Multiple Log File Monitor

The Multiple Log File Monitor watches for specific entries added to one or more log files in a single directory by looking for entries containing a text phrase or a regular expression.

Each time the Multiple Log File Monitor runs, it examines log entries added since the last time it ran. Optionally, you can set the monitor to check log entries from the beginning of the log file using the Search From Start setting.

Usage Guidelines

What to monitor

The Multiple Log File Monitor is useful for automatically scanning one or more log files in a single location for error information. With SiteScope doing this for you at set intervals, you can eliminate the need to scan the logs manually. In addition, you can be notified of warning conditions that you might have otherwise been unaware of until something more serious happened. Each time that it runs this monitor, SiteScope starts from the point in the file where it stopped reading last time it ran. This insures that you are only notified of new entries and speeds the rate at which the monitor runs.

About scheduling this monitor

You can schedule the Multiple Log File Monitors to run as often as every 15 seconds. However, depending on the number and size of the log files being monitored, the total number of monitors you have running, and Search From Start option selected for this monitor, the monitor may easily take 15 seconds or longer to check the file for the desired entries. This may slow SiteScope performance and cause other problems. The default update schedule is every 10 minutes which may be reasonable in most cases.

Completing the Multiple Log File Monitor Form

To display the Multiple Log File Monitor Form, either click the Edit link for an existing Multiple Log File Monitor in a monitor table, or click the add a Monitor link on a group's detail page and click the Add Multiple Log File Monitor link.

Complete the items on the Multiple Log File Monitor Form as follows. When the required items are complete, click the Add Monitor button.

Log File Directory

Enter the pathname to the directory containing the log files you want to monitor. All of the log files must be in the same directory. For reading log files on remote UNIX machines, the path must be relative to the to the home directory of UNIX user account being used to login to the remote machine. See the Preferences - Remote UNIX page for information on which UNIX user account is being used.

You can also monitor log files on a remote Windows NT/2000 server through NetBIOS by including the UNC path to the remote log file. For example,
\\remoteserver\sharedfolder\filename.log
This requires that the user account under which SiteScope is running has permission to access the remote directory using the UNC path. If a direct connection via the operating system is unsuccessful, SiteScope will try to match the \\remoteserver with servers currently defined remote NT connection profiles (displayed in the Remote NT Servers table). If an exact match is found \\remoteserver in the remote NT connection profiles, SiteScope will try to use this connection profile to access the remote log file. If no matching server name is found, the monitor reports that the remote log file can not be found.

Note: If you are using SSH as a connection method to remote NT servers, you will need to select the remote server using the Choose Server link above. It is not necessary to select a remote NT server if you are using NetBIOS to connect to remote NT servers.

Optionally, you can use a regular expression to insert date and time variables. For example, you can use a syntax of
s/ex$shortYear$$0month$$0day$.log/
to match date-coded IIS log file names.

Server

Select the server where the log files you want to monitor are located. Use the choose server link to access a list of remote UNIX servers that have been specified to SiteScope.

File Name Match

Enter the a regular expression to match the names of the log files you want to monitor. Fo reading log files on remote UNIX machines, the match expression must be a UNIX-style regular expression supported by the grep utility. For log files on a local or remote NT machine, the match expression should use the syntax as described in the section Using Regular Expressions.

Content Match

Enter the text to look for in the log entries. Regular expressions may also be used in this box to match text patterns. Unlike the content match feature of other SiteScope monitors, the Multiple Log File Monitor content match is run repeatedly against the most recent content of target log file until all matches are found. This means the monitor not only reports if the match was found but also how many times the matched pattern was found. To match text that includes more than one line of text, add an s search modifier to the end of the regular expression.

Search From Start

Select this setting to have SiteScope always check the entire log file contents each time that the monitor is run.

Note: You should only check this option for testing and to verify that the Content Match you have entered above are matching on the desired log file content. Depending on the size of the log files being monitored, having SiteScope check the content from the start of each file each time the monitor is run may impact the performance of the monitor and of SiteScope.

Update every

Select how often the monitor should read the application log file. The default interval is to run or update the monitor once every 10 minutes. Use the drop-down list to the right of the text box to specify another update interval in increments of seconds, minutes, hours, or days. The update interval must be 15 seconds or longer.

