Unix/linux LogFile Monitor Template problem

Forum: Cross Platform
    #84881
    phil
    Member

    Hi,

    We are running R2 with CU4 (as an in place upgrade from SP1).  I have implemented the scx agent on a RHEL5 system.  The default behaviour is working well.  Health is being monitored, and secure log monitoring is working (alerts are being generated for failed ssh root passwords).

    I have used the Unix/Linux logfile template to create a test logfile monitor for the RHEL5 system to monitor the logfile /var/log/messages for the expression .*configuration.*

    Despite “configuration” appearing in most lines of the messages log, no alerts are being generated.

    The scx.log on the agent side indicates that the SCXLogFileProvider isn’t being called for /var/log/messages (whereas it is for /var/log/secure)
     
    Running workflow analyzer on the management server provides the following output:

    3/03/2011 10:34:56 AM   Submitting Trace Override for rule ‘LogFile Template: /var/log/messages Logfile, .*configuration.* Expression’
    3/03/2011 10:34:56 AM   Setting RealTime mode for  WorkflowTrace
    3/03/2011 10:34:58 AM   Trace Override has been submitted successfully.
    3/03/2011 10:35:10 AM   Examining C:\Program Files\System Center Operations Manager 2007\Tools\All.tmf for message formats,  2339 found.
    3/03/2011 10:35:10 AM   Searching for TMF files on path: (null)
    3/03/2011 10:40:34 AM DataTypeToAlertMapperCondition Initialize 
    <Configuration>
     <Priority>1</Priority>
     <Severity>2</Severity>
     <ManagedEntityId>{203C9F3F-34BC-B229-B5C8-16C648C97C15}</ManagedEntityId>
     <AlertName>Log File Alert: messages</AlertName>
     <AlertDescription>$Data/EventDescription$</AlertDescription>
     <AlertOwner/>
     <AlertMessageId/>
     <AlertParameters/>
    <Suppression>
     <SuppressionValue/>
     </Suppression>
     <WorkflowId>{8A1CB4A1-3864-3261-C654-68EFE2625722}</WorkflowId>
     <Custom1/>
     <Custom2/>
     <Custom3/>
     <Custom4/>
     <Custom5/>
     <Custom6/>
     <Custom7/>
     <Custom8/>
     <Custom9/>
     <Custom10/>
     <ManagementGroupName>BTS_RD_MGMTGRP</ManagementGroupName>
     </Configuration>
    3/03/2011 10:40:34 AM DataTypeToAlertMapperCondition Initialize Starting State: <null>
    3/03/2011 10:40:34 AM GenericNTEventMapper Initialize Configuration: <Configuration>
     <EventOriginId>{203C9F3F-34BC-B229-B5C8-16C648C97C15}</EventOriginId>
     <PublisherId>{8A1CB4A1-3864-3261-C654-68EFE2625722}</PublisherId>
     <PublisherName>WSManEventProvider</PublisherName>
     <Channel>WSManEventProvider</Channel>
     <LoggingComputer/>
     <EventNumber>0</EventNumber>
     <EventCategory>3</EventCategory>
     <EventLevel>0</EventLevel>
     <UserName/>
     <Description>Detected Entry: $Data///row$</Description>
     <Params/>
     </Configuration>
    3/03/2011 10:40:34 AM GenericNTEventMapper Initialize Starting State: <null>

    Any help would be greatly appreciated.


    #86387
    Bob Cornelissen
    Participant

    Hi, I see nobody replied to this question. Have you gotten an answer on another forum on the same?
    In any case – perhaps it is the regular expression. While making the monitor there is a test field where you can put a sentence from the log file and see if it creates a match with the expression you created. (you could test this with a new one and not create it in the end).
    Next, the messages file is a secure file as far as I know and only root or root-like can access this. So this should be run with the privileged runas account.
    Hope it helps.

    #225027
    Dwayne
    Participant

    The regex in SCOM doesn’t quite work as you may expect. I’m willing to help here if you never got a solution to this, even if it’s years late.

    i.e. where you think you may want a * you may actually want a .+

    So for instance I wanted to filter out a known issue from the logs for this item. (If you need to know how to do this too I can share.)

    Detected Entry: Oct 20 14:04:24 unix1 kernel: convert[8688]: segfault at 86450008 ip 0000003c1d276272 sp 00007f960c035a10 error 4 in libc-2.12.so[3c1d200000+18b000]

    the filter I can use is simply a word, a number of characters and another word so it is represented as such:

    convert.+segfault

    As can be seen, the “.” actually means any character, so I’m not sure if you’re looking for simply any string containing “configuration” or “.configuration.”

    As another side note, never use two Unix log monitors against the same log file; it simply won’t work as the Windows ones would. You need one log monitor to do it all. This means using exclusions, and as SCOM doesn’t support look-around as part of its regex you will need to do some XML editing of the management pack to make that work.
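    Added example (not from any post in this thread): a few constructed syslog-style lines, one adapted from the segfault entry above, checked with grep -E on the Linux host to see what each expression discussed here really matches. It assumes grep’s extended-regex dialect agrees with the SCOM template for these simple patterns, and uses a grep -v pass to stand in for the exclusion that SCOM itself cannot express without look-around.

```shell
#!/bin/sh
# Constructed sample lines standing in for /var/log/messages (assumption: these
# are not real log data; the segfault line is adapted from the forum post).
SAMPLE_LOG='Mar  3 10:40:01 unix1 kernel: Loading configuration from /etc/sysconfig
Mar  3 10:40:02 unix1 dhclient: bound to 10.0.0.5 -- renewal in 3600 seconds
Mar  3 10:40:03 unix1 sshd[2211]: Received SIGHUP; restarting.
Oct 20 14:04:24 unix1 kernel: convert[8688]: segfault at 86450008 ip 0000003c1d276272 sp 00007f960c035a10 error 4 in libc-2.12.so[3c1d200000+18b000]
Mar  3 10:40:05 unix1 init: reloading configuration.'

# count_matches PATTERN
# Prints how many sample lines the extended regular expression PATTERN matches.
# grep -c exits 1 when the count is 0, so "|| true" keeps the count visible.
count_matches() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -c -- "$1" || true
}

# count_excluding INCLUDE EXCLUDE
# Lines matching INCLUDE, minus those also matching EXCLUDE: the "one monitor
# with an exclusion" shape, done here with a second grep -v pass.
count_excluding() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" | grep -E -v -c -- "$2" || true
}

# Walk through the expressions from the thread.
# ".*configuration.*" and plain "configuration" match the same lines: without
# anchors the leading/trailing ".*" add nothing.
echo "configuration        -> $(count_matches 'configuration')"
echo ".*configuration.*    -> $(count_matches '.*configuration.*')"
# "." is any character and "+" means one or more, so this matches the segfault line.
echo "convert.+segfault    -> $(count_matches 'convert.+segfault')"
# A glob-style "*" is not a wildcard in regex: "t*" means zero or more "t",
# so "convert*segfault" needs "conver", some t's, then "segfault" and matches nothing.
echo "convert*segfault     -> $(count_matches 'convert*segfault')"
# Every line from unix1 except the known segfault noise.
echo "unix1 minus segfault -> $(count_excluding 'unix1' 'convert.+segfault')"
```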

