MENU
      Contents x
      File
      • 12 Jun 2025
      • 4 Minutes to read
      • Print
      • Dark
      Contents

      File

      • Updated on 12 Jun 2025
      • 4 Minutes to read
      • Print
      • Dark
      Article summary

      Overview

      This Adapter allows you to ingest logs from a file, either as a one time operation or by following its output (like tail -f).

      Configuration

      All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

      • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
      • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
      • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
      • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

      Adapter type file:

      • file_path: simple file pattern like ./files_*.txt

      • no_follow: if true, the file content will be sent, but additions to the file will not be reported

      • inactivity_threshold: the number of seconds after which an unmodified file becomes ignored

      • backfill: if true, a single pass at all the matching files will be made to ingest them, useful for historical ingestion

      • serialize_files: if true, files will be ingested one at a time, useful for very large number of files that could blow up memory

      CLI Deployment

      Adapter downloads can be found here.

      chmod +x /path/to/lc_adapter

/path/to/lc_adapter file client_options.identity.installation_key=$INSTALLATION_KEY \
client_options.identity.oid=$OID \
client_options.platform=text \
client_options.sensor_seed_key=$SENSOR_NAME \
client_options.hostname=$SENSOR_NAME \
file_path=/path/to/file
      Bash

      Infrastructure as Code Deployment

      # File Adapter Specific Docs: https://docs.limacharlie.io/docs/adapter-types-file

sensor_type: "file"
file:
  write_timeout_sec: 10 # (optional) Timeout in seconds for writing data. e.g., 10 or null.
  file_path: "/var/log/my_application/current_app.log" # (required) Path to the file or directory to monitor. Glob patterns are supported (e.g., /var/log/app/*.log).
  no_follow: false # (optional) If true, read the file(s) once and exit. If false (default), tail the file(s) for new lines.
  inactivity_threshold: 3600 # (optional) In seconds. If 'no_follow' is false, time to wait after no new lines before closing file. Default 0 (never).
  reactivation_threshold: 5 # (optional) In seconds. If 'no_follow' is false, time to wait after file closure to check if it became active again. Default 0 (never).
  backfill: true # (optional) If true (default), read file(s) from the beginning. If false, only process new lines from the point the adapter starts.
  serialize_files: false # (optional) If 'file_path' is a glob and this is true, process files one at a time. Default false (process concurrently).
  poll: false # (optional) If true, use polling to detect file changes instead of filesystem events (inotify/fsnotify). Useful for some network shares. Default false.
  multi_line_json: false # (optional) If true, allows a single JSON event to span multiple lines in the file. Default false.
  client_options:
    identity:
      oid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # (required) Organization ID from LimaCharlie.
      installation_key: "YOUR_LC_INSTALLATION_KEY_FILE" # (required) Installation key associated with the OID.
    hostname: "appserver-lon-01.example.com" # (required) Hostname where the file is being read.
    platform: "linux" # (required) Platform of the host. e.g., "linux", "windows", "darwin".
    architecture: "x86_64" # (optional) Architecture of the host.
    mapping:
      # Define parsing_re if the file contains unstructured text lines.
      # If the file contains JSON objects (one per line), set parsing_re to null.
      # Example for a common text log format: timestamp [level] component: message
      parsing_re: "^(?P<timestamp>\\w{3}\\s+\\d{1,2}\\s+\\d{2}:\\d{2}:\\d{2})\\s+\\[(?P<log_level>\\w+)\\]\\s+(?P<component_name>\\S+):\\s+(?P<log_message>.*)$"
      # (optional) Path to uniquely ID the original event. Can use file path + line number or a field from parsed data.
      sensor_key_path: "routing.original_file_path" # Example, or a field like "parsed_data.unique_event_id"
      # (optional) If client_options.hostname is NOT static.
      sensor_hostname_path: null
      # (optional) Example: "APP_LOG_DATABASE_INFO", "APP_LOG_AUTH_ERROR".
      event_type_path: "FILE_LOG_{{ .component_name | token | upper | default \"GENERIC\" }}_{{ .log_level | token | upper }}"
      # (optional) JSON path to the event's occurrence time, assuming 'timestamp' is captured by parsing_re.
      event_time_path: "timestamp"
      # (optional) JSON path for a field to populate LimaCharlie's investigation_id.
      investigation_id_path: "correlation_id_from_log" # If such a field exists in your logs.
      # (optional) Use +/- syntax for transforms.
      transform:
        "+monitored_file_path": "{{ .config.file_path }}" # Add the configured file_path to the event
        "+ingestion_source_type": "LocalFileAdapter"
        # "-component_name": null # Example: if component_name is only used for event_type_path
        # (optional) A list of field paths to drop.
      drop_fields:
      - "raw_unparsed_line" # If parsing_re is used and successful
      sid_replication_path: null # (optional) Not typically relevant for generic file logs.
    # mappings: null
    indexing:
      enabled: true
      # Example: index by a parsed component name and org prefix
      default_index: "app-logs-{{ .component_name | lower | default \"data\" }}-{{ .identity.oid | substr 0 8 }}"
    is_compressed: false # (optional) The adapter reads uncompressed files. If your log files are gzipped, they generally need to be uncompressed first or handled by a different process before this adapter reads them. (Some adapters might support .gz directly, check specific adapter notes if applicable)
    sensor_seed_key: "SEED_KEY_FILE_ADAPTER_001" # (required)
    dest_url: "https://input.limacharlie.io" # (optional) The destination URL. Usually defaults correctly.
      YAML

      Was this article helpful?
      What's Next