I need to monitor some log text files for certain contents. Example of part of text file below.
In the first line there is the entry XQ=1671. Throughout the file are entries for XQ=. I need to alert for any entries over XQ=2000.
I have created a ‘rule’ that alerts when the entry XQ=2000 appears. I have tried to use multiple expressions in the same rule so it alerts when XQ=2000 and then has an OR group with XQ=2001 up to XQ=2010. Unfortunately using multiple expressions has never worked so I have to create 10 individual rules for XQ=2000 up to XQ=2009.
All working OK; however, with them being rules, I have to manually clear the alerts.
So, I tried to create the same thing using ‘monitors’. I have created a manual reset monitor. I have also created a timer reset monitor and an event reset monitor. The event reset was to alert when XQ=2000 and then the second event was when XQ=16 (a figure in the 1600s is always in the log file at some point, so I thought this would be a good way to reset).
The problem is none of the monitor alerts will work.
Can you only use Rules to monitor the contents of a text file? Do I need to do anything different to get monitors working?
I basically followed this URL to get this working for rules https://support.microsoft.com/en-gb/kb/2691973
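An added example, not part of the thread and not SCOM's own code: a PowerShell check, run outside SCOM, of one pattern that covers every XQ value from 2000 upward instead of one rule per value, compared against a plain numeric test. It assumes entries have the form `XQ=<integer>` and that 2000 itself should alert, as the poster's rules do; the sample lines, `$pattern` and `Get-XqOverThreshold` are constructed for illustration, and whether a SCOM expression filter accepts this pattern syntax is not established by the thread.

```powershell
# Constructed sample lines; only the XQ=<integer> form is taken from the post.
$sample = @(
    '10:01:07 STAT XQ=1671 OK',
    '10:01:12 STAT XQ=2000 OK',
    '10:01:19 STAT XQ=2009 XQ=1650',
    '10:01:25 STAT XQ=20415 OK',
    '10:01:31 STAT XQ=01999 OK',
    '10:01:40 STAT MAXQ=2500 OK'
)

# One pattern for every integer >= 2000:
#   [2-9]\d{3}   covers 2000..9999
#   [1-9]\d{4,}  covers 10000 and up
# 0* tolerates zero padding, (?<![A-Za-z0-9]) keeps MAXQ= from matching,
# and (?!\d) prevents matching only the first digits of a longer number.
$pattern = '(?<![A-Za-z0-9])XQ=0*(?:[2-9]\d{3}|[1-9]\d{4,})(?!\d)'

# Hypothetical helper: extract every XQ value and compare it numerically.
function Get-XqOverThreshold {
    param(
        [string[]]$Line,
        [int]$Threshold = 2000   # assumption: 2000 itself alerts
    )
    foreach ($l in $Line) {
        foreach ($m in [regex]::Matches($l, '(?<![A-Za-z0-9])XQ=(\d+)')) {
            $value = [long]$m.Groups[1].Value
            if ($value -ge $Threshold) {
                [pscustomobject]@{ Value = $value; Line = $l }
            }
        }
    }
}

$byNumber = Get-XqOverThreshold -Line $sample
$byRegex  = $sample | Where-Object { $_ -cmatch $pattern }

$byNumber | Format-Table -AutoSize

# The pattern and the numeric test should flag the same lines.
$diff = Compare-Object ($byNumber.Line | Sort-Object -Unique) ($byRegex | Sort-Object -Unique)
if ($diff) { Write-Warning 'Pattern and numeric check disagree' } else { 'Pattern and numeric check agree' }
```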
There should be no difference between using a rule or a monitor to monitor the contents of a log file.
That being said, I would suggest you try using OMS to gather your custom log file info. OMS has much more flexibility to alert on specific contents…and it can all be set up in a few minutes. OMS has a 500mb/day free tier so you can try it out without having to pay anything.
Thank you Wilson W. My company wants everything done in SCOM rather than use different products, so OMS is not an option, especially when SCOM should do what we want it to.
I’m a bit puzzled.
I have set up a Manual Reset, Simple Event Detection Monitor for a certain piece of text in a log file e.g. QS=1. I have also set up an Event based Generic Text Log alert Rule looking for the same piece of text in the same log file.
The RULE triggers and alerts in the SCOM console and sends an email as requested. The MONITOR never triggers. Any ideas why this may be?
Could it be something as simple as if a set of RULES are monitoring a log file then MONITORs can’t gain access to those same log files as they are open by the log file RULE?