
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# SSL config for devo secure relay
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector

if $syslogtag contains 'my.app.uptime.stats.demosrv.dev' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;myappTest
:syslogtag, contains, "my.app.uptime.stats.demosrv.dev" ~
```

Restart the rsyslog daemon.
You can consult the results by running the my.app search.
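An added example, not part of the original page or of Devo's tooling: a Python check for a file-monitor configuration like the one above, covering the tag structure, the match between `$InputFileTag` and the forwarding filter, and whether the SSL section is fully uncommented. It assumes the target is a secure relay and uses an abridged, constructed copy of the uptime example as input; `lint`, `TLS`, `SAMPLE` and `SECURED` are names chosen here.

```python
import re

# Directives from the page's commented "SSL config" section; None = any value.
TLS = {"$DefaultNetstreamDriver": "gtls", "$ActionSendStreamDriverMode": "1",
       "$DefaultNetstreamDriverCAFile": None, "$DefaultNetstreamDriverCertFile": None,
       "$DefaultNetstreamDriverKeyFile": None, "$ActionSendStreamDriverAuthMode": None,
       "$ActionSendStreamDriverPermittedPeer": None}
FILTER_RE = re.compile(r"syslogtag,? contains,? ['\"]([^'\"]+)['\"]")

def lint(conf):
    """Return findings for a legacy-syntax rsyslog file-monitor configuration."""
    live = [l.strip() for l in conf.splitlines()]
    live = [l for l in live if l and not l.startswith("#")]  # skip comments
    directives, findings = {}, []
    for line in live:
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value.split(" #")[0].strip())
    tags = [t.rstrip(":") for t in directives.get("$InputFileTag", [])]
    for tag in tags:
        parts = tag.split(".")
        if parts[:2] != ["my", "app"] or "" in parts or len(parts) > 6:
            findings.append(f"tag {tag!r} is not my.app.category.format.cluster.instance")
        elif len(parts) < 4:
            findings.append(f"tag {tag!r} lacks the recommended category and format")
    for wanted in sorted(set(FILTER_RE.findall("\n".join(live)))):
        if wanted not in tags:
            findings.append(f"filter expects {wanted!r} but no $InputFileTag sets it")
    if any("@@" in line for line in live):  # @@ is rsyslog's TCP forwarding action
        missing = [d for d, v in TLS.items() if d not in directives or (v and v not in directives[d])]
        if missing:
            findings.append("TCP forwarding without full TLS section, missing: " + ", ".join(missing))
    return findings

# Constructed sample: the page's uptime example, abridged, SSL section still commented.
SAMPLE = """\
$InputFileTag my.app.uptime.stats.demosrv.dev:
$InputFileStateFile stat-file-myApptTest-log
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
if $syslogtag contains 'my.app.uptime.stats.demosrv.dev' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;myappTest
:syslogtag, contains, "my.app.uptime.stats.demosrv.dev" ~
"""
SECURED = re.sub(r"^#\$", "$", SAMPLE, flags=re.M)  # same file, SSL section uncommented
```

`lint(SAMPLE)` reports the commented SSL section as its only finding, and `lint(SECURED)` returns an empty list.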