Log File Monitor
The Log File Monitor watches for specific entries added to a log file by
looking for entries containing a text phrase or a regular expression.
The "Run Alerts" setting controls how alerts are triggered by
this monitor. If "for each log entry matched" is chosen, then the
monitor triggers alerts for every matching log entry found. In this way,
the monitor acts much like an event forwarder. If "once, after all log
entries have been checked" is chosen, then the monitor counts up the
number of matches and triggers alerts based on the Error if and
Warning if thresholds defined for the monitor.
Each time the Log File Monitor runs, it examines log entries
added since the last time it ran. Optionally, you can set the monitor to check
log entries from the beginning of the log file using the Check from Beginning
setting.
What to monitor
The Log File Monitor is useful for automatically scanning log files for
error information. With SiteScope doing
this for you at set intervals, you can eliminate the need to scan the logs
manually. In addition, you can be notified of warning conditions that you
might have otherwise been unaware of until something more serious happened.
Each time that it runs this monitor, SiteScope starts from the point in the
file where it stopped reading the last time it ran. This ensures that
you are only notified of new entries and speeds the rate at which the
monitor runs.
About scheduling this monitor
You can schedule your Log File Monitors to run as often as every 15 seconds.
However, depending on the size of the log file, the total number of monitors you have
running, and the Check from Beginning option
selected, the monitor may take 15 seconds or longer to check the file for
the desired entries. The default update schedule is
every 10 minutes, which may be reasonable in most cases.
Completing the Log File Monitor Form
To display the Log File Monitor Form, either click the Edit link
for an existing Log File Monitor in a monitor table, or click the add a
Monitor link on a group's detail page and click the
Add Log File Monitor link.
Complete the items on the Log File Monitor Form as follows. When the
required items are complete, click the Add Monitor button.
- Server
-
Select the server where the log files you want to monitor are
located. Use the choose server link to access a list of
remote UNIX servers that have been
specified to SiteScope.
- Log File Pathname
-
Enter the pathname to the log file you want to monitor. For reading
log files on remote UNIX machines, the path must be relative to the
home directory of the UNIX user account being used to log in to
the remote machine. See the Preferences - Remote UNIX page
for information on which UNIX user account is being used.
You can also monitor log files on a remote Windows NT/2000 server through NetBIOS
by including the UNC path to the remote log file. For example,
\\remoteserver\sharedfolder\filename.log
This requires that the user account under which SiteScope is running
has permission to access the remote directory using the UNC path. If a direct
connection via the operating system is unsuccessful, SiteScope will try to match the
\\remoteserver with servers currently defined as remote NT connection profiles
(displayed in the Remote NT Servers table).
If an exact match is found for \\remoteserver in the remote NT connection
profiles, SiteScope will try to use this connection profile to access the remote log file.
If no matching server name is found, the monitor reports that the remote log file
cannot be found.
Note: If you are using SSH as a connection method to
remote NT servers, you will need to select the remote server using
the Choose Server link above. It is not necessary to select
a remote NT server if you are using NetBIOS to connect to remote NT
servers.
Optionally, you can use a regular expression to insert date
and time variables. For example, you can use a syntax of
s/ex$shortYear$$0month$$0day$.log/ to match date-coded IIS
log file names.
- Check from Beginning
-
Select the file checking option for this monitor instance. This setting
controls what SiteScope will look for and how much of the target
file will be checked each time that the monitor is run. The following table
describes the options for this setting:
Checking Option | Description
Never | Check only newly added records, starting at the time that the monitor was created (not when the file was created). This is the default behavior.
First Time Only | Check the whole file once when the monitor is first created, then only for new records on each subsequent monitor run. Use this option to check a file that already had entries before the monitor was created or started.
Always | Always check the contents of the whole file. Note: Use of this option may have undesired impact on SiteScope performance. Monitoring large log files with this option may use large amounts of memory and CPU time on the SiteScope server which can lead to other performance problems.
- Run Alert
-
Select the method for running alerts for this monitor.
-
Select "for each event
matched" to have the monitor trigger alerts for each and every
matching entry found.
Note: When the Log File Monitor is
run with this alert method selected, the
monitor will never be displayed as an error or warning status in the SiteScope interface, regardless
of the results of the content match or even if the target log file is not found.
The monitor will trigger alerts if one or more matching entries are found
and the Error if or
Warning if thresholds are defined accordingly in the
Advanced Options section. For example, set Error if
to the default of matchCount > 0.
-
Select "once, after all events have been checked"
to have the monitor count up the number of matches
and trigger alerts one time based on the Error if and
Warning if thresholds defined for the monitor in the
Advanced Options section.
Note: By default, selecting this option will cause SiteScope
to send one alert message if one or more matches are found, but
the alert will not include any details of the matching entries.
To have SiteScope include the matching entries,
you must associate the monitor with an alert definition that has
the <matchDetails> property in the alert template. This special
template property is used to populate the alert with the details of all the
matching entries. You use this for e-mail alerts or other alert types that work with template properties.
E-mail alert templates are stored in the SiteScope\templates.mail directory.
See the chapter on Custom Alert Templates in the
SiteScope Reference Guide for more information about
modifying alert templates.
- Content Match
-
Enter the text to look for in the log entries. Regular expressions may also be used in this box
to match text patterns. Unlike the content match feature of other
SiteScope monitors, the Log File Monitor content match is run
repeatedly against the most recent content of the target log file until
all matches are found. This means the monitor not only reports if
the match was found but also how many times the matched pattern was
found. To match text that includes more than one line of text, add
an s search modifier to the end of the regular expression.
- Update every
-
Select how often the monitor should read the application log
file.
The default interval is to run or update the monitor once every 10 minutes.
Use the drop-down list to the right of the text box to specify another update
interval in increments of seconds, minutes, hours, or days. The update interval
must be 15 seconds or longer.
- Title
-
Enter a title text for this monitor. This text is displayed in the
group detail page, in report titles, and other places in the SiteScope
interface. If you do not enter a title text, SiteScope will
create a title based on the host, server, or URL being monitored.
Advanced Options
The Advanced Options section presents a number of ways to customize
monitor behavior and display. Use this section to customize error and warning
thresholds, disable the monitor, set monitor-to-monitor dependencies, customize
display options, and enter other monitor specific settings required for
special infrastructure environments. The options for this monitor type are
described below. Complete the entries as needed and click the Add
or Update button to save the settings.
- Rules File Pathname
-
Optional: In rare cases, it may be necessary to create a custom
rules file to specify the log entries to match and the alerts to
send. An example rules file is located in
<SiteScope install path>/SiteScope/classes/CustomMonitor/sample.rules.
Make a copy of this
file and rename it. There is no required naming
convention. Open the file with the editor of your choice, and using
the comments as a guideline, edit the file to meet your needs. When
you are finished, type the full path name to your rules file in
this box.
- No Error on File Not Found
-
Check this box if you want this monitor to remain in GOOD status
if the file is not found.
- Disable
-
Check this box to temporarily disable this monitor and any
associated alerts. To enable the monitor again, clear the box.
- Verify Error
-
Check this box if you want SiteScope to automatically run this
monitor again if it detects an error. When an error is detected,
the monitor will immediately be scheduled to run again once.
Note: In order to change the run frequency of this
monitor when an error is detected, use the Update every (on
errors) option below.
Note: The status returned by the Verify Error run
of the monitor will replace the status of the originally scheduled
run that detected an error. This may cause the loss of important
performance data if the data from the verify run is different than
the initial error status.
Warning: Use of this option across many monitor instances
may result in significant monitoring delays in the case that
multiple monitors are rescheduled to verify errors at the same
time.
- Update Every (on error)
-
You use this option to set a new monitoring interval for
monitors that have registered an error condition. For example, you
may want SiteScope to monitor this item every 10 minutes normally,
but as often as every 2 minutes if an error has been detected. Note
that this increased scheduling will also affect the number of
alerts generated by this monitor.
- Schedule
-
By default, SiteScope monitors are enabled every day of the
week. You may, however, schedule your monitors to run only on
certain days or on a fixed schedule. Click the Edit
schedule link to create or edit a monitor schedule.
For more information about working with monitor schedules,
see the section on Schedule
Preferences for Monitoring.
- Monitor Description
-
Enter additional information about this monitor. The Monitor
Description can include HTML tags such as the <BR>,
<HR>, and <B> tags to control display format and style.
The description will appear on the Monitor Detail page.
- Report Description
-
Enter an optional description for this monitor that will make it easier to
understand what the monitor does. For example, network traffic or
main server response time. This description will be displayed
with each bar chart and graph in Management Reports and appended to
the tool-tip displayed when you pass the mouse cursor over the
status icon for this monitor on the monitor detail page.
- Depends On
-
To make the running of this monitor dependent on the status of
another monitor or monitor group, use the drop-down list to select
the monitor on which this monitor is dependent. Select
None to remove any dependency.
- Depends Condition
-
If you choose to make the running of this monitor dependent on the
status of another monitor, select the status condition that the
other monitor or monitor group should have in order for the current
monitor to run normally. The current monitor will be run normally
as long as the monitor on which it depends reports the
condition selected in this option.
- List Order
-
By default, new monitors are listed last on the Monitor Detail
page. You may use this drop-down list to choose a different
placement for this monitor.
- Error if
-
Set an error threshold for this monitor. The thresholds are used
when the "Run Alerts: once, ..." option is chosen. By
default, an error is signaled whenever there is one or more
matching events. Select a comparison value from the list, and use
the comparison operator list to specify an error threshold such as:
>= (greater than or equal to), != (not equal to), or < (less
than).
The possible comparison values are:
- matches - the number of matches found.
- lines - the number of lines processed.
- lines/min - the number of lines per minute processed during
this monitoring period.
- matches/min - the number of matches per minute that
occurred during this monitoring period.
- Warning if
-
Set the Warning threshold for this monitor. The default is to
generate a warning if SiteScope is unable to read the log file. The
symbols in the comparison value drop-down list are the same as
those for Error if.
- Good if
-
The default is to mark the monitor as good if the log file can be
read and there are no matches.
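The read-position, match-counting and threshold behaviour described on this page, modelled as an added Python sketch (it is not SiteScope code and not part of the original documentation). The class name, the mode strings, the reset on a truncated file and the handling of a half-written last line are assumptions of the sketch, and the log lines are constructed.

```python
import os
import re
import tempfile

class LogMonitorModel:
    """Illustrative model of the documented behaviour; not SiteScope code."""

    def __init__(self, path, pattern, check_from_beginning="never",
                 error_if=lambda v: v["matches"] > 0):
        self.path, self.regex = path, re.compile(pattern)
        self.mode = check_from_beginning   # "never" | "first_time_only" | "always"
        self.error_if = error_if           # default: one or more matches
        # "never" starts at the end of the file as it is when the monitor is created.
        at_end = self.mode == "never" and os.path.exists(path)
        self.offset = os.path.getsize(path) if at_end else 0

    def run(self, interval_min=10.0):
        try:
            size = os.path.getsize(self.path)
        except OSError:   # default Warning if: the log file cannot be read
            return {"status": "warning", "matches": 0, "lines": 0}
        if self.mode == "always" or size < self.offset:
            self.offset = 0   # size < offset means truncated or rotated (assumption)
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        data = data[:data.rfind(b"\n") + 1]   # keep a half-written last line for next run
        self.offset += len(data)
        text = data.decode("utf-8", errors="replace")
        v = {"matches": sum(1 for _ in self.regex.finditer(text)),
             "lines": text.count("\n")}
        v["matches/min"] = v["matches"] / interval_min
        v["lines/min"] = v["lines"] / interval_min
        v["status"] = "error" if self.error_if(v) else "good"
        return v

def demo():
    """Run the three checking options against a constructed log file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "wb") as fh:   # entries that exist before the monitors do
            fh.write(b"10:00 login failed user=alice\n10:01 login ok user=bob\n")
        mons = {m: LogMonitorModel(path, r"login failed", m)
                for m in ("never", "first_time_only", "always")}
        first = {m: mon.run()["matches"] for m, mon in mons.items()}
        with open(path, "ab") as fh:   # one complete new entry plus a partial line
            fh.write(b"10:02 login failed user=carol\n10:03 login fai")
        second = {m: mon.run()["matches"] for m, mon in mons.items()}
        return first, second
```

demo() returns the match counts of the first and second run for each option; in the sketch only "always" counts the pre-existing entry again on the second run.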