Tags that start with my.app identify events generated by unknown sources, usually proprietary technologies or public technologies not yet integrated by Devo.
This means that a formula for parsing the event fields needs to be created so that the data is displayed correctly in Devo. This is done by Devo's Customer Support team. To request a parser for a proprietary or not-yet-supported application, follow the instructions later in this article.
The full tag should have at least four levels and may have up to six. The first two are fixed as my.app. The third and fourth levels are free and should describe the application type and event type respectively. These levels are not required but we strongly recommend that you use them in the interest of better identifying the data collected.
Finally, the fifth and sixth levels are optional and should be used to identify the actual source of the events. For example, if you have several servers running the application and reporting events to Devo, these levels should help identify the actual event source.
|Level 1|Level 2|Level 3|Level 4|Level 5|Level 6|
|---|---|---|---|---|---|
|my|app|free, not required but highly recommended|free, not required but highly recommended|free, not required|free, not required|
The following are examples of possible my.app tags:
For more information on how tags work, see the article about Devo tags.
Requesting support for a new technology
To send log events to Devo from a proprietary technology, or a public technology that's not yet supported by Devo, you'll need to request a new parser.
- Devise a tag naming scheme following the guidelines above. Remember it should have at least four levels including the my.app prefix, and up to six levels if it makes sense for you to identify source systems.
- Collect a small sample of the log events generated by the technology that you want to forward to Devo.
- Send an email to the Devo customer support team describing the technology and providing the proposed tag and the sample log events.
The team will work with you to create the parser required to correctly identify, ingest, and parse the new events. When the parser is ready, you can start to send the events to Devo.
Sending to Devo using file monitoring
There are many possible ways of sending your data to Devo. Our customer support experts will help you determine the best way to send the data. That said, there are some common methods based on the operating system of the machine that hosts the log files.
Using rsyslog in Unix-like environments
You can read more about using rsyslog to monitor and send files to a Devo endpoint in the Sending data to Devo section of our documentation. Here we offer a sample rsyslog configuration file that is set up to monitor the server and boot logs and one access log, and forward them to a Devo In-House Relay.
```
# Load the file input module (needed once; skip if it is already loaded elsewhere)
$ModLoad imfile

$template myFileMonitorTemplate,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"

# File access
$InputFileName /path/to/file.log
$InputFileTag my.app.application.eventtype:
$InputFileStateFile stat-file1-myAppLog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# Enable rsyslog SSL/TLS mode
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector

# Forward the tagged events to the relay, then discard them locally
if $syslogtag contains 'my.app.application' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;myFileMonitorTemplate
:syslogtag, contains, "my.app.application" ~
```
Note the following placeholder values in the sample file above:
- /path/to/file.log should be the absolute path where your log file resides.
- Replace my.app.application.eventtype with the complete tag.
- Replace stat-file1-myAppLog with a unique number that identifies the state file rsyslog uses to keep its place in the log being monitored.
- Replace DEVO-RELAY and PORT with the IP address and port of your Devo Relay.
You can uncomment the SSL section of the file to send the events directly to the Devo Cloud. In this case, you should replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443.
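A pre-deployment check for the configuration described above, as an added example that is not part of Devo's documentation or tooling: it flags sample values left in place, tags that break the four-to-six-level my.app rule, state-file names reused across monitored files, and port 443 targets with the TLS directives still commented out. The function names, the sample paths and the host collector.example.invalid are assumptions made for illustration.

```python
import re

def check_tag(tag):
    """Article's rules: my.app prefix, four to six levels, none empty."""
    tag = tag.rstrip(":")  # tags in the rsyslog sample end with a colon
    levels = tag.split(".")
    problems = []
    if levels[:2] != ["my", "app"]:
        problems.append(f"{tag}: must start with my.app")
    if not 4 <= len(levels) <= 6 or "" in levels:
        problems.append(f"{tag}: needs 4 to 6 non-empty levels")
    return problems

def lint_config(text):
    """Return problems in a legacy-syntax imfile config; commented-out lines are ignored."""
    active = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    pairs = [m.groups() for l in active if (m := re.match(r"\$(\w+)\s+(\S+)", l))]
    values = lambda name: [v for k, v in pairs if k == name]
    problems = [p for tag in values("InputFileTag") for p in check_tag(tag)]
    for name, sample in (("InputFileName", "/path/to/file.log"), ("InputFileTag", "my.app.application.eventtype:")):
        if sample in values(name):
            problems.append(f"{name} still holds the sample value {sample}")
    states = values("InputFileStateFile")
    if len(states) != len(set(states)):
        problems.append("InputFileStateFile values are not unique")
    tls_on = "gtls" in values("DefaultNetstreamDriver") and "1" in values("ActionSendStreamDriverMode")
    for host, port in re.findall(r"@@([^:;\s]+):([^;\s]+)", "\n".join(active)):
        if host == "DEVO-RELAY" or port == "PORT":
            problems.append("forwarding target still holds DEVO-RELAY:PORT")
        if port == "443" and not tls_on:
            problems.append(f"{host}:443 is used but the TLS directives are commented out")
    return problems

# Constructed sample: one state file reused, a 3-level tag, port 443 without TLS.
SAMPLE = """\
$InputFileName /var/log/billing/app.log
$InputFileTag my.app.billing.audit.web01:
$InputFileStateFile stat-file1-myAppLog
$InputFileName /var/log/billing/error.log
$InputFileTag my.app.billing:
$InputFileStateFile stat-file1-myAppLog
#$DefaultNetstreamDriver gtls
#$ActionSendStreamDriverMode 1
if $syslogtag contains 'my.app.billing' then @@collector.example.invalid:443;myFileMonitorTemplate
"""

if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE)))
```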
If the proprietary application or unsupported product generates its log file in text format on a Windows machine, we recommend using the MagicLog component of the Devo Agent for Windows to forward the log events to Devo. You can also use the third-party tool Snare Epilog.