Configuring IBM Tivoli Monitoring Log File Agent for Instana

You can configure IBM Tivoli Monitoring Log File Agent to send log events to Instana.

After IBM Tivoli Monitoring Log File Agent is configured for Instana, IBM Tivoli Monitoring Log File Agent retains its settings and continues to send events to the Tivoli Enterprise Monitoring Server or through Event Integration Facility (EIF) or both. All format files that were used in IBM Tivoli Monitoring Log File Agent continue to work. However, the log events are sent to Instana.

Supported versions

Instana supports IBM Tivoli Monitoring Log File Agent 06.30.07 and later.

Prerequisites

The prerequisites for IBM Tivoli Monitoring Log File Agent are listed in Requirements and agent installation and configuration.

Activating IBM Tivoli Monitoring Log File Agent

To activate IBM Tivoli Monitoring Log File Agent, complete the following steps:

  1. Install and run the Instana agent on your host system where IBM Tivoli Monitoring Log File Agent is installed.

  2. Update the .conf file of the .conf / .fmt file pair on IBM Tivoli Monitoring Log File Agent:

    1. Specify the location of the Instana agent by adding the following line:
      InstanaAgentHost=localhost
      
    2. If the default port 42699 that the Instana Host Agent REST API uses is changed, update the port by adding the following line:
      InstanaAgentPort=<the port number>
      
      Adding the port number 1234 is shown in the following example:
      InstanaAgentPort=1234
      

Event processing

Instana uses Host Agent REST API to communicate with the Instana agent. Because IBM Tivoli Monitoring passes events to the Instana agent, the host where the Instana agent runs appears as the source of the events in Instana. The event source is set correctly only if the Instana agent and the IBM Tivoli Monitoring Log File Agent are installed on the same host.

IBM Tivoli Monitoring Log File Agent supports the event filtering and summarization feature. This feature operates exclusively on the connection to a Tivoli Enterprise Monitoring Server in IBM Tivoli Monitoring. It does not work over other connections, such as EIF or Instana.

Rendering of log events

The event text is rendered as a single string with fields listed as key-value pairs separated by semicolons.

Unlike IBM Tivoli Monitoring and Event Integration Facility (EIF), events are not broken into multiple discrete fields on Instana.

A sample event definition in the .fmt file is shown in the following example:

// Matches a generic syslog message like:
// Feb 23 09:45:22 meridiani reboot: [ID 662345 auth.crit] rebooted by root
REGEX REGenericSyslog FOLLOWS REBase
^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$
Month   $1 CustomSlot   10
Date    $2 CustomSlot   9
Time    $3 CustomSlot   8
host    $4 CustomSlot   7
Service $5 CustomSlot   6
msg     $6
END

A sample output of the resulting event is shown in the following example:

REGenericSyslog;Date='23';Month='Feb';msg='[ID 662345 auth.crit] rebooted by root';host='meridiani';Time='09:45:22';Service='reboot';
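
Because Instana receives the event as one string, anything downstream that needs the individual fields must split the string again. The following Python sketch is an added example, not IBM or Instana code: it applies the sample .fmt regex to the sample syslog line and parses the rendered string back into fields. The function names are hypothetical, and it assumes that quotes inside values are not escaped, which this page does not specify.

```python
import re

# Sample log line and rendered event, both taken from the examples on this page.
RAW_LINE = "Feb 23 09:45:22 meridiani reboot: [ID 662345 auth.crit] rebooted by root"
RENDERED = ("REGenericSyslog;Date='23';Month='Feb';"
            "msg='[ID 662345 auth.crit] rebooted by root';"
            "host='meridiani';Time='09:45:22';Service='reboot';")

# Regex copied from the REGenericSyslog definition in the .fmt sample.
FMT_REGEX = re.compile(
    r"^([A-Z][a-z]{2}) ([ 0-9][0-9]) ([0-9]{2}:[0-9]{2}:[0-9]{2}) (.*?) (.*?): (.*)$"
)
# Slot names in capture-group order ($1..$6), as mapped in the .fmt sample.
SLOTS = ("Month", "Date", "Time", "host", "Service", "msg")

# One key='value'; pair. A value ends only at "';" that is followed by the next
# key=' or by the end of the string, so semicolons inside a value are tolerated.
# Assumption: quotes inside values are not escaped (the page does not say).
PAIR = re.compile(r"(\w+)='(.*?)';(?=\w+='|$)", re.DOTALL)


def match_log_line(line):
    """Apply the .fmt regex to a raw log line; return slot name -> value."""
    m = FMT_REGEX.match(line)
    if m is None:
        raise ValueError("line does not match REGenericSyslog")
    return dict(zip(SLOTS, m.groups()))


def parse_rendered_event(text):
    """Split a rendered event string into (event class, {field: value})."""
    event_class, sep, rest = text.partition(";")
    if not sep or not event_class:
        raise ValueError("missing event class")
    fields, pos = {}, 0
    while pos < len(rest):
        m = PAIR.match(rest, pos)
        if m is None:
            raise ValueError(f"unparseable text at offset {pos}: {rest[pos:pos + 20]!r}")
        if m.group(1) in fields:
            # A repeated key means the string is ambiguous (for example, a value
            # that itself contains ';key='), so reject it rather than guess.
            raise ValueError(f"duplicate field {m.group(1)!r}")
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    return event_class, fields
```

The parser compares fields by name, so the order in which the agent lists them in the rendered string does not matter.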