Title

Enter a title text for this monitor. This text is displayed in the group detail page, in report titles, and other places in the SiteScope interface. If you do not enter a title text, SiteScope will create a title based on the host, server, or URL being monitored.

Advanced Options

The Advanced Options section presents a number of ways to customize monitor behavior and display. Use this section to customize error and warning thresholds, disable the monitor, set monitor-to-monitor dependencies, customize display options, and enter other monitor specific settings required for special infrastructure environments. The options for this monitor type are described below. Complete the entries as needed and click the Add or Update button to save the settings.

Rules File Pathname

Optional: In rare cases, it may be necessary to create a custom rules file to specify the log entries to match and the alerts to send. An example rules file is located in <SiteScope install path>/SiteScope/Classes/CustomMonitor/test.rules. Make a copy of this file and rename. There is no required naming convention. Open the file with the editor of your choice, and using the comments as a guideline, edit the file to meet your needs. When you are finished, type the full path name to your rules file in this box.

No Error on File Not Found

Check this box if you want this monitor to remain in GOOD status, if the file is not found.

Disable

Check this box to temporarily disable this monitor and any associated alerts. To enable the monitor again, clear the box.

Verify Error

Check this box if you want SiteScope to automatically run this monitor again if it detects an error. When an error is detected, the monitor will immediately be scheduled to run again once.

Note: In order to change the run frequency of this monitor when an error is detected, use the Update every (on errors) option below.

Note: The status returned by the Verify Error run of the monitor will replace the status of the originally scheduled run that detected an error. This may cause the loss of important performance data if the data from the verify run is different than the initial error status.

Warning: Use of this option across many monitor instances may result in significant monitoring delays in the case that multiple monitors are rescheduled to verify errors at the same time.

Update Every (on error)

You use this option to set a new monitoring interval for monitors that have registered an error condition. For example, you may want SiteScope to monitor this item every 10 minutes normally, but as often as every 2 minutes if an error has been detected. Note that this increased scheduling will also affect the number of alerts generated by this monitor.

Schedule

By default, SiteScope monitors are enabled every day of the week. You may, however, schedule your monitors to run only on certain days or on a fixed schedule. Click the Edit schedule link to create or edit a monitor schedule. For more information about working with monitor schedules, see the section on Schedule Preferences for Monitoring.

Monitor Description

Enter additional information about this monitor. The Monitor Description can include HTML tags such as the <BR> <HR>, and <B> tags to control display format and style. The description will appear on the Monitor Detail page.

Report Description

Enter an optional description for this monitor that will make it easier to understand what the monitor does. For example, network traffic or main server response time. This description will be displayed on with each bar chart and graph in Management Reports and appended to the tool-tip displayed when you pass the mouse cursor over the status icon for this monitor on the monitor detail page.

Depends On

To make the running of this monitor dependent on the status of another monitor or monitor group, use the drop-down list to select the monitor on which this monitor is dependent. Select None to remove any dependency.

Depends Condition

If you choose to make the running of this monitor dependent on the status of another monitor, select the status condition that the other monitor or monitor group should have in order for the current monitor to run normally. The current monitor will be run normally as long as the monitor on which it depends reports the condition selected in this option.

List Order

By default, new monitors are listed last on the Monitor Detail page. You may use this drop-down list to choose a different placement for this monitor.

Error if

Set an error threshold for this monitor. The thresholds are used when the "Run Alerts: once, ..." option is chosen. By default, an error is signaled whenever there is one or more matching events. Select a comparison value from the list, and use the comparison operator list to specify an error threshold such as: >= (greater than or equal to), != (not equal to), or < (less than).

The possible comparison values are:

matches - the number of matches found.
lines - the number of lines processed.
lines/min - the number of lines per minute processed during this monitoring period.
matches/min - the number of matches per minute that occurred during this monitoring period.

Warning if

Set the Warning threshold for this monitor. The default is to generate a warning if SiteScope is unable to read the log file. The symbols in the comparison value drop-down list are the same as those for Error if.

Good if

The default is to mark the monitor as good if the log file can be read and there are no matches.