Configuring after installation

Discontinued support

Support for all versions of the Binary Files, Named Pipe, and XML Files monitor types is discontinued from September 20, 2019 and these monitor types are removed from the product in the 2.7.40 version.

This topic provides information about configuring the Log Management KM.

In the Log Management monitoring solution, select the latest version, and select the Log Monitoring monitor profile. Configure the monitor types as per your requirements.

To configure monitor types and other monitoring capabilities:

Configuring remote monitoring of files on UNIX machines

Click to view a short video (5:50) of how to configure remote monitoring of files on UNIX machines by using PATROL for Log Management and PATROL for UNIX and Linux.

https://youtu.be/GcUJ1CsYAjQ

Configuration details

Field	Description
Monitoring environment label	Enter the name of the label for the log file that you want to monitor.
Monitoring file logical name	Enter the logical name of the instance that you want to monitor. A maximum of 80 characters are allowed in this field.
Log file (full path)	Enter the full path and the filename of the file that you want to monitor. Note: To monitor log files that have dynamic names, use wildcard characters, such as * and ? to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log. A maximum of 900 characters are supported in this field.
Path contains environment variables	Select the check box if the full path contains environment variable and the path defined by the environment variable is resolved at run time.
File disposition	If you are monitoring log file whose name is created dynamically, to monitor the latest such file, select Latest. To monitor all such files, select All.
Data collection interval for local monitoring (min)	For local monitoring, set the data collection interval in minutes. For remote monitoring, the data is collected every 2 minutes only. For large systems, BMC recommends that you use the 10 or 30 minutes option.
Advanced Settings
Generate Alarm if file not modified (min)	Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.
Backup file name	Specify the name of the backup file.
If no match on the next scan return to OK	Select this check box if the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.
Text Settings
Number of lines in log entry	Specify the number of lines that you want to display in the LOGMatchString text parameter when a match is found. For example, if you want to determine when a disk is full and where the disk is mounted, enter `Error: Disc Full` as the search string and `2` in this field. When a disk is full, the KM displays the following message in the LOGMatchString text parameter: `Id=id1` `031605: Error: Disc Full` `Id=;MatchedLines` `/hd001 mounted as /opt` `SUMMARY:id1=1;` To include these specified number of lines in the generated event, after saving the configuration, add the `/PMG/CONFIG/<instanceName>/appendLogEntryLinesToCustomEvent` configuration variable (Configuration Variable > Add Configuration Variable with Value set as `1`). Note: If either the search string or the nullify string occurs again within the number of lines selected to be displayed, the KM does not find the instances of the search strings for all the search identifiers.
Always read at beginning after file modification	Select this check box if you want to scan the entire text file on each scan, rather than scanning only the new content. Note: The text file is scanned only if the file changes.
File read position	Select the read position of a file after the PATROL Agent is re-initialized or when a new file matches the file path. Read from last offset - Log file reads from the last offset Read from end of file - Log file reads from the end of the file Read from beginning of file - Log file reads from the beginning of the file Use existing configuration - Log file is read from the last offset
Multiline search
Start delimiter	Specify the start limit to search a block of lines containing a match string.
End delimiter	Specify the end limit to search a block of lines containing a match string.
Remote Monitoring
Remote host name	Enter the host name for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.
Search criteria settings
Regex type	Select the regex type that you want to use to prepare the search criteria. Note: The ECMAScript option is not supported on the HP-UX platform.
Search criteria to nullify an Alarm/Warning state	Specify the string to nullify the alarm for the dual search feature. You can configure dual search for an instance so that the KM goes into the alarm state when any of the search criteria is found in the monitored file and nullifies the alarm when the nullify string is found in the monitored file. You must specify the first string in the Search String 1 > String text box of the Pattern search criteria section and the nullify string in this text box. For the nullified customized events, the default custom event message is used (as provided in the Custom Event Message text box in the Pattern search criteria section). If you specify `Alarm up` in the String1 text box and `Alarm down` in this text box, the KM goes into an alarm state when `Alarm up` is found in the monitored file and the alarm is nullified when `Alarm down` is found in the monitored file.
