Log Monitor Test

This test monitors multiple log files for different error patterns.

This test is disabled by default. To enable the test, go to the enable / disable tests page using the menu sequence : Agents -> Tests -> Enable/Disable, pick the desired Component type, set Performance as the Test type, choose the test from the DISABLED TESTS list, and click on the << button to move the test to the ENABLED TESTS list. Finally, click the Update button.

Target of the test : Any host system

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every ALERTFILE and SEARCHPATTERN combination.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

port

The port at which the server listens

Alert file

Specify the path to the log file to be monitored. For eg., /user/john/new_john.log. Multiple log file paths can be provided as a comma-separated list - eg., /user/john/critical_egurkha.log,/tmp/log/major.log.

Also, instead of a specific log file path, the path to the directory containing log files can be provided - eg., /user/logs. This ensures that eG Enterprise monitors the most recent log files in the specified directory. Specific log file name patterns can also be specified. For example, to monitor the latest log files with names containing the strings 'dblogs' and 'applogs', the parameter specification can be, /tmp/db/*dblogs*,/tmp/app/*applogs*. Here, '*' indicates leading/trailing characters (as the case may be). In this case, the eG agent first enumerates all the log files in the specified path that match the given pattern, and then picks only the latest log file from the result set for monitoring.

Your alertfile specification can also be of the following format: Name@logfilepath_or_pattern. Here, Name represents the display name of the path being configured. Accordingly, the parameter specification for the 'dblogs' and 'applogs' example discussed above can be: dblogs@/tmp/db/*dblogs*,applogs@/tmp/app/*applogs*. In this case, the display names 'dblogs' and 'applogs' will alone be displayed as descriptors of this test.

Every time this test is executed, the eG agent verifies the following:

  • Whether any changes have occurred in the size and/or timestamp of the log files that were monitoring during the last measurement period;

  • Whether any new log files (that match the alertfile specification) have been newly added since the last measurement period;

If a few lines have been added to a log file that was monitored previously, then the eG agent monitors the additions to that log file, and then proceeds to monitor newer log files (if any). If an older log file has been overwritten, then, the eG agent monitors this log file completely, and then proceeds to monitor the newer log files (if any).

Search pattern

Enter the specific patterns of messages to be monitored. The pattern should be in the following format: <PatternName>:<Pattern>, where <PatternName> is the pattern name that will be displayed in the monitor interface and <Pattern> is an expression of the form - *expr* or expr or *expr or expr*, etc. A leading '*' signifies any number of leading characters, while a trailing '*' signifies any number of trailing characters.

For example, say you specify ORA:ORA-* in the SEARCHPATTERN text box. This indicates that "ORA" is the pattern name to be displayed in the monitor interface. "ORA-*" indicates that the test will monitor only those lines in the log file which start with the term "ORA-". Similarly, if your pattern specification reads: offline:*offline, then it means that the pattern name is offline and that the test will monitor those lines in the log file which end with the term offline.

A single pattern may also be of the form e1+e2, where + signifies an OR condition. That is, the <PatternName> is matched if either e1 is true or e2 is true.

Multiple search patterns can be specified as a comma-separated list. For example: ORA:ORA-*,offline:*offline*,online:*online

If the alertfile specification is of the format Name@logfilepath, then the descriptor for this test in the eG monitor interface will be of the format: Name:PatternName. On the other hand, if the alertfile specification consists only of a comma-separated list of log file paths, then the descriptors will be of the format: LogFilePath:PatternName.

Also, if a comma-separated list of alert files is provided in the alertfile text box in the format Name@logfilepath, and you want to monitor one/more specific patterns of logs in each alert file, then your specification would be of the format:

Name@<PatternName>:<Pattern>

For instance, say, your alertfile specification is as follows: dblogs@/tmp/db/*dblogs*,applogs@/tmp/app/*applogs*. Now, assume that you want to monitor the following entries in the specified alert files:

Alert file Pattern
dblogs *error*
dblogs Ora*
applogs *warning
applogs *ora-info*

The searchpattern specification in this case will hence be as follows:

dblogs@error:*error*,dblogs@ora:ora*,applogs@warning:*warning, applogs@info:*ora-info*

If you want all the messages in a log file to be monitored, then your specification would be: <PatternName>:*

Lines

Specify two numbers in the format x:y. This means that when a line in the log file matches a particular pattern, then x lines before the matched line and y lines after the matched line will be reported in the detail diagnosis output (in addition to the matched line). The default value here is 0:0. Multiple entries can be provided as a comma-separated list.

If you give 1:1 as the value for LINES, then this value will be applied to all the patterns specified in the SEARCHPATTERN field. If you give 0:0,1:1,2:1 as the value for LINES and if the corresponding value in the SEARCHPATTERN field is like ORA:ORA-*,offline:*offline*,online:*online then:

0:0 will be applied to ORA:ORA-* pattern

1:1 will be applied to offline:*offline* pattern

2:1 will be applied to online:*online pattern

Exclude pattern

Provide a comma-separated list of patterns to be excluded from monitoring in the EXCLUDEPATTERN text box. For example *critical*,*exception*. By default, this parameter is set to 'none'.

