
Overview

XIMP collects logs from all registered nodes via file-based collection and syslog forwarding. Centralized log data flows into the log index for full-text search and alert-based detection. This page covers configuring log sources and troubleshooting ingestion issues.

Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Prerequisites

  • Administrator credentials with the admin role
  • XIMP agents deployed on target nodes (see Agent Configuration)

Configuring Log Sources

View configured log sources

Navigate to Monitoring → Administration → Log Sources. Each log source defines a file path pattern, the node scope it applies to, and the expected format.

Add a log source

Click Add Log Source and provide:

| Field | Description |
|---|---|
| Path Pattern | Glob pattern for the log file (e.g., /var/log/nova/*.log) |
| Node Selector | Applies this source to nodes matching the label (e.g., role=compute) |
| Format | json, plain, or multiline (for stack traces) |
| Service Label | Tag applied to all ingested events for filtering |

Verify ingestion

After saving, navigate to Monitoring → Logs → Log Explorer and filter by the new service label. Entries should appear within the configured scrape interval.
Log events appear in Log Explorer with correct service label and timestamp.

Syslog Forwarding

Services that write to syslog rather than log files can forward directly to XIMP’s syslog receiver.

Configure rsyslog forwarding

Add a forwarding rule to /etc/rsyslog.d/99-ximp.conf on the source node:
/etc/rsyslog.d/99-ximp.conf
# Forward all facility/severity combinations to XIMP via TCP
*.* @@ximp.xloud.internal:5140
Use TCP forwarding (@@) for reliable delivery. UDP forwarding (@) may drop messages under high log volume and is not recommended for production.

Reload rsyslog

Reload rsyslog
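# rsyslog reads its configuration only at startup; a reload (SIGHUP) does not pick up the new rule
systemctl restart rsyslog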

Verify ingestion

Navigate to Monitoring → Logs → Log Explorer and filter by service:syslog and the source hostname. Entries should appear within 60 seconds.
Syslog events appear in Log Explorer with correct host and timestamp.

Log Format Parsers

Configure parsers for structured log formats to enable field-level filtering in Log Analytics:

| Format | Configuration | Notes |
|---|---|---|
| json | Automatic | Fields extracted automatically from JSON keys |
| plain | Default | Full-text search only; no structured field extraction |
| multiline | Requires pattern | Stack traces and multi-line entries joined before indexing |

For multiline logs (Java stack traces, Python tracebacks):
Multiline log source configuration
sources:
  - path: /var/log/app/*.log
    format: multiline
    multiline:
      start_pattern: "^[0-9]{4}-[0-9]{2}-[0-9]{2}"
      negate: false
      match: after
    labels:
      service: app-service
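
To check a start_pattern against a sample of the real log before saving the source, the following added example (not XIMP code) joins lines the way the multiline format is described above. It assumes a line matching start_pattern opens a new entry and non-matching lines are appended to it; join_multiline, max_lines and the sample log are constructed for illustration.

```python
import re

# start_pattern copied from the multiline source configuration above
START_PATTERN = r"^[0-9]{4}-[0-9]{2}-[0-9]{2}"

# Constructed sample log: three entries, the second carrying a Python traceback
SAMPLE = """\
2024-05-01 12:00:00 INFO worker started
2024-05-01 12:00:01 ERROR request failed
Traceback (most recent call last):
  File "/opt/app/handler.py", line 42, in handle
    result = compute(payload)
ValueError: bad payload
2024-05-01 12:00:02 INFO worker stopped
"""


def join_multiline(lines, start_pattern, max_lines=500):
    """Group raw lines into events; return (events, orphans).

    Assumed semantics (not taken from XIMP itself): a line matching
    start_pattern opens a new event and following non-matching lines are
    appended to it. Lines seen before the first match are returned as
    orphans so a wrong pattern is visible rather than silently merged.
    max_lines is a hypothetical cap that splits runaway events.
    """
    start = re.compile(start_pattern)
    events, orphans, current = [], [], None
    for raw in lines:
        line = raw.rstrip("\n")
        if start.search(line):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current is None:
            orphans.append(line)
        else:
            if len(current) >= max_lines:
                events.append("\n".join(current))
                current = []
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events, orphans


if __name__ == "__main__":
    events, orphans = join_multiline(SAMPLE.splitlines(), START_PATTERN)
    print(f"{len(events)} events, {len(orphans)} orphan lines")
```

A pattern that leaves every line in orphans, or produces one event per physical line of a traceback, does not match the timestamp format the service actually writes.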

Next Steps

Agent Configuration

Deploy agents that run the log collection defined here

Retention Policies

Configure how long collected log data is retained

Log Analytics (User Guide)

How tenants query and create alerts from the logs you’ve configured

Troubleshooting

Diagnose log ingestion backlogs and missing log data