Logentries Docs

Find comprehensive guides and documentation to help you start and continue to work with Logentries.



Frequently Asked Questions

Restart Agents on Windows and Unix.


Both Unix and Windows have built-in ways to restart services within the environment.

In Windows, you can hit the Win-R key combination and type “services.msc”. This will bring up the services panel in Windows. If you browse to Logentries Agent Service and right-click it, you will be given an option to Restart.

For Debian Squeeze and Ubuntu:

service logentries force-reload

For Debian Lenny, run the init script explicitly:

/etc/init.d/logentries force-reload

When I reinstall the Windows Agent, the log entries are still showing up under the old host/account.


Once the Windows Agent is installed, the host key and account key are stored within the registry. To remove this information, use REGEDIT to browse to HKLM\Software and delete the Logentries key. This will remove any traces of previous registrations within the system.

How do I get my log data out of a secure environment without using the DataHub?


The Logentries Agent applications can forward securely using port 443 or 20000, depending on the operating system on which they are installed. Other logging methods such as Rsyslog can be set up to send encrypted data with certificate validation. Click here for more details on Rsyslog Encryption. Alternatively, an Rsyslog proxy could be configured outside of the secure network to receive data from within the secure network and forward it on to Logentries.

Deleting a Log, Log Set or account.


To delete a Log Set, the action must occur in the Logentries UI rather than on the system where the agent is installed. After logging in to the Logentries web UI, navigate to the Log Set that you want to remove and click the (x) on the far right of the Log Set name entry. This will remove the Log Set along with all of its logs and all historical data. Alternatively, run sudo le rm PATH_TO_FILE and restart the service.

To delete a specific log, navigate in the web UI to that log inside your Log Set and click the (x) to the far right of the name of the log you wish to delete. This will remove that log and all of its data permanently.

To delete your account, please contact customerservice@rapid7.com and one of our representatives will be in touch to help.

After creating a Tag I can’t see it match past data? Can I apply a Tag retrospectively?


Tags and Alerts do not work retrospectively. Once applied, any incoming log entries which match the tag’s pattern will have the tag label applied to them.

Character limit for a single log entry


Currently log entries are limited to 8192 characters. If your log entry runs over this amount, it will be truncated and the excess will appear as a new entry in the UI.

Can I send historical log entries to Logentries?


No. Your log entries are timestamped by Logentries the moment they reach our servers, so historic log events sent from an existing file would not have accurate timestamps. From the point of following a log file (sudo le follow <path_to_file>), the agent begins sending events from the followed files to the Logentries servers, as LE is designed to be a real-time system. You could write a script that writes the old log file to a new log file the agent is following in order to send those logs to Logentries; however, the timestamps would not be accurate.
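A sketch of such a replay script, added here as an example and not part of the Logentries documentation or tooling. It marks every replayed line with a key-value pair so that searches and tags can tell backfilled events (whose Logentries timestamp is the replay time) from live ones, and it counts lines that would exceed the 8192-character limit instead of letting them split. The function name, the key names replayed and orig_file, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: replay an old log file into a file the agent already follows.
# The function name and the "replayed"/"orig_file" keys are hypothetical.

MAX_CHARS=8192   # per-entry character limit stated in this FAQ

# replay_log OLD_FILE FOLLOWED_FILE
# Appends each non-empty line of OLD_FILE to FOLLOWED_FILE with a KVP marker.
# Lines that would exceed MAX_CHARS once tagged are skipped and counted, so
# they are not truncated into a second, unmarked entry.
# Prints "sent=N skipped=M" and returns 1 if OLD_FILE is unreadable.
replay_log() {
    old=$1; followed=$2
    [ -r "$old" ] || { echo "cannot read $old" >&2; return 1; }
    tag="replayed=true orig_file=$(basename "$old")"
    sent=0; skipped=0
    # "|| [ -n "$line" ]" keeps a final line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        out="$line $tag"
        if [ "${#out}" -gt "$MAX_CHARS" ]; then
            skipped=$((skipped + 1))
            continue
        fi
        printf '%s\n' "$out" >> "$followed"
        sent=$((sent + 1))
    done < "$old"
    echo "sent=$sent skipped=$skipped"
}

# Usage (paths are placeholders):
#   replay_log /var/log/app.log.old /var/log/app.log
```

The original timestamp inside each line is left untouched, so it can still be searched as text even though the entry's Logentries timestamp reflects the replay.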

Do I have to have logs in a particular format for Logentries to work?


No, but it helps to have structured log data in order to get more useful search query results, particularly when using Key Value Pairs (KVPs).
See Structuring Your Log Data for some helpful suggestions, questions to ask yourself about logging, and strategies you can implement to get the most out of your log data.

Sending log events from Routers to Logentries

If your specific model of router supports plain TCP / UDP forwarding using rsyslog / syslog, you can create a Plain TCP / UDP log to receive this data.
For more information you can see: Input Plain TCP / UDP, Syslog forwarding, or Cisco router log forwarding.


I have just set up my Logentries integration but I cannot see logs or system information being populated into the Logentries UI.


Please check that a firewall or proxy is not blocking the flow of traffic. See the Firewall Settings page for IP addresses and ports.

Agent Type
Windows Agent – The Windows Agent currently uses ports 10000 and 20000, for TCP and TLS respectively.
Unix Agent – The Unix Agent currently uses ports 80 and 443, for HTTP and HTTPS respectively.
Note: The current Linux Agent communicates over port 80 and 443. This will be changing soon to fall in line with the Windows Agent, to allow for better communication and information processing with Logentries.

When I run “le follow” I get an error telling me my “Host Key or Log Set Key could not be found.” Likewise, when I run “le whoami” or any other information displaying commands, I do not see what I expect. When I log into the Logentries web UI, I see updated log and system information.

Please make sure that you are using the sudo command with the le command to run as root. During setup, the Logentries agent is installed and executed as root.

Remember to restart the agent after adding subsequent files to be followed using:
sudo service logentries restart

Setting up an EC2 instance with Logentries


You can install the agent on your EC2 Instance and configure normally or manually using Token-Based Logging.
You can configure Rsyslog on your EC2 Instance to forward log files to Logentries.
In short, you can set up Logentries on an EC2 instance in the same manner as you would on a standard machine.

DataHub Hardware Requirements


It depends on how you use and configure DataHub. DataHub is designed to work on minimal system configurations, but it can be set to use regex and is CPU dependent, so if you are using DataHub to scrub large amounts of data or are sending vast amounts of data in your log events, you may require higher CPU capabilities.

Sending system statistics to Logentries


You must first create a Token-Based Log to hold your metrics stats, if you don’t already have one. Click here to see how this is done. After creating your token-based log, copy this log’s token. Open your system’s /etc/le/config file, edit the line with ‘metrics-token =’ and paste your token after the ‘=’ sign without any quotes. Save the config file.
Then restart the agent by running sudo service logentries restart. You will now see your token-based system stats log populated with data from your system.
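The config edit above as a script, added here as an example and not taken from the Logentries documentation. It assumes log tokens are UUID-shaped, which also rejects a token pasted with quotes, and it only rewrites an existing ‘metrics-token =’ line rather than guessing where to add one. The function name set_metrics_token is hypothetical.

```shell
#!/bin/sh
# Added example: set the metrics token in the agent config file.
# set_metrics_token is a hypothetical helper, not an agent command.

# set_metrics_token CONFIG_FILE TOKEN
# Returns 0 on success, 2 for a malformed token, 3 if the config has no
# "metrics-token =" line to edit.
set_metrics_token() {
    cfg=$1; token=$2
    # Assumption: tokens are bare UUIDs. Quotes or stray whitespace fail here.
    printf '%s\n' "$token" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
        || { echo "token must be a bare UUID, without quotes" >&2; return 2; }
    grep -Eq '^[[:space:]]*metrics-token[[:space:]]*=' "$cfg" \
        || { echo "no 'metrics-token =' line in $cfg" >&2; return 3; }
    tmp=$(mktemp) || return 1          # mktemp creates the file owner-only
    awk -v t="$token" '
        /^[ \t]*metrics-token[ \t]*=/ { print "metrics-token = " t; next }
        { print }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so its owner and mode are kept;
    # the token is a credential and the file should stay root-readable only.
    cat "$tmp" > "$cfg"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage, followed by the restart the FAQ calls for (token is a placeholder):
#   sudo sh -c '. ./set_metrics_token.sh && set_metrics_token /etc/le/config <TOKEN>'
#   sudo service logentries restart
```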

I downgraded, upgraded, (or otherwise changed) my account plan and now I cannot see all the logs that I had saved before


Current plan parameters are always listed on the Pricing Page. If you downgrade your plan, any logs that are aged beyond the maximum retention policy will be automatically expunged when the plan change occurs. Sales can be contacted at sales@logentries.com.

Accessing the most recent billing statement (invoice).


Inside of your Accounts page, there is a Statements tab. You are able to download the receipt for the corresponding month.

Can I have multiple accounts and pay for them together?


Yes, we can set it up for you on the backend. Subscribe one plan to a paid plan and manually switch the others. Contact the support team who can put you in touch with our sales professionals who will help you with this.

Access Control Lists (ACLs): Is there a way to separate out my logs to give access only to some users?


Access Control Lists (ACLs) – an initial implementation has been released which uses teams to restrict access. These teams can be restricted from certain tasks such as deleting log sets, editing DataHub routes, editing teams, deleting users and inviting users to the accounts. More functionality will be added when Logentries develops this feature.

Does Logentries support “Single Sign On”?


Logentries supports single sign-on through our Partner plans like Heroku, Azure, AppHarbor, Engine Yard, etc.

Large log events are being dropped, why?


We have an ingestion limit of 64k per log event.

Where is my log data stored?

The Logentries data centre is in Ireland. If you choose to use the S3 Archiving feature, then your data will be backed up to whatever region you create your bucket in.
