Overview

XIMP aggregates log streams from all registered infrastructure nodes and services into a centralized, searchable index. Log Analytics lets you query events across your entire environment with full-text search, structured field filtering, and anomaly detection — from a single interface.
Prerequisites

Searching Logs

Open Log Explorer

Navigate to Monitoring → Logs → Log Explorer.

Search and filter

Use the query bar at the top to filter log entries:
| Filter | Syntax example |
|---|---|
| By host | `host:compute-node-01` |
| By service | `service:nova-compute` |
| By severity | `level:ERROR` |
| Full-text | `"connection refused"` |
| Combined | `host:xd1 level:ERROR service:nova*` |
Use the Add Filter panel on the left to build queries visually. The query bar updates automatically as filters are applied.

Adjust the time range

Use the time picker to scope your search. For incident investigation, set an exact range spanning the incident window to avoid scrolling through unrelated events.

Log-Based Alert Rules

Create alerts that fire whenever a log entry matching a query appears.

Open Log Explorer

Navigate to Monitoring → Logs → Log Explorer and build the query that should trigger an alert.

Create alert from query

Click Create Alert in the Log Explorer toolbar.
| Field | Description |
|---|---|
| Name | Descriptive alert name |
| Query | The log search query (pre-filled from Log Explorer) |
| Condition | At least N occurrences within M minutes |
| Severity | Critical, Warning, or Info |
| Channels | Notification channels to alert |
Log-based alerts have a minimum evaluation interval of 1 minute. For near-real-time security event detection, use the Security and IDS module which processes events with sub-minute latency.

Save and verify

Click Save. The rule activates and evaluates the log query on each collection cycle.
The alert rule appears in Monitoring → Alerting → Alert Rules with type Log.

Useful Query Patterns

| Query | Use |
|---|---|
| `level:ERROR` | Set time range to “Last 1h” in the time picker. |
| `service:keystone "authentication failed"` | Use this for security auditing and failed login detection. |
| `"Out of memory" OR "oom-kill" OR "kernel: Killed process"` | Identifies instances where the kernel killed processes due to memory pressure. |
| `"I/O error" OR "EXT4-fs error" OR "blk_update_request" level:ERROR` | Surfaces disk-level errors that may indicate failing storage devices. |
| `"Connection refused" OR "ECONNREFUSED" level:ERROR` | Identifies services that are failing to connect to their dependencies. |
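To make the query syntax from the Search and filter table and the "at least N occurrences within M minutes" alert condition concrete, here is an added Python example (not XIMP's own code) that evaluates the query patterns above against constructed log records. It assumes that `field:value` terms accept `*` wildcards, that quoted phrases are case-insensitive full-text matches on the message, that `OR` binds tighter than the implicit AND between terms, and that the alert condition is a sliding time window; none of these are documented XIMP behaviour.

```python
# Added example: evaluate Log Explorer-style queries over log records and
# apply an "at least N occurrences within M minutes" alert condition.
# Assumed grammar: field:value with '*' wildcards, quoted full-text phrases,
# OR between terms binding tighter than the implicit AND between groups.
import re
import shlex
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

def _term_matches(term: str, rec: dict) -> bool:
    # field:value matches a structured field; anything else is full-text.
    m = re.fullmatch(r"(\w+):(.+)", term)
    if m and m.group(1) in rec:
        return fnmatchcase(str(rec[m.group(1)]), m.group(2))
    return term.lower() in rec["message"].lower()

def query_matches(query: str, rec: dict) -> bool:
    # shlex keeps quoted phrases as one token; terms joined by OR form a
    # group, and every group must match (implicit AND between groups).
    groups, join_next = [], False
    for tok in shlex.split(query):
        if tok == "OR":
            join_next = True
            continue
        if join_next and groups:
            groups[-1].append(tok)
        else:
            groups.append([tok])
        join_next = False
    return all(any(_term_matches(t, rec) for t in g) for g in groups)

def alert_fires(query: str, records: list, min_count: int, window_minutes: int) -> bool:
    # Assumed sliding window: fire if any span of window_minutes holds min_count hits.
    hits = sorted(r["ts"] for r in records if query_matches(query, r))
    window = timedelta(minutes=window_minutes)
    return any(hits[i + min_count - 1] - hits[i] <= window
               for i in range(len(hits) - min_count + 1))

def _rec(ts, host, service, level, message):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "service": service, "level": level, "message": message}

SAMPLE_LOGS = [  # constructed sample records, not real XIMP data
    _rec("2024-05-01T10:00:05", "compute-node-01", "nova-compute", "ERROR", "Connection refused to rabbitmq:5672"),
    _rec("2024-05-01T10:00:40", "compute-node-01", "nova-api", "ERROR", "ECONNREFUSED talking to placement"),
    _rec("2024-05-01T10:01:10", "xd1", "keystone", "WARNING", "authentication failed for user demo"),
    _rec("2024-05-01T10:20:00", "xd1", "nova-scheduler", "ERROR", "Out of memory"),
]
```

Running the connection-refused pattern from the table over `SAMPLE_LOGS` with a condition of 2 occurrences within 5 minutes fires, while 3 within 5 minutes does not, which is the distinction the Condition field encodes.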

Next Steps

Metrics & Alerts

Combine log-based alerts with metric thresholds for comprehensive coverage

XIMP Admin — Log Collection

Configure log source paths and syslog forwarding (administrator)

Network Monitoring

Analyze network traffic alongside log events for incident correlation

Troubleshooting

Diagnose missing or delayed log ingestion