EMS Log File Monitor
The EMS Log File Monitor watches for specific entries added to a log file
of an Enterprise Management System (EMS) application by
looking for entries that match a regular
expression. Each time the monitor runs, it examines log entries added
since the last time it ran.
Usage Guidelines
What to monitor
The EMS Log File Monitor is useful for automatically extracting data from
log files and sending the data to Topaz. In addition,
you can be notified of warning conditions that you might have otherwise been
unaware of until something more serious happened. Each time that it runs this
monitor, SiteScope starts from the point in the file where it stopped reading
last time it ran. This ensures that you are only notified of new entries and
speeds the rate at which the monitor runs.
When using a regular expression to match against a specific line in the log,
you can use regular expression back references to select the
data to forward to Topaz. See the section on regular
expressions for more details on back references.
What is sent to Topaz
The EMS Log File Monitor
sends to Topaz the data that is extracted from any row that matched the regular expression.
Use the configuration
file to control the data that is sent to Topaz. Refer to the EMS Configuration file format documentation for
more details on the file structure and syntax.
Note:
When referring to data arriving from the EMS Log File
Monitor in the config file, use the number of the back reference returned,
prefixed by ‘$group’.
For example, for the
expression:
/([0-9]{2})(HELLO) (world) /
you can refer to the groups in the config file as:
$group1 = ([0-9]{2})
$group2 = (HELLO)
$group3 = (world)
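An added example (not SiteScope code) of the behaviour described above: only entries appended since the previous run are read, and each back reference is exposed under the $groupN name used in the config file. It uses Python's re module in place of SiteScope's regular expression engine; the function names, the byte-offset state, and the handling of truncated files and partial lines are assumptions of this example, and the log lines are constructed.

```python
import os
import re
import tempfile

# The expression from the note above, including its trailing space.
PATTERN = re.compile(r"([0-9]{2})(HELLO) (world) ")


def scan_new_entries(path, offset, pattern=PATTERN):
    """Read complete lines added after byte `offset`; return (matches, new_offset).

    Each match is a dict keyed $group1, $group2, ... in back-reference order.
    """
    # Assumption: a file shorter than the saved offset was rotated or truncated,
    # so reading restarts from the beginning instead of silently skipping entries.
    if os.path.getsize(path) < offset:
        offset = 0
    matches = []
    with open(path, "rb") as fh:
        fh.seek(offset)
        for raw in fh:
            if not raw.endswith(b"\n"):
                break  # partial line still being written; picked up on the next run
            offset += len(raw)
            line = raw.decode("utf-8", errors="replace")
            # Apply the expression repeatedly so every occurrence is counted.
            for m in pattern.finditer(line):
                matches.append({f"$group{i}": g for i, g in enumerate(m.groups(), 1)})
    return matches, offset


def demo():
    """Two monitor runs over a constructed log file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ems.log")
        with open(path, "wb") as fh:
            fh.write(b"boot ok\n42HELLO world first\n")
        first, offset = scan_new_entries(path, 0)
        with open(path, "ab") as fh:
            fh.write(b"07HELLO world second\n13HELLO wor")  # last line incomplete
        second, offset2 = scan_new_entries(path, offset)
        return first, second, offset, offset2


if __name__ == "__main__":
    print(demo())
```

The second run returns only the `07` entry: the first entry is not reported again, and the unfinished last line is left for a later run.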
Completing the EMS Log File Monitor Form
To display the EMS Log File Monitor Form, either click the Edit link
for an existing EMS Log File Monitor in a monitor table, or click the add a Monitor
link on a group's detail page and click the Add EMS Log File Monitor
link.
- Server
- Select the server where the log
files you want to monitor are located. Use the choose server link to access a
list of remote UNIX
servers that have been specified to SiteScope.
- Log File Pathname
- Enter the pathname to the log file
you want to extract data from. For reading log files on remote UNIX machines,
the path must be relative to the home directory of the UNIX user account being used
to log in to the remote machine. See the Preferences - Remote UNIX page
for information on which UNIX user account is being used.
You can also monitor log files on a remote Windows NT/2000 server through
NetBIOS by including the UNC path to the remote log file. For example,
\\remoteserver\sharedfolder\filename.log
This requires that the user account under which SiteScope is running has
permission to access the remote directory using the UNC path. If a direct
connection via the operating system is unsuccessful, SiteScope will try to
match the \\remoteserver with
servers currently defined as remote NT connection profiles (displayed in the Remote NT Servers
table). If an exact match is found for \\remoteserver
in the remote NT connection profiles, SiteScope will try to use this connection
profile to access the remote log file. If no matching server name is found, the
monitor reports that the remote log file cannot be found.
Note: If you are using SSH as a connection method to remote NT
servers, you will need to select the remote server using the Choose Server
link above. It is not necessary to select a remote NT server if you are using
NetBIOS to connect to remote NT servers.
Optionally, you can use a regular expression to
insert date and time variables. For example, you can use a syntax of
s/ex$shortYear$$0month$$0day$.log/
to match date-coded IIS log file names.
- Run Alert
- Select the method for running alerts for this monitor.
- Select "for each event matched" to have
the monitor trigger alerts for each and every matching entry found.
Note: When the EMS Log File Monitor is run with this alert method
selected, the monitor will never be displayed as an error or warning status in
the SiteScope interface, regardless of the results of the content match or even
if the target log file is not found. The monitor will trigger alerts if one or
more matching entries are found and the Error if or Warning if
thresholds are defined accordingly in the Advanced
Options section. For example, setting Error if to the default of
matchCount > 0.
- Select "once, after all events have been
checked" to have the monitor count up the number of matches and
trigger alerts one time based on the Error if and Warning if
thresholds defined for the monitor in the Advanced
Options section.
Note: By default, selecting this option will cause SiteScope to send one
alert message if one or more matches are found, but the alert will not include
any details of the matching entries. To have SiteScope include the matching
entries, you must associate the monitor with an alert definition that has the
property <matchDetails> in the alert template. This special template property is
used to populate the alert with the details of all the matching entries. You
use this for e-mail alerts or other alert types that work with template
properties. E-mail alert templates are stored in the SiteScope\templates.mail directory.
See the chapter on Custom Alert Templates in
the SiteScope Reference Guide for more information about modifying alert
templates.
- Content Match
- Enter the text to look for in the
log entries. Regular
expressions may also be used in this box to match text patterns. Unlike the
content match feature of other SiteScope monitors, the EMS Log File Monitor
content match is run repeatedly against the most recent content of target log
file until all matches are found. This means the monitor not only reports if
the match was found but also how many times the matched pattern was found. To
match text that includes more than one line of text, add an s
search modifier to the end of the
regular expression. SiteScope’s regular expression engine uses brackets in
order to create back references. The back references can be used in order to extract
data from the file and send it to Topaz. For more information on the concept of
back references, see the Regular
expressions documentation.
- Update every
- Select how often the monitor should read the application log file. The
default interval is to run or update the monitor once every 10 minutes. Use the
drop-down list to the right of the text box to specify another update interval
in increments of seconds, minutes, hours, or days. The update interval must be
15 seconds or longer. You can schedule your Log File Monitors to run as often
as every 15 seconds. However, depending on the size of the log file and the total
number of monitors you have running, the monitor may take 15 seconds or longer to
check the file for the desired entries. The default update schedule is every 10
minutes, which may be reasonable in most cases.
- Title
- Enter a title text for this
monitor. This text is displayed in the group detail page, in report titles, and
other places in the SiteScope interface. If you do not enter a title text,
SiteScope will create a title based on the host, server, or URL being
monitored.
Advanced Options
The Advanced Options section presents a number of ways to customize monitor
behavior and display. Use this section to customize error and warning
thresholds, disable the monitor, set monitor-to-monitor dependencies, customize
display options, and enter other monitor specific settings required for special
infrastructure environments. The options for this monitor type are described
below. Complete the entries as needed and click the Add or Update
button to save the settings.
- Disable
- Check this box to temporarily
disable this monitor and any associated alerts. To enable the monitor again,
clear the box.
- EMS Configuration File Path
- Enter the path to the EMS integration configuration file. For more information about the format of the file, see the EMS Configuration file format documentation.
The default location is: SiteScope\ems\Log\main.config.
- Update Every (on error)
- You use this option to set a new
monitoring interval for monitors that have registered an error condition. For
example, you may want SiteScope to monitor this item every 10 minutes normally,
but as often as every 2 minutes if an error has been detected. Note that this
increased scheduling will also affect the number of alerts generated by this
monitor.
- Schedule
- By default, SiteScope monitors are
enabled every day of the week. You may, however, schedule your monitors to run
only on certain days or on a fixed schedule. Click the Edit schedule
link to create or edit a monitor schedule. For more information about working
with monitor schedules, see the section on Schedule Preferences
for Monitoring.
- Monitor Description
- Enter additional information about
this monitor. The Monitor Description can include HTML tags such as the
<BR>, <HR>, and <B> tags to control display format and style.
The description will appear on the Monitor Detail page.
- Report Description
- Enter an optional description for
this monitor that will make it easier to understand what the monitor does. For
example, network traffic or main server response time. This description
will be displayed with each bar chart and graph in Management Reports and
appended to the tool-tip displayed when you pass the mouse cursor over the
status icon for this monitor on the monitor detail page.
- Depends On
- To make the running of this monitor
dependent on the status of another monitor or monitor group, use the drop-down
list to select the monitor on which this monitor is dependent. Select None
to remove any dependency.
- Depends Condition
- If you choose to make the running
of this monitor dependent on the status of another monitor, select the status
condition that the other monitor or monitor group should have in order for the
current monitor to run normally. The current monitor will be run normally as
long as the monitor on which it depends reports the condition selected in this
option.
- List Order
- By default, new monitors are listed
last on the Monitor Detail page. You may use this drop-down list to choose a
different placement for this monitor.
- Error if
- Set an error threshold for this
monitor. The thresholds are used when the "Run Alerts: once, ..."
option is chosen. By default, an error is signaled whenever there is one or
more matching events. Select a comparison value from the list, and use the
comparison operator list to specify an error threshold such as: >= (greater
than or equal to), != (not equal to), or < (less than).
The possible comparison values are:
- matches - the number of matches found.
- lines - the number of lines processed.
- lines/min - the number of lines per minute processed during
this monitoring period.
- matches/min - the number of matches per minute that
occurred during this monitoring period.
- Value to value4 - values returned by
the first four back references
- Warning if
- Set the Warning threshold for this
monitor. The default is to generate a warning if SiteScope is unable to read the
log file. The symbols in the comparison value drop-down list are the same as
those for Error if.
- Good if
- The default is to mark the monitor
as good if the log file can be read and there are no matches.