Receive over TCP/UDP

You can create a data collector to configure a TCP/UDP socket.

Note

The HOST field is not displayed on the Search tab for data collected over a TCP/UDP connection (by default).

However, if the data pattern used for collecting data includes the HOST field, then it is displayed and available for search.

This topic contains the following information:

Related topics

Where to find more information

Managing-data-collectors

Creating-data-collectors

Known-and-corrected-issues

To receive data over a TCP or UDP connection

  1. Navigate to Administration > Data Collectors > Add Data Collector Plus icon.jpg.
  2. In the Name box, provide a unique name to identify this data collector.
  3. From the Type list, select Receive over TCP/UDP.

  4. Provide the following information, as appropriate:

    Field

    Description

    Target/Collection Host

    Collection Host (Agent)

    Failed to execute the [excerpt-include] macro. Cause: [Error number 2 in 0: No wiki with id [confluencePage:page] could be found]. Click on this message for details.

    Note: For this type of data collector, the target host and collection host are expected to have different values.

    Collector Inputs (Note that data becomes available for searching only after a client sends data to the specified host (on the corresponding port)).

    Protocol

    Select UDP or TCP as appropriate.

    By default, UDP is selected.

    Bind address

    Provide the IP address to which you want to bind for creating a connection.

    Port

    Provide the port to connect to the UDP/TCP protocol.

    By default, this value is set to 514.

     

    Note: This data collector does not work with the default port on a Linux computer. This is because only admin users can access ports with values less than 1024. Users other than admin must ensure that the port value is greater than 1024.

    Data Pattern

    Pattern

    Select the appropriate data pattern to use for indexing the selected data file.

    For this type of data collector, the product does not support filtering of relevant data patterns. Also, because this data collector receives events asynchronously, you cannot select a data pattern and then preview the way it will appear on the Search page. Therefore, by default the data pattern is set to Free Text without Timestamp.

    After the data is indexed and starts showing on the Search page, copy a few lines of the data entries and use them to customize an existing data pattern (by cloning it), or add a new data pattern.

    Notes:

    • All the records processed using the Free Text without Timestamp option are assumed to be a single line of data with a line terminator at the end of the event. Records are distinguished on the basis of the new line separator. If you want to distinguish records in a custom way, then you can specify a custom string or regular expression in the Event Delimiter box that decides where the new line starts in the data. This string or regular expression must correspond to some text in your data which appears at the beginning of a line.
    • Before specifying the data pattern, under the Advanced Options section, ensure that the correct file encoding is set.

    Date Format

    Manually scan through the list available and select a date format.

    If you do not find a relevant date format, you can also create a new date format by selecting the Create new Date Format option.

    Notes:

    • Before specifying the date format, under the Advanced Options section, ensure that the correct file encoding is set.
    • If you select both – a pattern and a date format, then the date format specified takes precedence over the date format from the pattern that you selected. So the timestamp is indexed as per the specified date format, and the rest of the data is indexed as per the pattern.
    • If you select only a date format, then the date format is used for indexing the timestamp, while the rest of the data is displayed in a raw format in your search results.

    Date Locale

    You can use this setting to enable reading the date and time string based on the language selected. Note that this setting only applies to those portions of the date and time string that consist letters (digits are not considered).

    By default, this value is set to English.

    You can manually select a language to override the default locale. For a list of languages supported, see Language-information.

    Event Delimiter

    All the records processed using the Free Text without Timestamp data pattern are assumed to be a single line of data with a line terminator at the end of the event.

    Records are distinguished on the basis of the new line separator.

    If you want to distinguish records in a custom way, then you can specify a custom string or regular expression in the Event Delimiter box that decides where the new line starts in the data. This string or regular expression must correspond to some text in your data which appears at the beginning of a line.

    See examples

    The following regular expression distinguishes records when the line starts with "INFO" or "ERROR" or "WARN".

    ^(INFO|WARN|ERROR)

    The following regular expression distinguishes records when the line starts with “com.bmc.ola”.

    ^(com\.bmc\.ola)

    Start/Stop Collection

    (Optional) Select this check box if you want to start the data collection immediately.

    The [expand] macro is a standalone macro and it cannot be used inline. Click on this message for details.

    Tags
    Inherit Host Level Tags From Target Host
    (Optional) Select this check box to inherit your tag selections associated with the target host that you selected earlier. This option is not applicable if you did not select a target host. Note: After selecting this check box, you can further manually select additional user groups. When you manually select additional user groups, both the inherited permissions as well as the manually assigned permissions are applied. To remove the inherited permissions, clear this check box.
    Select Tag name and corresponding value
    (Optional) Select a tag name and specify the corresponding value by which you want to categorize the data collected. Later while searching data, you can use these tags to narrow down your search results.Example: If your are collecting data from hosts located at Houston, you can select a tag name for "Location" and in the value specify "Houston". While searching the data, you can use the tag, Location="Houston" to filter data and see results associated with the Houston location.To be able to see tag names, you need to first add them by navigating to Administration > System Settings.To specify tag names and corresponding values, in the left box select a tag name and then type the corresponding tag value in the right box. While you type the value, you might see type-ahead suggestions based on values specified in the past. If you want to use one of the suggestions, click the suggestion. Click Add Plus icon.jpgto add the tag name and corresponding value to the list of added tags that follow. Click Remove Tag Delete icon.jpgto remove a tag.The tags saved while creating the data collector are displayed on the Search tab, under the Filters panel, and in the Tags section.Note: At a time, you can specify only one value for a tag name. To specify multiple values for the same tag name, each time you need to select the tag name, specify the corresponding value, and click Add.For more information about tags, see Understanding-fields.

