You can forward your logs to New Relic using our infrastructure monitoring agent. This makes all of your logging data available in one location and provides deeper visibility into both your application and your platform performance data.
Forwarding your logs to New Relic will give you enhanced log management capabilities to collect, process, explore, query, and alert on your log data.
Basic process
To forward your logs through our infrastructure monitoring agent:
We are working to integrate log forwarding in the infrastructure agent for ARM architectures. In the meantime, you can follow the steps in the Explorers Hub post.
Configuration files describe which log sources are forwarded. Our infrastructure agent uses .yml files to configure logging. You can add as many config files as you want.
To add a new configuration file for the log forwarding feature:
Navigate to the log forwarder configuration folder:
Create a logging.yml configuration file, and add the parameters you need. The logging.d directory has various .yml.example files you can use as a reference or starting point.
The agent automatically processes new configuration files without having to restart the infrastructure monitoring service. The only exception to this is when configuring a custom Fluent Bit configuration.
Log forwarding parameters
The infrastructure log forwarding .yml config supports the following parameters:
Name (required)
To start, define a name of the log or logs you want to forward to New Relic.
Log source (required)
What you use for the log source will depend on where you want to forward your logs from. Available options include:
Path to the log file or files. The agent tracks changes on the log files in a way similar to tail -f shell.
Example:
logs:
- name: example-log
file: /var/log/example.log # Path to a single log file
- name: example-log-two
file: /var/log/example-two.log # Path to another single log file
The file parameter can point to a specific log file or multiple files by using wildcards applied to names and extensions; for example, /logs/*.log. You can use wildcards in place of directories in a file path, which can be used to tail files located in different directories.
Example:
logs:
- name: docker-logs
file: /var/lib/docker/containers/*/*.log # Path to multiple folders and files
重要
Use of wildcards may significantly increase the number of file descriptors the Fluent Bit process keeps open, which can interfere with log collection if the host's file descriptor limit is reached.
We recommend increasing the file descriptor limit on Linux hosts running Fluent Bit by adding the following to the host's /etc/security/limits.conf file:
root soft nofile 65536
root hard nofile 65536
*soft nofile 65536
*hard nofile 65536
If you add these changes, reboot the host to ensure your changes are applied.
Use the systemd parameter to forward log messages that are collected by the journald daemon in Linux environments. This input type requires the agent to run in root mode.
Example:
logs:
- name: systemd-example
systemd: cupsd
Syslog data source.
Parameters:
uri: Syslog socket. Format varies depending on the protocol:
parser: Syslog parser. Default is rfc3164. Use rfc5424 if your messages include fractional seconds. Note: rfc3164 currently does not work on SuSE.
unix_permissions: default is 0644 for domain sockets; this limits entries to processes running as root. You can use 0666 to listen for non-root processes, at your own risk.
When running the agent in privileged mode, ports and sockets must be available or owned by nri-agent, with 0666 file permissions, so that other processes can write logs to the sockets.
logs:
# TCP network socket
- name: syslog-tcp-test
syslog:
uri: tcp://0.0.0.0:5140 # Use the tcp://LISTEN_ADDRESS:PORT format
parser: rfc5424 # Default syslog parser is rfc3164
# UDP network socket
- name: syslog-udp-test
syslog:
uri: udp://0.0.0.0:6140 # Use the udp://LISTEN_ADDRESS:PORT format
max_line_kb: 35
# Unix TCP domain socket
- name: syslog-unix-tcp-test
syslog:
uri: unix_tcp:///var/unix-tcp-socket-test
unix_permissions: 0666 # Default is 0644. Change at your own risk
# Unix UDP domain socket
- name: syslog-unix-udp-test
syslog:
uri: unix_udp:///var/unix-udp-socket-test
parser: rfc5424
Logs retrieved over TCP connections.
