Enriching logs

A log message is a wealth of information for an operator. It helps in troubleshooting an issue and finding the root cause.

Log enrichment adds meaningful information to log messages, which makes search and analysis easier and more useful. Enriched logs visualize better and bring out useful information and statistics. For example, you can enrich IPAddress, a field in logs, with geographical information such as city, country code, longitude, and latitude that you fetch from a GeoIP server. BMC Helix Log Analytics adds these additional details in real time.

BMC Helix Log Analytics enables you to enrich logs from the following sources:

  • CSV files
  • DNS
  • GeoIP
  • LDAP

The following video (2:26) shows a high-level summary of the enrichment feature in BMC Helix Log Analytics.

https://youtu.be/rA0uVwiXnXI

As an administrator, enrich logs by following these steps. Each step names the reference topic that describes it in detail.

Step 1: Plan enrichment

Plan log enrichment based on the following information:

  • Data that you are getting in the logs
  • Type of enrichment required for the logs
  • Source to enrich the logs

For example, by using the IPAddress field in the logs, you might want to enrich the logs with geographical information (such as city, zip code, and so on) by connecting to your GeoIP server and getting the relevant information.

To plan enrichment better, understand how enrichment is applied to logs based on the precedence, conditions, and enrichment sources configured in an enrichment policy.

Reference: How log enrichment works

Step 2: Add enrichment sources

Based on the enrichment that you want to add to logs, add the source that will enrich the logs. You need the following information to add an enrichment source:

  • Details to connect to the source, such as server name, credentials, and so on
  • Fields in the logs based on which you want to enrich
  • Fields in the enrichment source that would enrich the logs

For the IPAddress example, the source that enriches the field is the GeoIP server of your organization.

Reference: Adding enrichment sources

Step 3: Add enrichment policy

An enrichment policy defines the condition that triggers enrichment and applies the enrichment source to logs.

For example, you enrich the IPAddress field with geographical details when server == 11.0.1.111.

Reference: Creating enrichment policies
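As an added example that is not part of this documentation or of the BMC product, the following Python model walks through the three steps above: a constructed CSV enrichment source keyed on an IP address, two policies that differ only in precedence and condition (the server == 11.0.1.111 condition is the page's own), and the lookup that adds the source's fields to each log record. The policy shape, the "lower precedence value runs first" and "first matching policy wins" rules, and all sample data are assumptions made here to illustrate the concept.

```python
import csv
import io

# Constructed CSV enrichment source: "ip" is the key field, the remaining
# columns are the fields added to a matching log record.
GEO_CSV = """ip,city,country_code,latitude,longitude
11.0.1.111,Pune,IN,18.5204,73.8567
203.0.113.7,Houston,US,29.7604,-95.3698
"""

def load_csv_source(text, key_field):
    """Build a lookup {key value -> enrichment fields} from CSV text."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table[row.pop(key_field)] = row
    return table

GEO_SOURCE = load_csv_source(GEO_CSV, "ip")
# Assumed policy shape: precedence (lower is evaluated first), a condition on
# the raw record, the log field used as lookup key, and the source to use.
POLICIES = [
    {"name": "geo-for-prod", "precedence": 10,
     "condition": lambda rec: rec.get("server") == "11.0.1.111",
     "log_field": "IPAddress", "source": GEO_SOURCE},
    {"name": "geo-any", "precedence": 20,
     "condition": lambda rec: "IPAddress" in rec,
     "log_field": "IPAddress", "source": GEO_SOURCE},
]

def enrich(record, policies=POLICIES):
    """Copy of record enriched by the first policy, in precedence order, whose
    condition holds and whose source has the key (first match wins: assumed)."""
    out = dict(record)
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if not policy["condition"](record):
            continue
        extra = policy["source"].get(record.get(policy["log_field"]))
        if extra is None:
            continue  # condition matched but no row for this key: try next
        out.update(extra)
        out["enriched_by"] = policy["name"]
        break
    return out
# Constructed sample log records (TEST-NET addresses plus the page's own IP).
SAMPLE_LOGS = [
    {"server": "11.0.1.111", "IPAddress": "11.0.1.111", "msg": "login ok"},
    {"server": "web-02", "IPAddress": "203.0.113.7", "msg": "login failed"},
    {"server": "web-03", "IPAddress": "198.51.100.9", "msg": "timeout"},
]
```

The third sample record shows the case planning should account for: the policy condition matches but the source has no row for the key, so the record passes through unchanged rather than receiving empty fields.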