    Group Access

    Inherit Host Level Access Groups From Target Host

    (Optional) Select this check box to inherit your group access configurations associated with the target host that you selected earlier. This option is not applicable if you did not select a target host.

    Note: After selecting this check box, you can further manually select additional user groups. When you manually select additional user groups, both the inherited permissions as well as the manually assigned permissions are applied. To remove the inherited permissions, clear this check box.

    Select All Groups

    (Optional) Select this option if you want to select all user groups. You can also manually select multiple user groups.

    Notes: You can access data retrieved by this data collector based on the following conditions.

    • If user groups are not selected and data access control is enabled: Only the creator of the data collector can access data retrieved by this data collector.
    • If user groups are not selected and if data access control is not enabled: All users can access data retrieved by this data collector. You can restrict access permissions by selecting the relevant user groups that must be given access permissions. To enable data access control, navigate to Administration > System Settings.

    For more information, see Managing-user-groups-in-IT-Data-Analytics.

  5. Click Create to save your changes.

Use case for sending log4j output directly into IT Data Analytics

If you are monitoring an application that uses log4j for logging data, you can directly collect and search this data by using IT Data Analytics. You can collect this data in a number of ways. However, one of the easiest ways of collecting this data is to configure log4j to send data directly into IT Data Analytics.

You can do this by adding the SyslogAppender in the log4j .properties file. After doing this, you can create the Receive over TCP/UDP data collector to receive this data on the TCP or UDP port. Doing this can help you easily search, analyze, and visualize your log4j data and get meaningful insights.

Best practice

Ensure that the collection host (where the Collection Station or Collection agent resides) is operating in the same timezone as the Log4j files you are trying to collect.

If there is no timestamp in the files, then ensure that the collection host is operating in the same timezone as the server hosting the files.

To send log4j data into IT Data Analytics

  1. Identify the .properties file that you want to send to IT Data Analytics.

  2. Edit the file, add details regarding the SyslogAppender, and configure appenders for the logger as follows (if it is not already present).

    The following code block provides a few example lines from one of the log4j .properties file.

    # Configured appenders for the logger
    log4j.rootLogger=SYSLOGFILE

    # The syslog appender to be configured for the syslog
    configuration to affect
    log4j.appender.SYSLOGFILE=org.apache.log4j.net.SyslogAppender

    # The  hostname to log the syslogger information
    log4j.appender.SYSLOGFILE.SyslogHost = CollectionHost.bmc.com

    # The facility name in the logger where the log file shall be logged
    log4j.appender.SYSLOGFILE.facility=local7

    # If true, the SyslogAppender will generate the header (timestamp
    and host information) in the message
    log4j.appender.SYSLOGFILE.Header=false

    # The log filename layout of the syslogger appender
    log4j.appender.SYSLOGFILE.layout=org.apache.log4j.PatternLayout

    # The syslogger configuration pattern
    log4j.appender.SYSLOGFILE.layout.ConversionPattern=
    %-5p %d{MMM/dd HH:mm:ss} %-20c{20} [%t] %m%n

  3. Replace the values of the following properties to be able to connect with IT Data Analytics and save the file.

    Property

    Description

    If you are using log4j versions prior to 1.x

    log4j.appender.SYSLOGFILE.SyslogHost

    Value must be set to the collection host name that you want to use for receiving the log4j data.
    This value can be set to the host name where the Collection Station or Collection Agent is installed.

    Note:     Log4j versions prior to 1.x can only send data over the UDP protocol.

    If you are using log4j versions after 1.x

    host

    Value must be set to the collection host name that you want to use for receiving the log4j data.
    This value can be set to the host name where the Collection Station or Collection Agent is installed.

    port

    Value must be set to the port that you want to use for receiving the log4j data.

    Default port: 514

    protocol

    Depending on the protocol that you want to use for receiving the log4j data, value must be set to TCP or UDP.

  4. (Optional) If you want to extract the timestamp and fields from your log4j data, then it is recommended that you create a data pattern. This data pattern needs to be used while creating the data collector. For more information, see Creating-data-patterns.
    You can optionally extract only the timestamp and extract rest of the data as free text. To capture the timestamp, you need to create a new date format at the time of creating the data collector.
  5. Create the Receive over TCP/UDP data collector and use the same details that you used while configuring the SyslogAppender in step 3.
    After completing the data collector creation, you can start seeing log4j data into IT Data Analytics.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*