Parameters:
uri: TCP/IP socket to listen for incoming data. The URI format is tcp://LISTEN_ADDRESS:PORT
format: format of the data. It can be json or none.
separator: If format: none is used, you can define a separator string for splitting records (default: \n).
logs:
- name: tcp-simple-test
tcp:
uri: tcp://0.0.0.0:1234 # Use the tcp://LISTEN_ADDRESS:PORT format
format: none # Raw text - this is default for 'tcp'
separator: \t # String for separating raw text entries
max_line_kb: 32
- name: tcp-json-test
tcp:
uri: tcp://0.0.0.0:2345 # Use the tcp://LISTEN_ADDRESS:PORT format
format: json
Collect events from Windows log channels.
Parameters:
channel: name of the channel logs will be collected from.
collect-eventids: a list of Windows Event IDs to be collected and forwarded to New Relic. Event ID ranges are supported.
exclude-eventids: a list of Windows Event IDs to be excluded from collection. Event ID ranges are supported.
All events are collected from the specified channel by default. Configure the collect-eventids and exclude-eventids sections to avoid sending unwanted logs to your New Relic account.
Add event IDs or ranges to collect-eventids or exclude-eventids to forward or drop specific events. exclude-eventids takes precedence over collect-eventids if the same event ID is present in both sections.
Example:
logs:
# Winlog log ingestion with eventId filters.
- name: windows-security
winlog:
channel: Security
collect-eventids:
- 4624
- 4265
- 4700-4800
exclude-eventids:
- 4735
# entries for the application, system, powershell, and SCOM channels
# Entry for IIS logs with logtype attribute for automatic parsing
- name: iis-log
file: C:\inetpub\logs\LogFiles\w3svc.log
attributes:
logtype: iis_w3c
Optional configuration
The following configuration parameters are not required but are still recommended.
List of custom attributes specified as key-value pairs that can be used to send additional data with the logs which you can then query. The attributes configuration parameter can be used with any log source.
One common use of the attributes configuration parameter is to specify the logtype attribute. This attribute allows leveraging one of the built-in parsing rules supported by New Relic Logs.
Example:
logs:
- name: example-file-attributes
file: /var/log/example.log
attributes:
logtype: nginx
region: example-us-02
team: A-team
- name: example-tcp-attributes
tcp:
uri: tcp://0.0.0.0:2345
format: json
attributes:
logtype: nginx
region: example-us-02
team: B-team
The infrastructure agent automatically inserts log attributes for your convenience. Some of them are inserted for any log record, while others depend on the configuration parameters you used while setting up the log forwarder.
Attribute name
Description
entity.guids
Always inserted.
The infrastructure agent inserts the Entity GUID assigned by New Relic to identify the host where it's running. It is available in the entity.guids field.
Note: If the captured logs belong to an application instrumented using APM, the entity.guids field contains both the entity GUID of infrastructure, as well as the GUID of APM, separated by a pipe ( | ) delimiter.
fb.input
Always inserted.
The underlying Fluent Bit input plugin type used to capture the logs. Currently its values are tail, systemd, winlog, syslog, and tcp.
filePath
Inserted when sing the file input type.
Absolute file path of the file being monitored.
hostname
Always inserted.
The hostname of the machine/VM/container executing the infrastructure agent.
plugin.type
Always inserted.
Indicates the utility used to capture the logs. In this case, it is the infrastructure agent itself, so this attribute always has the value nri-agent.
Regular expression for filtering records. Only supported for the tail, systemd, syslog, and tcp (only with format none) sources.
This field works in a way similar to grep -E in Unix systems. For example, for a given file being captured, you can filter for records containing either WARN or ERROR using:
Maximum size of log entries/lines in KB. If log entries exceed the limit, they are skipped. Default is 128.
External Fluent Bit configuration and parser files. If defined, they are merged with the existing configuration and parser files generated by the infrastructure agent.
The infrastructure agent processes the configuration files located in the logging.d directory and will generate a run-time Fluent Bit configuration file that contains the appropriate [INPUT], [FILTER] and [OUTPUT] sections. Optionally, it will also declare an @INCLUDE in case you provided an external Fluent Bit configuration file via the fluentbit option.