Exclude Files

Provide a comma-separated list of file formats to be excluded from monitoring in the ExcludeFiles text box. By default, this parameter is set to '*.gz,*.tar,*.zip' indicating that the files of the mentioned formats will be excluded from monitoring by the test. However, you can add more file formats to the default list in the following format: '*.gz,*.tar,*.zip, *cab, *7z, *rar'.

Unique match

By default, the UNIQUEMATCH parameter is set to FALSE, indicating that, by default, the test checks every line in the log file for the existence of each of the configured SEARCHPATTERN. By setting this parameter to TRUE, you can instruct the test to ignore a line and move to the next as soon as a match for one of the configured patterns is found in that line. For example, assume that Pattern1:*fatal*,Pattern2:*error* is the SEARCHPATTERN that has been configured. If UNIQUEMATCH is set to FALSE, then the test will read every line in the log file completely to check for the existence of messages embedding the strings 'fatal' and 'error'. If both the patterns are detected in the same line, then the number of matches will be incremented by 2. On the other hand, if UNIQUEMATCH is set to TRUE, then the test will read a line only until a match for one of the configured patterns is found and not both. This means that even if the strings 'fatal' and 'error' follow one another in the same line, the test will consider only the first match and not the next. The match count in this case will therefore be incremented by only 1.

Rotating file

This flag governs the display of descriptors for this test in the eG monitoring console.

If this flag is set to true and the ALERTFILE text box contains the full path to a specific (log/text) file, then, the descriptors of this test will be displayed in the following format: Directory_containing_monitored_file:<SearchPattern>. For instance, if the ALERTFILE parameter is set to c:\eGurkha\logs\syslog.txt, and ROTATINGFILE is set to true, then, your descriptor will be of the following format: c:\eGurkha\logs:<SearchPattern>. On the other hand, if the ROTATINGFILE flag had been set to false, then the descriptors will be of the following format: <FileName>:<SearchPattern> - i.e., syslog.txt:<SearchPattern> in the case of the example above.

If this flag is set to true and the ALERTFILE parameter is set to the directory containing log files, then, the descriptors of this test will be displayed in the format: Configured_directory_path:<SearchPattern>. For instance, if the ALERTFILE parameter is set to c:\eGurkha\logs, and ROTATINGFILE is set to true, then, your descriptor will be: c:\eGurkha\logs:<SearchPattern>. On the other hand, if the ROTATINGFILE parameter had been set to false, then the descriptors will be of the following format: Configured_directory:<SearchPattern> - i.e., logs:<SearchPattern> in the case of the example above.

If this flag is set to true and the ALERTFILE parameter is set to a specific file pattern, then, the descriptors of this test will be of the following format: <FilePattern>:<SearchPattern>. For instance, if the ALERTFILE parameter is set to c:\eGurkha\logs\*sys*, and ROTATINGFILE is set to true, then, your descriptor will be: *sys*:<SearchPattern>. In this case, the descriptor format will not change even if the ROTATINGFILE flag status is changed.

Overwritten File

By default, this flag is set to false. Set this flag to true if log files do not 'roll over' in your environment, but get overwritten instead. In such environments typically, new error/warning messages that are captured will be written into the log file that pre-exists and will replace the original contents of that log file; unlike when 'roll over' is enabled, no new log files are created for new entries in this case. If the OVERWRITTENFILE flag is set to true, then the test will scan the new entries in the log file for matching patterns. However, if the flag is set to false, then the test will ignore the new entries.

Rollover File

By default, this flag is set to false. Set this flag to true if you want the test to support the 'roll over' capability of the specified ALERTFILE. A roll over typically occurs when the timestamp of a file changes or when the log file size crosses a pre-determined threshold. When a log file rolls over, the errors/warnings that pre-exist in that file will be automatically copied to a new file, and all errors/warnings that are captured subsequently will be logged in the original/old file. For instance, say, errors and warnings were originally logged to a file named error_log. When a roll over occurs, the content of the file error_log will be copied to a file named error_log.1, and all new errors/warnings will be logged in error_log. In such a scenario, since the ROLLOVERFILE flag is set to false by default, the test by default scans only error_log.1 for new log entries and ignores error_log. On the other hand, if the flag is set to true, then the test will scan both error_log and error_log.1 for new entries.

If you want this test to support the 'roll over' capability described above, the following conditions need to be fulfilled:

  • The ALERTFILE parameter has to be configured only with the name and/or path of one/more alert files. File patterns or directory specifications should not be specified in the ALERTFILE text box.

  • The roll over file name should be of the format: “<ALERTFILE>.1”, and this file must be in the same directory as the ALERTFILE.

