The Logsnarf configuration file
General
Logsnarf looks in XDG_CONFIG_DIRS for configuration files by default, named {RESOURCE_NAME}.ini, with a default resource name of ‘logsnarf’. So a user configuration will, by default, be (on Linux) ~/.config/logsnarf/logsnarf.ini.
The same directories are searched for a logging.ini, which should be a logging.config.fileConfig() configuration. If no file is found, logging.basicConfig() is called with no arguments.
Within the logsnarf config file there must be a logsnarf section with an apps entry. This should contain a list of sections where the various apps are configured.
An app is a combination of directories watched and BigQuery upload information. If you’re configuring multiple apps, you can also use the [DEFAULT] section to provide defaults for these (e.g. upload credentials).
Example
An example configuration file:
[DEFAULT]
project_number=<your google project number>
service_email=<service account email address>
dataset=logging
keyfile=key.p12
default_domain=my.domain
max_buffer=2000
batchsize=400
[logsnarf]
apps=app1, app2
threadpool_size=20
[app1]
table_name_schema=syslog_{YEAR}{MONTH}{DAY}
directories=["/var/log/syslog/hosts"]
recursive=True
pattern=(syslog|.*\.log$)
schema=syslog_schema.json
[app2]
table_name_fmt=apache_{YEAR}{MONTH}{DAY}
directories=["/var/log/apache"]
recursive=False
pattern=(access|error)\.log$
In this example schema_file for app2 would be app2_schema.json. The state files would be app1_state.json and app2_state.json (using the defaults and ConfigParser interpolation).
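A pre-deployment check for the rules above, as an added example that is not part of Logsnarf: it confirms that [logsnarf] has an apps entry, that every listed app has its own section, that directories and pattern parse, and it derives the per-app default file names. It assumes directories is a JSON list as in the example and runs on Python 3's configparser; the function name check_config and the state_file result key are hypothetical.

```python
import configparser
import json
import re

# Constructed sample modelled on the example above; app2 and app3 are broken on purpose.
SAMPLE = r"""
[DEFAULT]
keyfile=key.p12
[logsnarf]
apps=app1, app2, app3
[app1]
directories=["/var/log/syslog/hosts"]
pattern=(syslog|.*\.log$)
[app2]
directories=/var/log/apache
pattern=(access|error\.log$
"""

def check_config(text):
    """Return (resolved, problems) for a logsnarf-style ini document."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_option("logsnarf", "apps"):
        return {}, ["missing [logsnarf] section with an apps entry"]
    resolved, problems = {}, []
    for name in filter(None, (a.strip() for a in cfg.get("logsnarf", "apps").split(","))):
        if not cfg.has_section(name):
            problems.append(f"{name}: listed in apps but has no section")
            continue
        app, errors = cfg[name], []
        try:  # assumption: directories is a JSON list of strings, as in the example
            dirs = json.loads(app.get("directories", "[]"))
            if not (isinstance(dirs, list) and all(isinstance(d, str) for d in dirs)):
                raise ValueError("not a list of strings")
        except ValueError as exc:
            errors.append(f"{name}: bad directories value ({exc})")
        try:
            re.compile(app.get("pattern", ""))
        except re.error as exc:
            errors.append(f"{name}: pattern does not compile ({exc})")
        problems.extend(errors)
        if not errors:
            # Python 3's configparser has no __name__ key, so the section name is used directly.
            resolved[name] = {
                "directories": dirs,
                "keyfile": app.get("keyfile"),  # inherited from [DEFAULT]
                "schema_file": app.get("schema_file", f"{name}_schema.json"),
                "state_file": f"{name}_state.json",  # hypothetical result key
            }
    return resolved, problems
```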
Configuration file fields
Where %(value)s is listed in a default, it uses ConfigParser.SafeConfigParser interpolation. __name__ in this case refers to the section name.
logsnarf section
- apps: list of sections with app configurations
- threadpool_size: default value: 30. Size to set the Twisted threadpool to. Logsnarf does most uploads and some other table operations in threads.
App sections
Fields in an app section are
Other
- default_domain: used by additional verifiers, to insert a domain on non-qualified hostnames in ‘host’, ‘src.host’, or ‘dst.host’ fields