The runtime file does not define a [SERVICE] section, leaving all default Fluent Bit configuration values. You can still override Fluent Bit's default settings by defining your own [SERVICE] section in your external Fluent Bit configuration file and include it via the fluentbit option.
Parameters:
config_file: path to an existing Fluent Bit configuration file. Note that any overlapping source results in duplicate messages in New Relic Logs.
parsers_file: path to an existing Fluent Bit parsers file. The following parser names are reserved: rfc3164, rfc3164-local and rfc5424.
# Remember to only use spaces for indentation
logs:
# Example of 'file' source
- name: file-with-attributes
file: /var/log/test.log # Path to a single file or pattern
attributes: # You can use custom attributes to enrich your data
logtype: nginx
team: The A Team
pattern: Error # Regular expression to filter log entries
# Example of 'systemd' source (Linux only)
- name: systemd-example
systemd: cupsd
# Examples of 'syslog' source, one per protocol
# TCP network socket
- name: syslog-tcp-test
syslog:
uri: tcp://0.0.0.0:5140 # Use the tcp://LISTEN_ADDRESS:PORT format
parser: rfc5424 # Default syslog parser is rfc3164
# UDP network socket
- name: syslog-udp-test
syslog:
uri: udp://0.0.0.0:6140 # Use the udp://LISTEN_ADDRESS:PORT format
max_line_kb: 35
# Paths for Unix sockets are defined by combining protocol and path:
# unix_udp:// + /path/socket - for example, unix_udp:///tmp/socket
# Unix TCP domain socket
- name: syslog-unix-tcp-test
syslog:
uri: unix_tcp:///var/unix-tcp-socket-test
unix_permissions: 0666 # Default is 0644. Change at your own risk
# Unix UDP domain socket
- name: syslog-unix-udp-test
syslog:
uri: unix_udp:///var/unix-udp-socket-test
parser: rfc5424
# Examples of 'tcp' source for formats 'none' and 'json'
- name: tcp-simple-test
tcp:
uri: tcp://0.0.0.0:1234 # Use the tcp://LISTEN_ADDRESS:PORT format
format: none # Raw text - this is default for 'tcp'
separator: \t # String for separating raw text entries
attributes: # You can add custom attributes to any source of logs
tcpFormat: none
someOtherAttribute: associatedValue
max_line_kb: 32
- name: tcp-json-test
tcp:
uri: tcp://0.0.0.0:2345 # Use the tcp://LISTEN_ADDRESS:PORT format
format: json
attributes:
tcpFormat: json
yetAnotherAttribute: 12345
# Example of Fluent Bit configuration import
- name: fluentbit-import
fluentbit:
config_file: /path/to/fluentbit.config
parsers_file: /path/to/fluentbit/parsers.conf
View your log data
If everything is configured correctly and your data is being collected, you should see logs data in both of these places:
The log forwarding feature requires the agent to have permission to read the data sources. When running the infrastructure agent in privileged or non-privileged modes, make sure that the log files you want to forward (and any intermediary directory in its path) are readable by the user running nri-agent.
Example: Check file access under Linux
Let's check whether the file /var/log/restrictedLogs/logFile.log can be monitored by the nri-agent user. In Linux, you can do a quick check with the namei command:
This command failed because the file is not visible to the nri-agent user. By inspecting the previous output, we can detect that the restrictedLogs directory is missing the execution flag for others.
The file is now visible to the nri-agent user. You must ensure that the file is also readable by the nri-agent user. To check this, use:
# sudo -u nri-agent head /var/log/restrictedLogs/logFile.log
head: cannot open '/var/log/restrictedLogs/logFile.log' for reading: Permission denied
In this example, the file is missing the read rights for the others group (users other than vagrant and the vagrant user group). You could fix this by granting read permissions to others, but the application could change these permissions upon restart.
To avoid this, a better approach is to add the nri-agent user to the vagrant user group.