Use UTF8

If UTF-8 encoding is to be used for reading the specified log file, then, set the USEUTF8 flag to true. By default, this flag is set to false. If multiple log files are being monitored, then, for each file, you will have to indicate whether UTF-8 encoding is to be used for reading that file or not. For instance, assume that the ALERTFILE parameter is set to dblogs@/tmp/db/dblogs.log,applogs@/tmp/app/applogs.log. Now, to instruct the test to use UTF-8 encoding for reading the 'dblogs' log file and not to use the UTF-8 encoding while reading the 'applogs' log file, your USEUTF8 setting should be as follows: true,false. Note that the number of values provided against the USEUTF8 parameter should be equal to the number of log files being monitored. Also, note that if the ALERTFILE being monitored has BOM, then the test will automatically use UTF-8 encoding to read that file, even if the USEUTF8 flag is set to false.

Note:

If your ALERTFILE specification consists of file patterns that include wildcard characters (eg., /tmp/db/*dblogs*,/tmp/app/*applogs*), then the files that match such patterns will only support the ANSI format, and not the UTF format, even if the UTF-8 parameter is set to true for such patterns.

Use UTF16

If UTF-16 encoding is to be used for reading the specified log file, then, set the USEUTF16 flag to true. By default, this flag is set to false. If multiple log files are being monitored, then, for each file, you will have to indicate whether UTF-16 encoding is to be used for reading that file or not. For instance, assume that the ALERTFILE parameter is set to dblogs@/tmp/db/dblogs.log,applogs@/tmp/app/applogs.log. Now, to instruct the test to use UTF-16 encoding for reading the 'dblogs' log file and not to use the UTF-16 encoding while reading the 'applogs' log file, your USEUTF8 setting should be as follows: true,false. Note that the number of values provided against the USEUTF16 parameter should be equal to the number of log files being monitored.

Note:

If your ALERTFILE specification consists of file patterns that include wildcard characters (eg., /tmp/db/*dblogs*,/tmp/app/*applogs*), then the files that match such patterns will only support the ANSI format, and not the UTF format, even if the UTF-16 parameter is set to true for such patterns.

Case Sensitive

This flag is set to No by default. This indicates that the test functions in a 'case-insensitive' manner by default. This implies that, by default, the test ignores the case of your ALERTFILE and SEARCHPATTERN specifications. If this flag is set to Yes on the other hand, then the test will function in a 'case-sensitive' manner. In this case therefore, for the test to work, even the case of your ALERTFILE and SEARCHPATTERN specifications should match with the actuals.

Encode Format

By default, this is set to none, indicating that no encoding format applies by default. However, if the test has to use a specific encoding format for reading from the specified ALERTFILE , then you will have to provide a valid encoding format here - eg., UTF-8, UTF-16, etc. Where multiple log files are being monitored, you will have to provide a comma-separated list of encoding formats – one each for every log file monitored. Make sure that your encoding format specification follows the same sequence as your ALERTFILE specification. In other words, the first encoding format should apply to the first alert file, and so on. For instance, say that your alertfile specification is as follows: D:\logs\report.log,E:\logs\error.log, C:\logs\warn_log. Assume that while UTF-8 needs to be used for reading from report.log , UTF-16 is to be used for reading from warn_log . No encoding format need be applied to error.log. In this case, your ENCODEFORMAT specification will be: UTF-8,none,UTF-16.

Use SUDO

By default, the eG agent does not require any special permissions to parse and read messages from the log file to be monitored. This is why, the USE SUDO parameter is set to No by default. In some highly-secure Unix environments however, the eG agent install user may not have the permission to read the log file to be monitored. In such environments, you will have to follow the steps below to ensure that the test is able to read the log file and report metrics:

  • Edit the SUDOERS file on the target host and append an entry of the following format to it:

    <eG_agent_install_user> ALL=(ALL) NOPASSWD: <Log_file_with_path>

    For instance, if the eG agent install user is eguser, and the log file to be monitored is /usr/bin/logs/procs.log, then the entry in the SUDOERS file should be:

    eguser ALL=(ALL) NOPASSWD: /usr/bin/logs/procs.log

  • Finally, save the file.

  • Then, when configuring this test using the eG admin interface, set the USE SUDO parameter to Yes. Once this is done, then every time the test runs, it will check whether the eG agent install user has the necessary permissions to read the log file. If the user does not have the permissions, then the test runs the sudo command to change the permissions of the user, so that the eG agent is able to read from the log file.

Sudo Path

This parameter is relevant only when the USE SUDO parameter is set to ‘Yes’. By default, the SUDO PATH is set to none. This implies that the sudo command is in its default location – i.e., in the /usr/bin or /usr/sbin folder of the target host. In this case, once the USE SUDO flag is set to Yes , the eG agent automatically runs the sudo command from its default location to allow access to the configured log file. However, if the sudo command is available in a different location in your environment, you will have to explicitly specify the full path to the sudo command in the SUDO PATH text box to enable the eG agent to run the sudo command.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Number of messages

Indicates the number of messages that were added to the log when the test was last executed.

Number

The value of this measure is a clear indicator of the number of “new” messages that have come into the log of the monitored server. The detailed diagnosis of this measure, if enabled, provides the detailed descriptions of the errors of the configured patterns.