opEvents enables you to design a centralized logging system for the purposes of issue management, compliance, audit, etc. While designing the logging system, you can determine the devices and applications that can send the logs, the protocols that should be used for sending them, and the severity levels of the events that should be logged.

You can also configure Archive Logging in opEvents to archive the specific log entries you require, for any length of time (to learn how to configure and activate purging policies, see Purging of old data in opEvents).

This document describes how to enable and configure the Archive Logging feature and how to view the archived logs on the opEvents page.

This feature works only with the log files that opEvents is tailing as configured under `opevents_logs` in `opCommon.json`. Log entries created through the API or CLI are not archived.

Enabling the Feature

To enable the Archive Logging feature, open the `opCommon.json` file and set the configuration option `log_archive_enabled` to `true`.

If the option is set to anything but `false`, the script will start archiving log entries.

Configuring the Archive Logs Rules

To configure the Archive Logging feature:

  1. Open the configuration file `EventListRules.json` at `/usr/local/omk/conf/`.
  2. Under the `archiveList` block, define the rules, each with two keys (see the illustration below):
    • `archive` - the name opEvents gives the archive; it is recorded in the `archive` key of every log line the rule matches
    • `regex` - a Perl-style regular expression used to match log entries

      /usr/local/omk/conf/EventListRules.json
      "archiveList" : {
         "30" : {
            "regex" : "Node (Up|Down)",
            "archive" : "NodeEvents"
         },
         "20" : {
            "archive" : "SoftwareErrorArchive",
            "regex" : "INVMEMINT|MALLOCFAIL"
         },
         "10" : {
            "archive" : "SyslogArchive",
            "regex" : "SYS-[0123]-\\w+"
         }
      }

      The rules are processed in the sorted order of their keys; for instance, rule 10 runs before rule 20.

  3. In `opCommon.json`, specify how long the archived logs should be retained:

      "opevents_archivelogs_purge_older_than" : "365d"
  4. Save both files.

Each tailed log entry is matched against the regex of every rule; on a match, the entry is added to a temporary list, and the entries from this list are then inserted into the database.

Each matched log line is saved into the opEvents MongoDB database with the following keys:

  • `time` (current time of the opEvents server)
  • `type` (name of the log tailer from `opevents_logs`)
  • `archive` (name of the rule that archived this log line)
  • `entry` (the raw one-line entry that opEvents read)

Note that a single log entry can be archived into multiple archives if it matches several rules.
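The following Python script is an added illustration (not opEvents code) of the rule processing and record format described above: it loads the `archiveList` fragment shown earlier, orders the rules by numeric key, matches constructed log lines against each rule so that one line can land in several archives, builds records with the `time`, `type`, `archive` and `entry` keys, and applies a `365d` retention. The tailer name `cisco_syslog`, the sample lines and the fixed clock are constructed for the demo.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the archiveList block from EventListRules.json, wrapped in an
# object so the fragment parses on its own.
RULES_JSON = r"""{"archiveList": {
    "30": {"regex": "Node (Up|Down)", "archive": "NodeEvents"},
    "20": {"archive": "SoftwareErrorArchive", "regex": "INVMEMINT|MALLOCFAIL"},
    "10": {"archive": "SyslogArchive", "regex": "SYS-[0123]-\\w+"}
}}"""

# Constructed log lines, as a tailer named "cisco_syslog" might deliver them.
SAMPLE_LINES = [
    "%SYS-2-MALLOCFAIL: Memory allocation of 4096 bytes failed",
    "Node Down: core-sw1 is unreachable",
    "Interface Gi0/1 changed state to up",
]
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def load_rules(rules_json):
    """Return (key, archive, compiled regex) ordered by numeric key: rule 10 runs before 20."""
    archive_list = json.loads(rules_json)["archiveList"]
    return [(k, archive_list[k]["archive"], re.compile(archive_list[k]["regex"]))
            for k in sorted(archive_list, key=int)]


def archive_line(rules, log_type, entry, now):
    """Match one tailed line against every rule; several matches give several records."""
    return [{"time": now, "type": log_type, "archive": archive, "entry": entry}
            for _key, archive, pattern in rules if pattern.search(entry)]


def parse_retention(value):
    """Parse opevents_archivelogs_purge_older_than, e.g. '365d' (only the day suffix is handled)."""
    m = re.fullmatch(r"(\d+)d", value)
    if not m:
        raise ValueError(f"unsupported retention value: {value!r}")
    return timedelta(days=int(m.group(1)))


def purge_expired(records, retention_value, now):
    """Keep only records no older than the configured retention, relative to now."""
    cutoff = now - parse_retention(retention_value)
    return [r for r in records if r["time"] >= cutoff]


def run_demo():
    """Archive the sample lines and report which archives each one landed in."""
    rules = load_rules(RULES_JSON)
    return {line: [r["archive"] for r in archive_line(rules, "cisco_syslog", line, NOW)]
            for line in SAMPLE_LINES}
```

The first sample line matches both rule 10 and rule 20, so it is stored twice, once per archive, in key order.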

To view the archived logs, go to the opEvents page and click Views > Archive Logs.