The log forwarding feature requires that the agent has permission to read the data sources. When running the infrastructure agent in privileged or non-privileged modes:
If you're using Unix domain socket files, make sure that the nri-agent user can access these files (please refer to the previous section) and that they have read and write permissions (666) so that other users than nri-agent can write to them.
If you're using IP sockets, ensure that the port that you are using is not a system reserved one (like port 80, for example).
As explained in the infrastructure agent configuration guidelines, the proxy parameter must use either HTTP or HTTPS and be in the form https://user:password@hostname:port. The agent can parse the parameter without the HTTP or HTTPS, but the log forwarder cannot. You will see an error like the following in the agent verbose logs:
[ERROR] building HTTP transport: parse \"hostname:port\":
first path segment in URL cannot contain colon
To solve this problem, check your newrelic-infra.yml file, and ensure the proxy parameter adheres to this form.
If you're using caBundleFile or caBundleDir in order to specify any certificate, we recommend to follow the below rules for each OS:
Linux
For HTTP proxies you don't need to setup any certificates. The plugin loads the system certificates and New Relic sends logs into the logging endpoint. However, you can specify the proxy self-signed certificate (PEM file) using either the caBundleFile or caBundleDir parameters.
Windows
For HTTP proxies you don't need to setup any certificates. The plugin loads the system certificates.
For HTTPS, you can configure it in one of the following ways:
Import the proxy certificate to the system pool (Recommended)
Import the proxy self-signed certificate (PEM file) by using the MMC tool. Refer to this link, and in Step 2 ensure to import it in your Trusted Root Certification Authorities, instead of in the Intermediate Certification Authorities.
Using the caBundleFile and caBundleDir parameters
On Windows, we cannot load both the certificates from the system certificate pool and the ones specified with the caBundleFilecaBundleDir parameters. So, if you are using caBundleFile or caBundleDir, ensure that the following certificates are placed in the same PEM file (when using caBundleFile) or in the same directory (when using caBundleDir):
The Proxy certificate (because it's an HTTPS proxy).
The Logging Endpoint certificate (eg. https://log-api.newrelic.com/log/v1).
The Infrastructure Agent certificate (eg. https://infra-api.newrelic.com).
You can configure the infrastructure agent to send its own logs to New Relic. This is useful for troubleshooting issues with log forwarding, the agent, or when contacting support.
To forward the infrastructure agent logs to New Relic:
Edit your newrelic-infra.yml file.
Enable agent logging in troubleshooting mode by adding verbose: 3.
On Windows and systems that don't use systemd or where journald is inaccessible, verbose:3 causes the agent to write the logs on the disk. Revert to verbose:0 to prevent this.
(Recommended): Enable agent logging in JSON format to log_format: json.
This configuration sets up the agent in troubleshooting mode, but the log forwarder (based on Fluent Bit) will continue in a non-verbose mode.
Sometimes you can have issues with the log forwarder itself. For example, there may be problems accessing a specific channel when shipping Windows log events or when accessing a particular log file. In these situations, you can also enable the verbose mode for the log forwarder:
Set verbose to a value other than 0.
Add the configuration option: trace: ["log.fw"].
注意
Check whether you are using the [fluentbit] option. When setting verbose: 3andtrace: ["log.fw"], ensure that you don't define any [OUTPUT] section pointing to stdout in an external Fluent Bit configuration file,
重要
Fluent Bit's tail plugin does not support network drives.
For Linux versions prior to 2016, you may need to update the OpenSSL library to 1.1.0 (or higher). To check if you have this problem:
See if infra-agent has started Fluent Bit by running:
ps -aux | grep fluent-bi
If it isn't running go to /var/db/newrelic-infra/newrelic-integrations/logging and run:
./fluent-bit -i systemd -o stdout
If you get the following error, update OpenSSL to 1.1.0 or higher:
error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
One of the following error messages may appear when enabling log forwarding on Windows:
The code execution cannot proceed because VCRUNTIME140.dll was not found.
OR
error="exit status 3221225781" process=log-forwarder
To uninstall log forwarding capabilities, go to your logging.d directory, and remove files with the .yml extension that were originally added during the configuration process.