Logyard Drain Examples

Detailed instructions on how to use drains with third party log analysis software or services:

• Papertrail
• Loggly
• Splunk

Note

Do not forward both application and system logs to the same destination.

Papertrail

1. Create an account for Papertrail
2. In the Dashboard screen, click Add Systems.

3. In the Setup Systems screen under Other log methods, click Alternatives.

4. Choose option C: My system's hostname changes and give it a suitable name.

5. Note down the port number. You need this later on.

Application Logging

Enable application logging (via udp) by executing the following client command:

stackato drain add drain-name udp://logs.papertrailapp.com:port#

System Logging

Enable system logging (via udp) by executing the following kato command:

kato log drain add drain-name udp://logs.papertrailapp.com:port#

Loggly

1. Create an account for Loggly
2. Under Incoming Data tab, click Add Input.

3. In the Add Input screen:

• Choose Syslog UDP or TCP
• Choose Combination Log Type
• [Optional] For JSON Logging, Choose UDP or TCP with Stripe and enable JSON Logging. (for system logs)

4. If we want to accept logs from any Stackato nodes or applications modify Allowed Devices section:

• Click Add device

• Add IP Address 0.0.0.0/0 when prompted

5. Turn off discovery since we allowed all devices. Also, note down the port number.

Application Logging

Enable application logging by executing the following client command:

stackato drain add drain-name udp://logs.loggly.com:port#

OR

stackato drain add drain-name tcp://logs.loggly.com:port#

System Logging

Enable system logging by executing the following kato command:

kato log drain add drain-name udp://logs.loggly.com:port#

OR

kato log drain add drain-name tcp://logs.loggly.com:port#

Loggly supports JSON format with minor configuration changes shown above.

Enable system JSON logging by executing the following kato command:

kato log drain add --format json drain-name tcp://logs.loggly.com:port#

Splunk

1. Setup Splunk Server.
2. In the welcome screen, click Add data

3. Under Choose a Data Source, click “From a TCP port”. (or UDP)

4. In the Add new Source screen:

• Select a TCP/UDP port greater than 9999
• Give it a suitable Source name.
• Set sourcetype to Manual
• Leave Source Type empty

Application Logging

Enable application logging by executing the following client command:

stackato drain add drain-name udp://splunk-server-address:port#

OR

stackato drain add drain-name tcp://splunk-server-address:port#

System Logging

Enable system logging by executing the following kato command:

kato log drain add drain-name udp://splunk-server-address:port#

OR

kato log drain add drain-name tcp://splunk-server-address:port#

Splunk supports JSON format without further configuration.

Enable system JSON logging by executing the following kato command:

kato log drain add --format json drain-name tcp://splunk-server-address:port#

Hello World Custom Drain

The command below starts a drain target server on a node, piping to a local file:

nc -lk 0.0.0.0 10000 > log-output.txt

As long as that nc command runs, this will funnel logs from all drains targeting it into the file log-output.txt

Application Logging

Enable application logging by executing the following client command:

stackato drain add drain-name udp://server-address:port#

OR

stackato drain add drain-name tcp://server-address:port#

System Logging

Enable system logging by executing the following kato command:

kato log drain add drain-name udp://server-address:port#

OR

kato log drain add drain-name tcp://server-address:port#