Log file monitoring is an option available in the performance
monitoring rules. This monitoring agent scans log files on managed
Windows devices for specific strings or expressions, and generates
alerts when they are found. This is useful if you want to be
alerted when a particular condition exists that can be traced
through a log file.
You can monitor a text file generated by any application,
including .htm and .xml files (however, Unicode files can’t be
monitored). After you specify which file to monitor and define
rules using regular expressions, the file will be monitored as long
as the logfile monitoring rule is contained in a ruleset that is in
effect on that device.
The first time text in the log file matches a regular
expression, an alert is generated. The alert is generated only once
for that file even if there are multiple matches. Later, if the
file changes so there is no longer a matching condition, then the
agent begins scanning for that regular expression again and will
generate an alert on the next occurrence of the match.
You can also scan log backup files that are created when a log
file becomes too large and older entries in the file are appended
to a different file (a “rolling” log file). However, “wrapped” log
files, which remove older entries within a single log file to make
room for new entries, are not supported.
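The alerting behaviour described above (one alert per file on the first match, silence while the condition persists, re-arming once the match disappears, and a rolling backup file scanned alongside the live log), together with the Monitor changes to log files option chosen later in the procedure, modelled as an added Python example. This is illustrative code, not the product's own agent; the file paths, regular expression and log lines are constructed for the demonstration.

```python
import re

class LogFileMonitorRule:
    """Hypothetical model of one rule: one regex, one log file, optional backup."""
    def __init__(self, pattern, log_path, backup_path=None, monitor_changes=False):
        self.regex = re.compile(pattern)
        self.paths = [p for p in (log_path, backup_path) if p]
        self.monitor_changes = monitor_changes
        self.alerted = {}   # per file: alert already raised for the current match
        self.baseline = {}  # per file: length of the text present at deploy time

    def deploy(self, files):
        # files: path -> current text, a constructed stand-in for the disk.
        # "Monitor changes to log files" skips text that already exists.
        if self.monitor_changes:
            for p in self.paths:
                self.baseline[p] = len(files.get(p, ""))

    def poll(self, files):
        """One polling interval; returns the files for which an alert fires."""
        alerts = []
        for p in self.paths:
            text = files.get(p, "")
            start = self.baseline.get(p, 0)
            if start > len(text):  # file shrank (truncated at rollover): rescan
                start = self.baseline[p] = 0
            matched = self.regex.search(text, start) is not None
            if matched and not self.alerted.get(p):
                self.alerted[p] = True  # alert once, then stay quiet
                alerts.append(p)
            elif not matched:
                self.alerted[p] = False  # condition cleared: re-arm
        return alerts

def rolling_log_scenario():
    """Live log rolls over into a backup file; returns the alert sequence."""
    live, bak = r"c:\logs\error.txt", r"c:\logs\error.bak"
    rule = LogFileMonitorRule(r"ERROR\s+\d{3}", live, bak)
    files = {live: "INFO service started\n"}  # constructed sample content
    rule.deploy(files)
    seq = [rule.poll(files)]                   # no match yet
    files[live] += "ERROR 500 backend down\n"
    seq.append(rule.poll(files))               # first match alerts
    files[live] += "ERROR 503 still down\n"
    seq.append(rule.poll(files))               # same condition, no new alert
    files[bak], files[live] = files[live], "INFO restarted\n"  # rollover
    seq.append(rule.poll(files))               # live re-arms; backup alerts
    files[live] += "ERROR 502 again\n"
    seq.append(rule.poll(files))               # live alerts again
    return seq
```

Calling rolling_log_scenario() returns the per-poll alert lists, which makes the once-per-file latch and the re-arm after rollover visible.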
For this monitoring option, you must specify the location and
exact name of the file on the managed device, and you specify the
search criteria with a regular expression. When a string in the
file matches the expression, an alert action is generated if you
have defined a Log file monitoring alert type in the
appropriate alerting ruleset.
You can include log file monitoring in any alerting ruleset you
have defined. The following procedure describes the five general
steps for setting up log file monitoring:
1. Create a log file monitoring rule in an alert ruleset.
2. Specify which log file to monitor on the managed devices.
3. Define the monitoring rules for that file, using regular expressions.
4. Select a severity level for the rule and name the instance so it will be identified in alerts.
5. Apply action and time rules and save the rule in the alert ruleset.
To set up a log file monitoring rule
1. Click Tools > Configuration > Alerting.
2. Under Alert rulesets, select the ruleset you want to edit, then click Edit on the toolbar.
3. In the left column of the Alert ruleset window that opens, click Alerts. Under the Monitor folder in the list of alerts, click Log file monitoring.
4. Click Tasks > New in the right column.
5. In the Log file monitoring dialog box, type a name and description for the log file monitoring rule.
6. To change the frequency at which the item is monitored, change the Polling interval settings.
7. Click Log file configuration to specify which log files are monitored, what you are monitoring for, and how you will be alerted.
   Regular expressions are used to define what content in the log file should be monitored. When the monitoring service finds a match for the regular expression in the log file, it follows the alert rules to notify you of the occurrence.
8. Click Manage. In the Regular expression management dialog box, add a descriptive name and a regular expression, then click Add. Repeat for each regular expression you want to use for monitoring log files. When you have added them all, click OK.
   You can add as many regular expressions as you want in this dialog box. Note that you need to create a new rule for each expression that you want to search for, and each rule is applied to only one log file. In other words, each rule includes one regular expression and one log file.
9. Select a regular expression in the Regular expression drop-down list.
10. Enter the path and complete filename of the log file you want to monitor in the Log file path box. This must be a specific filename, and only that filename will be monitored (for example, c:\logs\error.txt).
11. If you want to include backup files for the log file, enter the path and complete filename of the backup file in the Backup log file path box (this step is optional). This also needs to be a complete path and filename for a specific file.
12. Type an Instance descriptive name. This identifies the log file monitoring rule in the alert notifications you receive.
13. Select the severity level you want to apply to this alerting rule.
14. If you want to monitor only new entries in the log file (beginning at the time the monitoring rule is deployed to the device), click Monitor changes to log files. (This option is typically used for log files so the agent doesn’t keep scanning the same existing text.)
    If you want to monitor all existing and all new entries in the log file, click Monitor entire log file. (This option is typically used to monitor other less dynamic files, such as configuration files.)
15. Click OK to add the rule to the list of logfile monitoring rules.
16. Repeat steps 4-15 to add other logfile monitoring rules.
    After you have created the logfile monitoring rules you want, you need to add them to the ruleset. You can add multiple monitoring rules and apply action and time rules to them, depending on how you want to be notified when log file changes trigger alerts.
17. With the rules listed under Log file monitoring, click Rule > New in the right column. Three boxes or “wells” are displayed at the bottom of the page.
18. Drag one or more rules into the Alerts box.
19. Click Actions on the left column, then drag one or more action rules into the Actions box. The actions you add here will be applied to each rule that you added.
20. Click Time on the left column, then drag a time rule into the Time box.
21. Click OK to add the new rules to the ruleset.
    To view the new logfile monitoring rules in the ruleset, click Rules summary. Each rule is displayed on a separate line, and you can edit individual rules or clone a rule and make copies with different actions, time rules, or severity states. If you want the alerting rule to affect device health, double-click the rule in the Rules summary list and select the Health check box.
22. After you have added the log file monitoring rules to the ruleset, click Publish to save the changes to the ruleset. The changes will be applied to individual devices the next time you deploy the ruleset, or the next time the device's inventory service runs.
Notes
Log file monitoring is supported
only for managed Windows devices.
Any time you edit or delete a
rule, you need to publish the alert ruleset that the rule appears
in. The changes you make will not apply to devices until the
ruleset has been published (or until you redeploy the ruleset with
a scheduled task).
For more information about modifying alert rulesets
and defining alert actions, see Configuring alert rulesets.
This feature maps log files into memory to use less
memory during a search. Runtime memory is allocated for this as
linear regular expression searches occur. Because Windows locks the
file when it is mapped into memory, you may encounter issues with
some applications.