Monitoring content of log files

Forum: Operations Manager
  • #229868
    cookson.stuart
    Participant

    I need to monitor some log text files for certain contents.  Example of part of text file below.

    In the first line there is the entry XQ=1671.  Throughout the file are entries for XQ=.  I need to alert for any entries over XQ=2000.

    I have created a ‘rule’ that alerts when the entry XQ=2000 appears.  I have tried to use multiple expressions in the same rule so it alerts when XQ=2000 and then has an OR group with XQ=2001 up to XQ=2010.  Unfortunately using multiple expressions has never worked so I have to create 10 individual rules for XQ=2000 up to XQ=2009.

    All working ok, however with them being rules I have to manually clear the alerts.

    So, I tried to create the same thing using ‘monitors’.  I have created a manual reset monitor.  I have also created a timer reset monitor and an event reset monitor.  The event reset was to alert when XQ=2000 and then the second event was when XQ=16 (a figure in the 1600s is always in the log file at some point so thought this would be a good way to reset).

    The problem is none of the monitor alerts will work.

    Can you only use Rules to monitor the contents of a text file?  Do I need to do anything different to get monitors working?

    I basically followed this URL to get this working for rules  https://support.microsoft.com/en-gb/kb/2691973

    Any help and advice would be appreciated

    Regards

    Thu 11/17 10:03:00.538     RpcManager:1435:Info   [7732] XQ=1671, XT=3486110, US=891, US-TCP=891, US-HTTP=0, US-REST=0, QS=0
    Thu 11/17 10:03:05.591    PracticeBag:  87:Warn   [8048] Authenticated session IP address 10.1.50.135 does not match new session IP address 10.1.183.212.
    Thu 11/17 10:03:27.696         DocMgr:35560:Info   [4584] importintofolder2: Duplicate E-mail detected (DocNum: 10977526 Version: 1)
    Thu 11/17 10:04:00.507       FileXfer:10443:Info   [7544] QD=25 TD=41328 DL=0, QU=7 TU=20945 UL=22, QM=0 TM=124 ML=0 QH=0 CH=0 QS=0 CM=0 QL=0 CU=0 UC=1302
    Thu 11/17 10:04:00.523    ChgEventMgr: 391:Info   [7084] CS=2925, CH=62677, CM=8893, CA=135, CD=444
    Thu 11/17 10:04:00.585     RpcManager:1435:Info   [7732] XQ=1483, XT=3487593, US=896, US-TCP=896, US-HTTP=0, US-REST=0, QS=0
    Thu 11/17 10:05:00.374       FileXfer:10443:Info   [7544] QD=15 TD=41343 DL=0, QU=9 TU=20954 UL=19, QM=0 TM=124 ML=0 QH=0 CH=0 QS=0 CM=0 QL=0 CU=0 UC=1310
    Thu 11/17 10:05:00.578    ChgEventMgr: 391:Info   [7084] CS=2630, CH=62699, CM=8903, CA=94, CD=389
    Thu 11/17 10:05:00.640     RpcManager:1435:Info   [7732] XQ=1500, XT=3489093, US=903, US-TCP=903, US-HTTP=0, US-REST=0, QS=0
    Thu 11/17 10:05:24.959         DocMgr:35560:Info   [9124] importintofolder2: Duplicate E-mail detected (DocNum: 10977563 Version: 1)
    Thu 11/17 10:05:25.867    PracticeBag:  87:Warn   [4584] Authenticated session IP address 10.232.1.172 does not match new session IP address 10.1.58.128.
    Thu 11/17 10:05:50.618         DocMgr:35560:Info   [4052] importintofolder2: Duplicate E-mail detected (DocNum: 10977571 Version: 1)
    Thu 11/17 10:06:00.376       FileXfer:10443:Info   [7544] QD=24 TD=41367 DL=0, QU=12 TU=20966 UL=16, QM=0 TM=124 ML=0 QH=0 CH=0 QS=0 CM=0 QL=0 CU=0 UC=1325
    Thu 11/17 10:06:00.626    ChgEventMgr: 391:Info   [7084] CS=2495, CH=62719, CM=8913, CA=237, CD=372
    Thu 11/17 10:06:00.696     RpcManager:1435:Info   [7732] XQ=1798, XT=3490891, US=908, US-TCP=908, US-HTTP=0, US-REST=0, QS=0
    Thu 11/17 10:06:06.124         DocMgr:35560:Info   [8048] importintofolder2: Duplicate E-mail detected (DocNum: 10977573 Version: 1)
    Thu 11/17 10:06:13.649         DocMgr:35560:Info   [9124] importintofolder2: Duplicate E-mail detected (DocNum: 10977576 Version: 1)
    Thu 11/17 10:06:23.903         Common: 897:Warn   [5164] Transaction rollback: importintofolder2: cause 206,  (user 14749 at 10.1.182.173)
    Thu 11/17 10:07:00.609       FileXfer:10443:Info   [7544] QD=28 TD=41395 DL=1, QU=12 TU=20978 UL=16, QM=0 TM=124 ML=0 QH=0 CH=0 QS=0 CM=0 QL=0 CU=0 UC=1331
    Thu 11/17 10:07:00.687    ChgEventMgr: 391:Info   [7084] CS=2271, CH=62741, CM=8914, CA=163, CD=387
    Thu 11/17 10:07:00.844     RpcManager:1435:Info   [7732] XQ=1603, XT=3492494, US=910, US-TCP=910, US-HTTP=0, US-REST=0, QS=0
    Thu 11/17 10:07:30.531         DocMgr:35560:Info   [9072] importintofolder2: Duplicate E-mail detected (DocNum: 10977603 Version: 1)
    Thu 11/17 10:07:36.208         DocMgr:35560:Info   [3796] importintofolder2: Duplicate E-mail detected (DocNum: 10972140 Version: 1)
    Thu 11/17 10:08:00.596       FileXfer:10443:Info   [7544] QD=33 TD=41428 DL=0, QU=10 TU=20988 UL=17, QM=0 TM=124 ML=0 QH=0 CH=0 QS=0 CM=0 QL=0 CU=0 UC=1334
    Thu 11/17 10:08:00.721    ChgEventMgr: 391:Info   [7084] CS=2134, CH=62759, CM=8915, CA=210, CD=347
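
Added example, not part of the original post and not SCOM configuration: the threshold the post describes (alert on any XQ value over 2000), done once by parsing the number and once as a single regular expression for a tool that can only match text. The log lines are constructed in the shape of the RpcManager entries above, and the function names are hypothetical.

```python
import re

# Constructed sample lines, shaped like the log excerpt in the post above.
SAMPLE_LOG = """\
Thu 11/17 10:03:00.538     RpcManager:1435:Info   [7732] XQ=1671, XT=3486110, US=891, QS=0
Thu 11/17 10:04:00.523    ChgEventMgr: 391:Info   [7084] CS=2925, CH=62677, CM=8893
Thu 11/17 10:09:00.611     RpcManager:1435:Info   [7732] XQ=2000, XT=3494494, US=912, QS=0
Thu 11/17 10:10:00.702     RpcManager:1435:Info   [7732] XQ=2001, XT=3496495, US=915, QS=0
Thu 11/17 10:11:00.640     RpcManager:1435:Info   [7732] XQ=12050, XT=3508545, US=921, QS=0
"""

# \b keeps "XQ=" from matching as the tail of a longer alphanumeric key
# and stops the capture at the end of the number.
XQ_FIELD = re.compile(r"\bXQ=(\d+)\b")

# Text-only equivalent of "XQ > 2000": 2001-2009, 2010-2099, 2100-2999,
# 3000-9999, then anything with five or more digits. Leading zeros allowed.
XQ_OVER_2000 = re.compile(
    r"\bXQ=0*(?:200[1-9]|20[1-9]\d|2[1-9]\d\d|[3-9]\d{3}|[1-9]\d{4,})\b"
)


def xq_alerts(log_text, threshold=2000):
    """Return (timestamp, XQ) for every line whose XQ value exceeds threshold."""
    hits = []
    for line in log_text.splitlines():
        m = XQ_FIELD.search(line)
        if m and int(m.group(1)) > threshold:
            timestamp = " ".join(line.split()[:3])
            hits.append((timestamp, int(m.group(1))))
    return hits


def regex_alert_lines(log_text):
    """Return the lines the single pattern flags, with no numeric parsing."""
    return [ln for ln in log_text.splitlines() if XQ_OVER_2000.search(ln)]


if __name__ == "__main__":
    for ts, value in xq_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} XQ={value}")
```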

    #229874
    Wilson W.
    Participant

    There should be no difference between using a rule or a monitor to monitor the contents of a log file.

    That being said, I would suggest you try using OMS to gather your custom log file info. OMS has much more flexibility to alert on specific contents…and it can all be set up in a few minutes. OMS has a 500mb/day free tier so you can try it out without having to pay anything.

    #229889
    cookson.stuart
    Participant

    Thank you Wilson W.  My company wants everything done in SCOM rather than use different products so OMS is not an option, especially when SCOM should do what we want it to.

    I’m a bit puzzled.

    I have set up a Manual Reset, Simple Event Detection Monitor for a certain piece of text in a log file e.g. QS=1.  I have also set up an Event based Generic Text Log alert Rule looking for the same piece of text in the same log file.

    The RULE triggers and alerts in the SCOM console and sends an email as requested.  The MONITOR never triggers.  Any ideas why this may be?

    Could it be something as simple as if a set of RULES are monitoring a log file then MONITORs can’t gain access to those same log files as they are open by the log file RULE?

    Thanks again
