LogicMonitor + Catchpoint: Enter the New Era of Autonomous IT

Learn more
Platform
Solution
Industry
Role
There is no result.

LogSource Configuration

Last updated - 06 April, 2026

LogSource is an LM LogicModule that provides templates to enable logs and configure the sending of log data for ingestion by LM Logs. LogSource helps you configure details about what logs to get, where to get them, and which fields should be considered for parsing.

Note: The following describes general steps to add and configure a LogSource. For information about configuration parameters for a specific type of LogSource, see configuration information for each type. For more information about the LogSource concept, see LogSource Overview.

Requirements for LogSource Configuration

  • When using the LM Collector with a LogSource, the LM Collectors installed in your infrastructure must be version EA 31.200 or later.
    For information on how to upgrade a collector, see Managing Collectors.
  • To access the resource mapping prioritisation feature, you must have EA Collector 36.400 or later installed on your machine.
  • With Portal version 187 or later, LogSource supports only RE2-compatible regex patterns in the Filter, LogFieldTag, and ResourceMapping sections.
  • EA Collector 34.100 or later supports processing of LogSources using RE2J.
  • The Collector supports backward compatibility for existing LogSources that use Java-compatible regex patterns that are not RE2-compatible.

Adding the LogSource

Do the following to add a new LogSource:

  1. In the LogicMonitor navigation menu, select Modules.
  2. From My Module Toolbox, select add icon Add.
  3. In the Add window, select LogSource. The Add New LogSource window displays.

    Add new logsource page
  4. Continue by configuring the LogSource as described in the following steps.

Note: Depending on the type of LogSource selected in the next step, you will see different sections for entering information. For example Exclude filters, Include Filters, Log Fields, and so on. The tabs at the top provide quick access to the different sections.

Configuring the LogSource

Basic Information

Provide general information about the LogSource, and select a type for it depending on the origin of the log data.

In the Info section, do the following:

  1. Name (required)—Add a descriptive name, this will be displayed in the list of logsources.
  2. Description and Technical Notes—Optional information about the LogSource.
  3. Group—The group under which the LogSource should be present. Select a LogSource group or create a new one. If no group is specified, the LogSource will be placed in “@ungrouped”.
  4. Preview how the markdown displays in the module—Toggle this to see how the information in technical notes will appear.
  5. Type (required)— Select the type of resource that the LogSource is applied to and continue the configuration of the rest of the applicable sections as described in the following.

    info tab in add new logsource page

AppliesTo

Configure the resources that uses the LogSource. 

In the AppliesTo section, do the following:

  1. Enter the resources to which the LogSource is applied.
  2. Optionally, select Launch IDE for guidance through the resource selection.
  3. Select Done to save the configuration.

    AppliesTo option in Add new logsource page
  4. Optionally, select the Test AppliesTo icon to test the resource selection, and refine the criteria as needed.

Exclude and Include Filters

Optionally, you can add filters to exclude or include events. If you add filters, events must meet the filter criteria in order to be detected and alerted on. Available filtering options depend on the selected LogSource type. If no filter is provided all log events are included by default. If you add multiple filters they will be added (AND condition).

In the Exclude and Include Filters sections, do the following:

  1. Select Add Exlude Filter, or Add Include Filter.
  2. For Attribute, add the type of item to filter on, options depend on type of LogSource. Example: “Level” for a Windows Event Logging type of LogSource.
  3. Select a Comparison Operator, for example “Equal” or “RegexMatch”, depending on type of attribute.
  4. Add a Value, depends on attribute and comparison operator, for example “Warning”.
  5. Add an optional Comment.
  6. Select the Save icon to add the filter.

When defining the severity level to be included for incoming log messages, you can include multiple levels specified with a pipe separator. You can also use level numbers such as 1 for error, 2 for warning, and 3 for information.

Example: If you want to only include log messages for errors and warnings, you can set the filter with the attribute “Level”, comparison operator “In”, and value “1 | 2”.

include filter option for add new logsource page

As you are defining filters, you can select Test AppliesTo to perform test runs to ensure events are filtered and captured as you intended. You can also use the testing capability before any filters are defined in order to return all messages from a device, and use this information to refine parameter values. 

Log Fields

You can configure Log Fields to include additional metadata to be sent with the logs. You can also add LogicMonitor resource properties as log metadata.

In the Log Fields section, do the following:

  1. Select Add Log Fields.
  2. For Method, add the method for collecting the metadata, options depend on type of LogSource.
    For example, “Windows Event Attribute” for a Windows Event Logging type of LogSource.
  3. Enter a Key, for example “Source”.
  4. Add a Value, for example “Source Name”.
  5. Add an optional Comment.
  6. Select the Save icon to add the log field.

