Management and Security powered by Landesk

Set up a log file monitoring rule

  1. Click Tools > Configuration > Alerting.
  2. Under Alert rulesets, select the ruleset you want to edit, then click Edit on the toolbar.
  3. In the left column of the Alert ruleset window that opens, click Alerts. Under the Monitor folder in the list of alerts, click Log file monitoring.
  4. Click Tasks > New in the right column.
  5. In the Log file monitoring dialog box, type a name and description for the log file monitoring rule.
  6. To change the frequency at which the item is monitored, change the Polling interval settings.
  7. Click Log file configuration to specify which log files are monitored, what you are monitoring for, and how you will be alerted.
    Regular expressions are used to define what content in the log file should be monitored. When the monitoring service finds a match for the regular expression in the log file, it follows the alert rules to notify you of the occurrence.
  8. Click Manage. In the Regular expression management dialog box, add a descriptive name and a regular expression, then click Add. Repeat for each regular expression you want to use for monitoring log files. When you have added them all, click OK.
    You can add as many regular expressions as you want in this dialog box. Note that you need to create a new rule for each expression that you want to search for, and each rule is applied to only one log file. In other words, each rule includes one regular expression and one log file.
  9. Select a regular expression in the Regular expression drop-down list.
  10. Enter the path and complete filename of the log file you want to monitor in the Log file path box. This must be a specific filename, and only that filename will be monitored (for example, c:\logs\error.txt).
  11. If you want to include backup files for the log file, enter the path and complete filename of the backup file in the Backup log file path box (this step is optional). This also needs to be a complete path and filename for a specific file.
  12. Type an Instance descriptive name. This identifies the log file monitoring rule in the alert notifications you receive.
  13. Select the severity level you want to apply to this alerting rule.
  14. If you want to monitor only new entries in the log file (beginning at the time the monitoring rule is deployed to the device), click Monitor changes to log files. (This option is typically used for log files so the agent doesn’t keep scanning the same existing text.)
    If you want to monitor all existing and all new entries in the log file, click Monitor entire log file. (This option is typically used to monitor other less dynamic files, such as configuration files.)
  15. Click OK to add the rule to the list of log file monitoring rules.
  16. Repeat steps 4-15 to add other log file monitoring rules.
    After you have created the log file monitoring rules you want, you need to add them to the ruleset. You can add multiple monitoring rules and apply action and time rules to them, depending on how you want to be notified when log file changes trigger alerts.
  17. With the rules listed under Log file monitoring, click Rule > New in the right column.
    Three boxes or "wells" are displayed at the bottom of the page.
  18. Drag one or more rules into the Alerts box.
  19. Click Actions on the left column, then drag one or more action rules into the Actions box. The actions you add here will be applied to each rule that you added.
  20. Click Time on the left column, then drag a time rule into the Time box.
  21. Click OK to add the new rules to the ruleset.
    To view the new log file monitoring rules in the ruleset, click Rules summary. Each rule is displayed on a separate line, and you can edit individual rules or clone a rule and make copies with different actions, time rules, or severity states. If you want the alerting rule to affect device health, double-click the rule in the Rules summary list and select the Health check box.
  22. After you have added the log file monitoring rules to the ruleset, click Publish to save the changes to the ruleset. The changes will be applied to individual devices the next time you deploy the ruleset, or the next time the device's inventory service runs.
  • Log file monitoring is supported only for managed Windows devices.
  • Any time you edit or delete a rule, you need to publish the alert ruleset that the rule appears in. The changes you make will not apply to devices until the ruleset has been published (or until you redeploy the ruleset with a scheduled task).
  • This feature maps log files into memory to use less memory during a search. Runtime memory is allocated for this as linear regular expression searches occur. Because Windows locks the file when it is mapped into memory, you may encounter issues with some applications.
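The following script is an added example, not Landesk code: it simulates what steps 8 to 14 configure, so you can check a regular expression against sample log lines and see how "Monitor changes to log files" and "Monitor entire log file" differ before you publish a rule. It assumes the behaviour the page describes (one regular expression per rule, one file per rule, lines scanned at each polling interval, and changes-only mode starting at the end of the file as it exists when the rule is deployed). The class and field names are the author's own, and the log lines are constructed; the real agent maps the file into memory rather than reading it in chunks, as the last note above explains.

```python
import os
import re
import tempfile


class LogFileRule:
    """A single log file monitoring rule: one regular expression applied to one log file.

    Mirrors the fields entered in steps 8-14 above. The names here are the author's own,
    not Landesk's."""

    def __init__(self, name, pattern, log_path, instance, severity, changes_only=True):
        self.name = name                    # rule name (step 5)
        self.regex = re.compile(pattern)    # regular expression chosen from the list (step 9)
        self.log_path = log_path            # complete path of the one file monitored (step 10)
        self.instance = instance            # instance descriptive name shown in alerts (step 12)
        self.severity = severity            # severity level attached to alerts (step 13)
        self.changes_only = changes_only    # True: "Monitor changes to log files"; False: "Monitor entire log file"
        self.offset = 0                     # byte position up to which the file has been scanned

    def deploy(self):
        """Simulates the rule arriving on the device. In changes-only mode, existing text is skipped."""
        if self.changes_only and os.path.exists(self.log_path):
            self.offset = os.path.getsize(self.log_path)
        else:
            self.offset = 0

    def poll(self):
        """One pass at the polling interval: scan text appended since the last pass, return alerts."""
        alerts = []
        if not os.path.exists(self.log_path):
            return alerts
        if os.path.getsize(self.log_path) < self.offset:
            self.offset = 0                 # file shrank (truncated or replaced): rescan from the start
        with open(self.log_path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        cut = data.rfind(b"\n")
        if cut == -1:
            return alerts                   # no complete line yet; leave the partial tail for the next pass
        complete = data[:cut + 1]
        self.offset += len(complete)
        for line in complete.decode("utf-8", errors="replace").splitlines():
            match = self.regex.search(line)
            if match:
                alerts.append({
                    "rule": self.name,
                    "instance": self.instance,
                    "severity": self.severity,
                    "match": match.group(0),
                    "line": line,
                })
        return alerts


def demo():
    """Constructed scenario showing how the two monitoring modes differ on the same file."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "error.txt")   # stands in for c:\logs\error.txt
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write("2024-01-01 10:00:01 INFO  service started\n")
        fh.write("2024-01-01 10:00:05 ERROR disk quota exceeded on D:\n")

    changes = LogFileRule("Error lines (new only)", r"\bERROR\b", log_path,
                          instance="App error log", severity="Critical", changes_only=True)
    entire = LogFileRule("Error lines (whole file)", r"\bERROR\b", log_path,
                         instance="App error log", severity="Critical", changes_only=False)
    changes.deploy()
    entire.deploy()
    result = {"changes_first": changes.poll(), "entire_first": entire.poll()}

    # New entries written after deployment; the last one is still being written (no newline yet).
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write("2024-01-01 10:01:00 WARN  cache miss\n")
        fh.write("2024-01-01 10:01:30 ERROR service crashed (exit code 3)\n")
        fh.write("2024-01-01 10:01:31 ERROR partial li")
    result["changes_second"] = changes.poll()
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write("ne completed\n")
    result["changes_third"] = changes.poll()
    return result


if __name__ == "__main__":
    for key, alerts in demo().items():
        print(key, [a["line"] for a in alerts])
```

The changes-only rule reports nothing on its first pass even though an ERROR line already exists, while the whole-file rule reports it straight away; a line that is only half written when the poll runs is held back until it is complete, so a regular expression anchored on the end of a line does not fire on a fragment. Run it with each regular expression you plan to add in the Regular expression management dialog, using a copy of the real log, before publishing the ruleset.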
