Collect Logs for Artifactory 7

To collect logs for Artifactory 7, you will need to set up an Installed Collector and a Local File Source.

This procedure documents how to collect logs from JFrog Artifactory into Sumo Logic.

Log Types

For each JFrog service, you will find its active log files in the $JFROG_HOME/<product>/var/log directory. For consistency, each log file is prefixed by its service name and a dash, <service-name>-service.log. For example, artifactory-service.log and router-request.log. 

  • artifactory-service.log
  • artifactory-access.log
  • artifactory-request.log
  • artifactory-traffic.*.log

For more information about Artifactory logs, see JFrog's Artifactory Log Files, Access Logs.

Configure a collector

Configure an Installed Collector.

Configure sources

In this step, you configure four local file sources, one for each log source listed in the table below. When you create a file source for a log type:

  • Use the value from the File Path column below as the File Path for the source.  

  • The value you specify for the source's Source Category must end with the suffix shown below in the Source Category column. For example, you could set the Source Category for the Artifactory Server log source to be foo/artifactory/console, but not artifactory/console/foo.

The following suffixes are required. For example, you could use _sourceCategory=<Foo>/artifactory/console, but the suffix artifactory/console must be used.

| Log source | File Path | Source Category |
|---|---|---|
| Artifactory Server and other microservices | $JFROG_HOME/<product>/var/log/artifactory-service.log | artifactory/console |
| Access | $JFROG_HOME/artifactory/var/artifactory/log/artifactory-access.log | artifactory/access |
| Request | $JFROG_HOME/<product>/var/log/artifactory-request.log | artifactory/request |
| Traffic | $JFROG_HOME/<product>/var/log/artifactory-traffic.*.log | artifactory/traffic |

For complete instructions see Local File Source.

  1. Configure a Local File source.
  2. Configure the Source fields:
    1. Name. (Required) A name is required. Description is optional.
    2. Source Category. (Required)  
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Logs are in UTC by default
    3. Timestamp Format. Auto Detect
    4. Encoding Type. UTF-8
    5. Multi-line Parsing. Detect Messages Spanning Multiple Lines, Infer Boundaries
  4. Click Save.

Sample Log Messages

Traffic

20201322001341|d29f485ce89ehh3i|0|DOWNLOAD|167.208.229.190|libs-release:org/springframework/spring-tx/maven-metadata.xml.sha1|117127

Request

20201222001254|g104521a2b42cc3l|176.164.175.181|nitin|GET|/milestone/org/freemarker/freemarker/maven-metadata.xml|404|761|86|1|curl/7.54.0

Access

2020-13-22 00:13:33,014 [ACCEPTED DEPLOY] jcenter-cache:com/cloudera/cdh/cdh-root/5.4.4-SNAPSHOT/maven-metadata.xml for client : admin/149.5.95.40.

Query Sample

Requests by Repo

_sourceCategory = Labs/artifactory/* 
| where _sourceCategory matches "*artifactory/request"
| parse "*|*|*|*|*|*|*|*|*|*|*" as datetime, traceid, ip, user, method, path, status_code, response_size, request_size, response_time, user_agent
| where !(path matches "/ui*" ) and !(path matches "/webapp*")
| parse regex field=path "/(?<repo>[^\/]+).*" nodrop
| parse regex field=path "(?<with_api>/api/(?:(?:npm|ruby|deb|docker|vcs|bower|pypi)/|))(?<repo>[^\/]+)"
| count as count by repo
| sort by count

Denied Login Attempts

_sourceCategory = Labs/artifactory/* "login" DENIED
| where _sourceCategory matches "*artifactory/access"
| parse " [*] *" as event_type, user_info 
| parse regex field=user_info "\s*for\s*\w+\s*:\s*(?<user>[^\/]+)\s*\/\s*(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\."
| where event_type = "DENIED LOGIN"
| count as Attempts by ip, user
| sort by Attempts
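
The Denied Login Attempts query above, reimplemented offline as an added Python example (not Sumo Logic's or JFrog's code) so its two parse stages can be checked against log lines before relying on the search. The sample lines, addresses and the function name denied_logins are constructed for illustration; the second return value lists DENIED LOGIN lines that the page's IPv4-only regex does not match, which the query drops because that parse stage has no nodrop.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the Access sample on this page (not real data).
SAMPLE_ACCESS_LOG = """\
2020-12-22 00:13:33,014 [ACCEPTED DEPLOY] jcenter-cache:com/example/app/maven-metadata.xml for client : admin/192.0.2.10.
2020-12-22 00:14:01,120 [DENIED LOGIN]  for client : admin/198.51.100.7.
2020-12-22 00:14:02,431 [DENIED LOGIN]  for client : admin/198.51.100.7.
2020-12-22 00:14:05,002 [DENIED LOGIN]  for client : deploy-bot/203.0.113.44.
2020-12-22 00:14:09,377 [ACCEPTED LOGIN]  for client : nitin/192.0.2.10.
2020-12-22 00:15:40,918 [DENIED LOGIN]  for client : admin/2001:db8::17.
"""

# Equivalent of: parse " [*] *" as event_type, user_info
EVENT = re.compile(r" \[(?P<event_type>.*?)\] (?P<user_info>.*)")

# The query's regex, with (?<name>...) written as Python's (?P<name>...)
CLIENT = re.compile(
    r"\s*for\s*\w+\s*:\s*(?P<user>[^\/]+)\s*\/\s*"
    r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\."
)


def denied_logins(text):
    """Return (attempts sorted by count, DENIED LOGIN lines the regex missed)."""
    attempts = Counter()
    unparsed = []
    for line in text.splitlines():
        event = EVENT.search(line)
        if event is None or event["event_type"] != "DENIED LOGIN":
            continue  # same effect as: where event_type = "DENIED LOGIN"
        client = CLIENT.search(event["user_info"])
        if client is None:
            # The query silently drops these; surface them to see coverage gaps.
            unparsed.append(line)
            continue
        attempts[(client["ip"], client["user"])] += 1  # count by ip, user
    return attempts.most_common(), unparsed


if __name__ == "__main__":
    counted, missed = denied_logins(SAMPLE_ACCESS_LOG)
    for (ip, user), n in counted:
        print(f"{n:3d}  {ip:<16} {user}")
    print(f"{len(missed)} DENIED LOGIN line(s) not matched by the regex")
```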

Most Active Locations

_sourceCategory = Labs/artifactory/*
| where _sourceCategory matches "*artifactory/traffic"
| parse regex "(?<year>\d{4})(?<month>\d{2})(?<day>\d{2})(?<hour>\d{2})(?<minute>\d{2})(?<second>\d{2})\|(?<traceid>\w+)\|\d*\|(?<direction>[^|]*)\|\s*(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[^|]*)\|(?<repo>[^:]*):(?<fullfilepath>[^|]*)\|(?<size>\d*)" nodrop
| where !isNull(ip) and ip != ""
| count as actions by ip
| lookup country_name, region, city from geo://location on ip = ip
| fields country_name, region, city, actions
| sort by actions | limit 10