You can forward your logs to New Relic using our infrastructure agent. This makes all of your logging data available in one location, providing deeper visibility into both application and platform performance data.
Enable log forwarding using the infrastructure agent
To enable log forwarding through the infrastructure agent:
- Start by checking what you need.
- Install the infrastructure agent, version 1.11.4 or higher.
- Configure your log sources and other parameters in the
- Generate some traffic and wait a few minutes, then check your account for data.
- Explore your log data in the Logs UI.
What you need
The log forwarding feature is compatible with the following operating systems:
Amazon Linux 2
Version 7 or higher
Version 9 ("Stretch") or higher
Red Hat Enterprise Linux (RHEL)
Version 7 or higher
SUSE Linux Enterprise Server (SLES)
Versions 16.04.x and 18.04.x (LTS versions)
Windows Server 2012, 2016, and 2019, and their service packs.
To use the log forwarder of the infrastructure agent, make sure you meet the following requirements:
Infrastructure agent version 1.11.4 or higher
- Windows: Install the Microsoft Visual C++ Redistributable: x64 or x86.
The log forwarding feature is not yet supported on containerized agents.
Install the infrastructure agent
To use the links above, you must be logged in to your New Relic account.
If you don't have a New Relic account yet, or prefer to follow the procedure manually, see our tutorial.
Test log forwarding
To quickly check that the log forwarding feature works, follow these steps:
Navigate to the logging forwarder configuration folder:
C:\Program Files\New Relic\newrelic-infra\logging.d\
Create a configuration file (for example, logs.yml) with this content:
# Remember to only use spaces for indentation
logs:
  - name: "test_log"
    file: /var/log/test.log

# Remember to only use spaces for indentation
logs:
  - name: "test_log"
    file: 'C:\ProgramData\New Relic\newrelic-infra\newrelic-infra.log'
Run the following command to append a test log message to your log file:
echo "This is a test message." >> /PATH/TO/YOUR/LOG/FILE
echo "This is a test message." >> /var/log/test.log
- Search New Relic Logs for
If you're running the infrastructure agent in privileged or non-privileged modes, make sure that the user executing nri-agent has read permissions for the data sources.
Configure the infrastructure agent
Configuration files describe which log sources are forwarded. You can add as many config files as you want, and set as many sources as you need per config file.
To add a new configuration file for the log forwarding feature:
Navigate to the logging forwarder configuration folder:
C:\Program Files\New Relic\newrelic-infra\logging.d\
The agent automatically processes new configuration files without having to restart it.
Log forwarding parameters
The log forwarder config supports the following parameters (for examples, see the sample configuration).
Name of the log or logs.
List of custom attributes, as key-value pairs, that can be used to send additional data with the logs which you can then query. For example, you can enable built-in parsing rules by setting the
...
  - name: tcp-simple-test
    tcp:
      uri: tcp://0.0.0.0:1234
      format: none
      separator: \t
    attributes: # You can add custom attributes to any source of logs
      tcpFormat: none
      logtype: nginx # See https://docs.newrelic.com/docs/logs/log-management/ui-data/new-relic-logs-parsing-built-rules-custom-parsing
      someOtherAttribute: associatedValue
Path to the log file or files. The agent tracks changes on the log files in a way similar to tail -f shell.
file can point to a specific log file or multiple ones by using wildcards applied to names and extensions; for example,
logs:
  - name: file-with-attributes
    file: /var/log/test.log # Path to a single file or pattern
    pattern: Error # Regular expression to filter log entries
Wildcards can also be used in place of directories in a file path, which can be used to tail files located in different directories.
logs:
  - name: docker-logs
    file: /var/lib/docker/containers/*/*.log # Path to multiple folders and files
    pattern: redis # Regular expression to filter log entries
Use of wildcards may significantly increase the number of file descriptors the Fluent Bit process keeps open, which can interfere with log collection if the host's file descriptor limit is reached.
We recommend increasing the file descriptor limit on Linux hosts running Fluent Bit by adding the following to the host's
root soft nofile 65536
root hard nofile 65536
* soft nofile 65536
* hard nofile 65536
Once you add the changes above, reboot the host to ensure your changes are applied.
systemd (Linux only)
Service name. Once the systemd input is activated, log messages are collected from the journald daemon in Linux environments.
logs:
  - name: systemd-example
    systemd: cupsd
This input type requires the agent to run in root mode.
syslog (Linux only)
Syslog data source.
uri: Syslog socket. Format varies depending on the protocol:
- TCP/UDP network sockets:
- Unix domain sockets:
unix_[tcp/udp]:// + /socket/path
parser: Syslog parser. Default is
rfc5424 if your messages include fractional seconds. Note:
rfc3164 currently does not work on SuSE.
0644 for domain sockets; this limits entries to processes running as root. You can use
0666 to listen for non-root processes, at your own risk.
When running the agent in privileged mode, ports and sockets must be available or owned by
0666 file permissions, so that other processes can write logs to the sockets.
logs:
  # TCP network socket
  - name: syslog-tcp-test
    syslog:
      uri: tcp://0.0.0.0:5140 # Use the tcp://LISTEN_ADDRESS:PORT format
      parser: rfc5424 # Default syslog parser is rfc3164
  # UDP network socket
  - name: syslog-udp-test
    syslog:
      uri: udp://0.0.0.0:6140 # Use the udp://LISTEN_ADDRESS:PORT format
    max_line_kb: 35
  # Unix TCP domain socket
  - name: syslog-unix-tcp-test
    syslog:
      uri: unix_tcp:///var/unix-tcp-socket-test
      unix_permissions: 0666 # Default is 0644. Change at your own risk
  # Unix UDP domain socket
  - name: syslog-unix-udp-test
    syslog:
      uri: unix_udp:///var/unix-udp-socket-test
      parser: rfc5424
Logs retrieved over TCP connections.
uri: TCP/IP socket to listen for incoming data. The URI format is
format: format of the data. It can be
format: none is used, you can define a separator string for splitting records (default:
logs:
  - name: tcp-simple-test
    tcp:
      uri: tcp://0.0.0.0:1234 # Use the tcp://LISTEN_ADDRESS:PORT format
      format: none # Raw text - this is default for 'tcp'
      separator: \t # String for separating raw text entries
    max_line_kb: 32
  - name: tcp-json-test
    tcp:
      uri: tcp://0.0.0.0:2345 # Use the tcp://LISTEN_ADDRESS:PORT format
      format: json
Maximum size of log entries/lines in KB. If log entries exceed the limit, they are skipped. Default is
Collect events from Windows log channels.
channel: name of the channel logs will be collected from.
collect-eventids: a list of Windows Event IDs to be collected and forwarded to New Relic. Event ID ranges are supported.
exclude-eventids: a list of Windows Event IDs to be excluded from collection. Event ID ranges are supported.
All events are collected from the specified channel by default. Configure the
exclude-eventids sections to avoid sending unwanted logs to your New Relic account.
Add event IDs or ranges to
exclude-eventids to forward or drop specific events.
exclude-eventids takes precedence over
collect-eventids if the same event ID is present in both sections.
logs:
  - name: windows-security
    winlog:
      channel: Security
      collect-eventids:
        - 4624
        - 4265
        - 4700-4800
      exclude-eventids:
        - 4735
Regular expression for filtering records. Only supported for the tail, systemd, syslog and tcp (only with format none) sources.
This field works in a way similar to grep -E in Unix systems. For example, for a given file being captured, you can filter for records containing either WARN or ERROR using:
- name: only-records-with-warn-and-error
  file: /var/log/logFile.log
  pattern: WARN|ERROR
No filtering is applied by default.
External Fluent Bit configuration and parser files. If defined, they are merged with the existing configuration and parser files generated by the Infrastructure agent.
The infrastructure agent processes the configuration files located in the
logging.d directory and will generate a run-time Fluent Bit configuration file that contains the appropriate
[OUTPUT] sections. Optionally, it will also declare an
@INCLUDE in case you provided an external Fluent Bit configuration file via the
fluentbit option. The run-time file does not define a
[SERVICE] section, leaving all default Fluent Bit configuration values. You can still override Fluent Bit's default settings by defining your own
[SERVICE] section in your external Fluent Bit configuration file and include it via the
config_file: path to an existing Fluent Bit configuration file. Note that any overlapping source results in duplicate messages in New Relic Logs.
parsers_file: path to an existing Fluent Bit parsers file. The following parser names are reserved:
Sample configuration file
Here is an example of a logging.d/ configuration file in YAML format. For more configuration examples, see the infrastructure agent repository.
# Remember to only use spaces for indentation
logs:
  # Example of 'file' source
  - name: file-with-attributes
    file: /var/log/test.log # Path to a single file or pattern
    attributes: # You can use custom attributes to enrich your data
      logtype: nginx
      team: The A Team
    pattern: Error # Regular expression to filter log entries
  # Example of 'systemd' source (Linux only)
  - name: systemd-example
    systemd: cupsd
  # Examples of 'syslog' source, one per protocol
  # TCP network socket
  - name: syslog-tcp-test
    syslog:
      uri: tcp://0.0.0.0:5140 # Use the tcp://LISTEN_ADDRESS:PORT format
      parser: rfc5424 # Default syslog parser is rfc3164
  # UDP network socket
  - name: syslog-udp-test
    syslog:
      uri: udp://0.0.0.0:6140 # Use the udp://LISTEN_ADDRESS:PORT format
    max_line_kb: 35
  # Paths for Unix sockets are defined by combining protocol and path:
  # unix_udp:// + /path/socket - for example, unix_udp:///tmp/socket
  # Unix TCP domain socket
  - name: syslog-unix-tcp-test
    syslog:
      uri: unix_tcp:///var/unix-tcp-socket-test
      unix_permissions: 0666 # Default is 0644. Change at your own risk
  # Unix UDP domain socket
  - name: syslog-unix-udp-test
    syslog:
      uri: unix_udp:///var/unix-udp-socket-test
      parser: rfc5424
  # Examples of 'tcp' source for formats 'none' and 'json'
  - name: tcp-simple-test
    tcp:
      uri: tcp://0.0.0.0:1234 # Use the tcp://LISTEN_ADDRESS:PORT format
      format: none # Raw text - this is default for 'tcp'
      separator: \t # String for separating raw text entries
    attributes: # You can add custom attributes to any source of logs
      tcpFormat: none
      someOtherAttribute: associatedValue
    max_line_kb: 32
  - name: tcp-json-test
    tcp:
      uri: tcp://0.0.0.0:2345 # Use the tcp://LISTEN_ADDRESS:PORT format
      format: json
    attributes:
      tcpFormat: json
      yetAnotherAttribute: 12345
  # Example of Fluent Bit configuration import
  - name: fluentbit-import
    fluentbit:
      config_file: /path/to/fluentbit.config
      parsers_file: /path/to/fluentbit/parsers.conf
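Added example (not part of the New Relic documentation or agent): a Python check that scans a logging.d file for the listener settings this page attaches caveats to, namely a tcp/udp uri bound to 0.0.0.0 (all interfaces), a system-reserved port, and world-writable unix_permissions. The function name audit and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: a logging.d file using settings shown on this page.
SAMPLE = """\
logs:
  - name: syslog-tcp-test
    syslog:
      uri: tcp://0.0.0.0:5140 # Use the tcp://LISTEN_ADDRESS:PORT format
      parser: rfc5424
  - name: syslog-unix-tcp-test
    syslog:
      uri: unix_tcp:///var/unix-tcp-socket-test
      unix_permissions: 0666 # Default is 0644
  - name: tcp-local
    tcp:
      uri: tcp://127.0.0.1:80
      format: json
"""

NAME = re.compile(r"^\s*-\s*name:\s*(\S+)")
URI = re.compile(r"^\s*uri:\s*(tcp|udp)://([^:\s]+):(\d+)")
PERMS = re.compile(r"^\s*unix_permissions:\s*([0-7]+)")


def audit(text):
    """Return (source_name, finding) tuples for risky listener settings."""
    findings, name = [], None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0]  # drop trailing YAML comments
        if m := NAME.match(line):
            name = m.group(1).strip("\"'")
        elif m := URI.match(line):
            host, port = m.group(2), int(m.group(3))
            if host == "0.0.0.0":
                findings.append((name, f"listens on all interfaces ({host}:{port})"))
            if port < 1024:
                findings.append((name, f"uses system-reserved port {port}"))
        elif m := PERMS.match(line):
            # The "others" write bit lets any local process write to the socket.
            if int(m.group(1), 8) & 0o002:
                findings.append((name, f"socket is world-writable ({m.group(1)})"))
    return findings


if __name__ == "__main__":
    for source, finding in audit(SAMPLE):
        print(f"{source}: {finding}")
```

The scan is line-based so it runs without a YAML library; it assumes one setting per line, as in the samples above.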
View your log data
If everything is configured correctly and data is being collected, you should see data in both of these places:
New Relic tools for running NRQL queries; for example, you can execute a query like this:
SELECT * FROM Log
Troubleshoot log forwarding
No data appears when tailing a file
The log forwarding feature requires that the agent has permission to read the data sources. When running the infrastructure agent in privileged or non-privileged modes, make sure that the log files you want to forward (and any intermediary directory in its path) are readable by the user running
- Example: checking file access under Linux
Let's check whether the file /var/log/restrictedLogs/logFile.log can be monitored by the nri-agent user. In Linux, you can do a quick check with the
sudo -u nri-agent namei -ml /var/log/restrictedLogs/logFile.log
f: /var/log/restrictedLogs/logFile.log
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxrwxr-x root syslog log
drwxr--r-- root root restrictedLogs
logFile.log - No such file or directory
The above command failed since the file is not visible to the nri-agent user. By inspecting the previous output, we can detect that the restrictedLogs directory is missing the execution flag for "others".
We can fix this by executing:
sudo chmod 755 /var/log/restrictedLogs
And then check for file access again:
# sudo -u nri-agent namei -ml /var/log/restrictedLogs/logFile.log
f: /var/log/restrictedLogs/logFile.log
drwxr-xr-x root root /
drwxr-xr-x root root var
drwxrwxr-x root syslog log
drwxr-xr-x root root restrictedLogs
-rw-r----- vagrant vagrant logFile.log
The file is now visible to the nri-agent user. You must ensure that the file is also readable by the nri-agent user. To check this, you can use:
# sudo -u nri-agent head /var/log/restrictedLogs/logFile.log
head: cannot open '/var/log/restrictedLogs/logFile.log' for reading: Permission denied
In the above example, the file is missing the read rights for the "others" group (that is, users other than
vagrant user group). A possible fix would be to grant read permissions to "others", but the application might change these permissions upon restart.
To avoid this, a better approach would be to add the
nri-agent user to the
If no data appears after you enable log management, follow standard troubleshooting procedures.
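Added example (not part of the New Relic documentation): the same diagnosis as the namei and head checks above, done in Python by evaluating the mode bits of every path component for a given user. The names first_blocker and demo, the stand-in uid for nri-agent, and the assumption that the final fix is membership in the file's group are constructed for illustration.

```python
import os
import tempfile


def first_blocker(path, uid, gids, root=os.sep):
    """Walk from `root` down to `path`; return (entry, missing_right) for the
    first entry the user cannot traverse or read, or None if the file is
    readable. Only classic mode bits are modelled (no ACLs, no uid 0 bypass)."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    chain, current = [root], root
    for part in os.path.relpath(path, root).split(os.sep):
        current = os.path.join(current, part)
        chain.append(current)
    for entry in chain:
        st = os.stat(entry)
        # Select the owner, group or "others" permission triplet.
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        bits = (st.st_mode >> shift) & 0o7
        if entry != path and not bits & 0o1:
            return entry, "execute (traverse)"
        if entry == path and not bits & 0o4:
            return entry, "read"
    return None


def demo():
    """Replay the restrictedLogs case from this page in a temp dir."""
    with tempfile.TemporaryDirectory() as base:
        logdir = os.path.join(base, "restrictedLogs")
        logfile = os.path.join(logdir, "logFile.log")
        os.mkdir(logdir)
        with open(logfile, "w") as fh:
            fh.write("This is a test message.\n")
        os.chmod(logfile, 0o640)            # -rw-r-----
        st = os.stat(logfile)
        agent_uid = st.st_uid + 1           # constructed stand-in for nri-agent
        os.chmod(logdir, 0o744)             # drwxr--r--
        before = first_blocker(logfile, agent_uid, set(), root=logdir)
        os.chmod(logdir, 0o755)             # the chmod 755 fix
        after_dir = first_blocker(logfile, agent_uid, set(), root=logdir)
        # Assumed fix: the agent user is a member of the file's group.
        in_group = first_blocker(logfile, agent_uid, {st.st_gid}, root=logdir)
    return before, after_dir, in_group


if __name__ == "__main__":
    for result in demo():
        print(result)
```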
No data appears when capturing via a Syslog socket
The log forwarding feature requires that the agent has permission to read the data sources. When running the Infrastructure agent in privileged or non-privileged modes:
- If you're using Unix domain socket files, make sure that the nri-agent user can access these files (please refer to the previous section) and that they have read and write permissions (666) so that users other than nri-agent can write to them.
- If you're using IP sockets, ensure that the port that you are using is not a system reserved one (like port 80, for example).
If no data appears after you enable log management, follow standard log management troubleshooting procedures.
Send the agent's logs to New Relic
To forward the infrastructure agent logs to New Relic:
- Enable agent logging in troubleshooting mode by adding
On Windows and systems that don't use
verbose: 3 causes the agent to write the logs on the disk. Revert to verbose: 0 to prevent this.
- (Recommended): Enable agent logging in JSON format to
Restart the agent so that the new settings can be loaded.
The above configuration sets up the agent in troubleshooting mode, but the Log Forwarder (based on Fluent Bit) will continue in a non-verbose mode. Sometimes you can have issues with the Log Forwarder itself, for instance, problems when accessing a specific channel when shipping Windows log events or when accessing a particular log file. If that's the case, you can also enable the verbose mode for the Log Forwarder by setting
verbose to a value different from
0 and by adding the following configuration option:
verbose: 3 and
trace: ["log.fw"], you need to ensure that you don't define any
[OUTPUT] section pointing to
stdout in an external Fluent Bit configuration file, in case you opted to use the
Runtime error on Windows
One of the following error messages may appear when enabling log forwarding on Windows:
The code execution cannot proceed because VCRUNTIME140.dll was not found.
error="exit status 3221225781" process=log-forwarder
This is caused by a missing DLL.
Now that you've enabled Logs, here are some potential next steps:
- Explore your data using the Logs UI.
- Configure your agent to see contextual log data, such as distributed tracing, stack traces, application logs, and more.
- Query your data and create custom dashboards or alerts.