Example: Log Fields configured for metadata.

log fields list

Resource Mappings

This is required for some LogSource types and provides information about which resource the logs should map to. It defines the resource properties used to map logs to the monitored resources from which the Collector collects data.
For more information see agent.conf Collector Settings.

You can identify and map resources using either an OR operator or an AND operator.

AND Operator Behavior in Resource Mappings

When using the AND operator for resource mapping, LogicMonitor evaluates all specified conditions together and identifies a resource only when all conditions are satisfied. This approach enforces stricter matching criteria.
In multi-tenant environments, to use AND operator, consider the following:

  • The AND operator requires all attributes to align to identify a resource.
  • This method improves precision when combining multiple identifying properties.
  • If conditions do not resolve to a single resource, the mapping does not associate the log with an ambiguous resource.

OR Operator Behavior in Resource Mappings

When using the OR operator for resource mapping, LogicMonitor evaluates multiple conditions independently and selects a matching resource when any condition is satisfied.
In multi-tenant environments, consider the following:

  • The OR operator enables flexible matching across multiple attributes
  • Evaluation stops after the first matching condition is satisfied, and subsequent conditions are not evaluated.
  • If multiple resources satisfy the condition, the mapping does not associate the log with an ambiguous resource.
  • The effectiveness of this approach depends on the uniqueness of the selected attributes.

When Syslog and SNMP trap ingestion is enabled in agent.conf (lmlogs.syslog.enabled=true and lmlogs.snmptrap.enabled=true), LogicMonitor applies a default resource mapping sequence using the OR operator.

Default mappings display on the LogSource creation page for Syslog and SNMP trap LogSources.

AND and OR operators in Resource Mappings

Key Considerations for Resource Mapping

To add resource mapping for environments that provide services for multiple LogicMonitor accounts, consider the following:

  • Combine identifiers such as IP address with tenant-specific properties to improve uniqueness.
  • Use multiple attributes to strengthen identification across tenants.
  • Select attributes that are consistently available across ingestion methods.
  • Ensure that attribute combinations reliably identify the same resource across ingestion events.
  • When conditions do not resolve to a single resource, logs are not mapped to any resource and are considered resourceless.

To configure resource mappings, do the following:

  1. Select Add Resource Mappings.
  2. In the Method field, select a mapping method (for example, “IP”). 
  3. In the Key field, enter a mapping key (for example “system.hostname”).
  4. In the Value field, enter a value based on the selected method.
  5. (Optional) In the Comment field, enter a description.
  6. Select Save
    The resource mapping displays in the table.
  7. Select either Match any condition (OR) or Match all conditions (AND).

Note: If OR is enabled, you can use the Drag to Reorder column to reorder the sequence of the resource mappings based on your preference to identify the resources for resource identification.

Add Resource Mapping section

Example: Resource mapping in the following is equivalent of this collector configuration:

  • lmlogs.syslog.hostname.format=IP
  • lmlogs.syslog.property.name=system.hostname
Resource mapping example

Enabling the LogSource

When all the sections are configured, select Save to enable the LogSource (or update an existing one). 

Enabling Preferred Collectors

Note: This step is only needed if logs are sent to a different collector than the one monitoring the resource. If logs are sent to the same monitoring, you don’t need to configure a preferred logs collector.

The following describes how to define a Logs Collector Group and Preferred Logs Collector for each resource or resource group.

Warning: LogSource configurations supercedes collector configurations. For example, say you are sending logs to a Collector A resource using the traditional log collection method. Then you configure a new LogSource that applies to that resource. In this case the LogSource configuration is applied, which could cause potential resource mapping conflicts.

Enabling on a Resource

Logsource resource on resources page
  1. Navigate to Resources and select the desired resource.
  2. For each resource, select the Manage Properties icon to open the Manage Resource view.
  3. Toggle Enable LM Logs to on.
  4. Select the desired Collector Group (optional) and the preferred Log Collector (required) from the drop-down, type in field to see available options. 
  5. Select Save.
  6. Repeat the procedure for each resource you for which want to enable logs collection.

Enabling on a Resource Group

Note: Preferred logs collector configurations are not saved at Resource Group level. This means that if new resources are added to the group after the initial configuration, you must reapply the preferred collector to the resource group, or manually configure this for the new resource itself.

  1. In LogicMonitor, navigate to Resources and select the desired static resource group.
  2. Select the Logs tab and then select Set Preferred Logs Collector.
    Log Source Configuration Enabling on Resource Group
  3. Select any of the following options:
    • Remove Log Collector for all Group members – Select to remove log collector from the resource group. By default, this option is selected.
    • Select Collector from the List – Select Collector Group (Optional) and Collector (Required) from the drop-down list.
  4. Select Apply Now to update the configuration.

Type-specific Configuration Parameters

For information about configuration parameters for a specific type of LogSource, see the following:

14-day access to the full LogicMonitor platform