Configuration

This article will guide you through configuring the Logship agent.

The agent can collect data from sources such as Windows performance counters, ETW providers, and journalctl logs, among others. The configuration is done through a JSON file called "appsettings.json", which is watched for updates.

You can find an example configuration in the agent source on GitHub.

Output


endpoint

  • Description: The HTTP endpoint to which data will be shipped. You may also use "console" to summarize collected data in the console, rather than uploading.
  • Type: string
  • Required: Yes

interval

  • Description: The interval at which data will be pushed to the endpoint.
  • Type: string
  • Required: No

maximumBufferSize

  • Description: The maximum size of the agent buffer, in number of events. Events are dropped once the buffer reaches this size.
  • Type: int
  • Required: No

```json
{
  "endpoint": "console",
  "interval": "00:00:02",
  "maximumBufferSize": 15000
}
```

Inputs


The input configuration section of the Logship agent JSON file is an array that specifies the various sources from which log and performance data is collected. Each input type is represented as an object within the array and must include a required "type" field that specifies the type of input to collect. Additional fields that are specific to the input type can be included in the object to fine-tune its behavior.

type

  • Description: The input type.
  • Type: string
  • Required: Yes

[...] Extended Data

  • Object properties can differ between input types

```json
[
  {
    "type": "HealthService"
  },
  {
    "type": "Windows.PerformanceCounters",
    "interval": "00:00:05",
    "counters": [
      "\\Process(*)\\*logship*"
    ]
  },
  ...other inputs...
]
```

In this example, the "Windows.PerformanceCounters" input type includes an "interval" field that determines how frequently the counters are monitored, as well as a "counters" field that specifies which performance counters to collect.

Available inputs

| Type | Description | Notes |
| --- | --- | --- |
| HealthService | Collects data from a health service. | |
| Windows.PerformanceCounters | Collects data from Windows performance counters. | Windows |
| Windows.Etw | Collects data from Windows ETW providers. | Windows |
| JournalCtl | Collects data from journalctl logs. | Linux |

HealthService Input

| Field | Required | Description |
| --- | --- | --- |
| type | Yes | The input type. Must be "HealthService". |
| interval | Yes | The frequency at which to collect data from the health service. |

```json
{
  "type": "HealthService",
  "interval": "00:00:05.000"
}
```

This input type collects data from a health service and includes an "interval" field that determines how frequently the data is collected.

Windows.PerformanceCounters Input

| Field | Required | Description |
| --- | --- | --- |
| type | Yes | The input type. Must be "Windows.PerformanceCounters". |
| interval | Yes | The frequency at which to collect performance counter data. |
| counters | Yes | An array of strings specifying the performance counters to collect. |

```json
{
  "type": "Windows.PerformanceCounters",
  "interval": "00:00:05",
  "counters": [
    "\\Process(*)\\*logship*"
  ]
}
```

This input type collects data from Windows performance counters and includes an "interval" field that determines how frequently the counters are monitored. The "counters" field is an array that specifies which performance counters to collect.

Windows.Etw Input

| Field | Required | Description |
| --- | --- | --- |
| type | Yes | The input type. Must be "Windows.Etw". |
| cleanupOldSessions | No | A boolean indicating whether to clean up old ETW sessions before starting a new one. |
| reuseExistingSession | No | A boolean indicating whether to reuse an existing ETW session with the same configuration. |
| providers | Yes | An array of objects specifying the ETW providers to collect data from. Each object must include a "ProviderGuid" field with the GUID of the provider to collect data from. |

```json
{
  "type": "Windows.Etw",
  "cleanupOldSessions": true,
  "reuseExistingSession": false,
  "providers": [
    {
      "ProviderGuid": "AE4BD3BE-F36F-45B6-8D21-BDD6FB832853"
    },
    {
      "ProviderGuid": "4d1b58e1-1220-542a-815b-41707a19672d"
    },
    {
      "ProviderGuid": "7f006a22-73fb-4c17-b1eb-0a3070f9f187"
    },
    {
      "ProviderGuid": "E6F378E8-21CE-49A9-8D98-1BAAF053AB51"
    },
    {
      "ProviderGuid": "EA289C62-8C36-4904-9726-15ECD282AED5"
    }
  ]
}
```

This input type collects data from Windows ETW providers and includes fields such as "cleanupOldSessions" and "reuseExistingSession" that determine how the ETW session is managed. The "providers" field is an array that specifies which ETW providers to collect data from.

JournalCtl Input

| Field | Required | Description |
| --- | --- | --- |
| type | Yes | The input type. Must be "JournalCtl". |
| flags | No | An integer specifying which journalctl flags to use when collecting logs. |
| columns | No | An array of strings specifying which columns to include in the output. |

```json
{
  "type": "JournalCtl",
  "flags": 0,
  "columns": ["USERID"]
}
```

This input type collects data from journalctl logs and includes a "flags" field that specifies which journalctl flags to use when collecting logs, and a "columns" field that specifies which columns to include in the output.
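
A pre-deployment check of the output and inputs sections against the field tables on this page, so that a missing required field or a malformed GUID is caught before the file is rolled out (an added example, not part of the Logship agent or its documentation). The function names, the interval pattern (the hh:mm:ss[.fraction] shape of the page's examples) and the sample data are assumptions; the sections are passed in as already-parsed objects because the page does not show the file's top-level keys.

```python
import re

# Assumption: intervals use the hh:mm:ss[.fraction] shape seen in this page's examples.
INTERVAL_RE = re.compile(r"\d{2}:[0-5]\d:[0-5]\d(\.\d{1,7})?")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Required fields besides "type", copied from the field tables on this page.
REQUIRED = {"HealthService": ["interval"], "JournalCtl": [],
            "Windows.PerformanceCounters": ["interval", "counters"],
            "Windows.Etw": ["providers"]}

def matches(pattern, value):
    return isinstance(value, str) and pattern.fullmatch(value) is not None

def check_output(out):
    """Return problems found in the output section (a dict)."""
    problems = []
    endpoint = out.get("endpoint")
    if not isinstance(endpoint, str) or not endpoint:
        problems.append("output: 'endpoint' is required and must be a string")
    elif endpoint != "console" and not endpoint.startswith(("http://", "https://")):
        problems.append("output: 'endpoint' is neither 'console' nor an HTTP URL")
    if "interval" in out and not matches(INTERVAL_RE, out["interval"]):
        problems.append("output: bad 'interval'")
    if type(out.get("maximumBufferSize", 0)) is not int:
        problems.append("output: 'maximumBufferSize' must be an integer")
    return problems

def check_inputs(inputs):
    """Return problems found in the inputs section (a list of dicts)."""
    problems = []
    for i, item in enumerate(inputs):
        kind = item.get("type")
        if not isinstance(kind, str) or kind not in REQUIRED:
            problems.append(f"inputs[{i}]: missing or unknown 'type' {kind!r}")
            continue
        problems += [f"inputs[{i}] {kind}: missing required '{name}'"
                     for name in REQUIRED[kind] if name not in item]
        if "interval" in item and not matches(INTERVAL_RE, item["interval"]):
            problems.append(f"inputs[{i}] {kind}: bad 'interval' {item['interval']!r}")
        for p in item.get("providers", []) if kind == "Windows.Etw" else []:
            if not (isinstance(p, dict) and matches(GUID_RE, p.get("ProviderGuid"))):
                problems.append(f"inputs[{i}] {kind}: bad 'ProviderGuid' in {p!r}")
    return problems

# Constructed sample sections (not from the page) with three deliberate mistakes.
SAMPLE_OUTPUT = {"endpoint": "console", "interval": "2s"}
SAMPLE_INPUTS = [{"type": "Windows.PerformanceCounters", "interval": "00:00:05"},
                 {"type": "Windows.Etw", "providers": [{"ProviderGuid": "not-a-guid"}]},
                 {"type": "JournalCtl", "flags": 0, "columns": ["USERID"]}]
```

Both functions return an empty list for a section that passes, so the result can gate a deployment step directly.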