Pattern search criteria	Click Add to add the pattern search criteria.
Search identifier name	Enter a unique label in the text box and configure a search string to define what type of messages the KM would search for.
Search string 1 and 2	In the String text box, enter the search string in one of the following formats: A combination of XML elements and values that you want to find in the monitored file. For configuring XML search strings, see Rules for entering XML search strings. Search pattern(s) - Each search pattern must be a valid regular expression. If you do not want to match the entered string, select the NOT check box. Examples: You want to search for the word 'error' in a file, enter error in the Search string 1 text box. You want to search for the words 'error' and 'fatal' in one line a file, enter error in the Search string 1 text box and fatal in the Search string 2 text box. You want to search for 'error', but 'warning' should not be present in the same line. In this case, enter error in the Search string 1 text box and warning in the Search string 2 text box. Select the NOT check box for the Search string 2 field.
Number search	Expand the Number search section to specify the search range in the log file. Use this section to define a range of numbers found in your log files. Locate those lines by specifying the numbers in the First number and Second number fields. You can use the Operator fields to select an operator that creates a wider range of the numbers that you specify. For example, all the numbers greater than 500 and less than 599. In this case, enter 500 in the First number field, select > in the first Operator field, enter 599 in the Second number field, and select < in the second Operator field. Tokens are the numbers that the KM assigns to words, characters, or punctuation marks in a log line. When a space is encountered in a line, next token number is assigned to the word, character, or any symbol that appears after the space. For example, in the following log line - 541 - Error - This field cannot be blank. Here is the token assignment for this log line: Use the Begin token and End token fields to capture the words that you want to monitor in the log lines.
Custom Event handling configuration	Expand the Custom Event handling configuration section to specify how to handle custom events.
Override Global Event handling configuration	Select this check box to custom-define the settings for each search criterion. You can custom-define a search criterion with the settings that are different from the default settings.
Threshold #1 and Threshold #2	In a data collection interval, enter the minimum number of times the search string matches are found. When the threshold is reached, events are generated with the state configured in the threshold state fields. If you do not configure thresholds, events are not generated even though strings are matched in a data collection interval. Specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format. Example 1: Threshold #1: 3 Threshold #2: 5 If a string matches 3 times in a data collection interval, threshold #1 is reached, an event is generated and the KM generates an alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times, an event is generated and the KM generates the configured state message. Example 2: Threshold #1: 3:5 Threshold #2: 5:5 If a string matches 3 times in last 5 data collection intervals, an event is generated and the KM generates and alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times in last 5 data collection intervals, an event is generated and the KM generates the configured state message.
Threshold #1 state and Threshold #2 state	Select the state of the KM when a threshold is reached.
Custom Event message	Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom Event origin	Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate Events for next (min)	Specify the time threshold for which duplicate events are ignored. Note: You can also modify the default search criterion settings after you configure the instance.
Global Event handling configuration for all search criteria
Threshold # 1 and Threshold #2	In a data collection interval, enter the minimum number of times the search string matches are found. When the threshold is reached, events are generated with the state configured in the threshold state fields. If you do not configure thresholds, events are not generated even though strings are matched in a data collection interval. Specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format. Example 1: Threshold #1: 3 Threshold #2: 5 If a string matches 3 times in a data collection interval, threshold #1 is reached, an event is generated and the KM generates an alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times, an event is generated and the KM generates the configured state message. Example 2: Threshold #1: 3:5 Threshold #2: 5:5 If a string matches 3 times in last 5 data collection intervals, an event is generated and the KM generates and alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times in last 5 data collection intervals, an event is generated and the KM generates the configured state message.
Threshold #1 state and Threshold #2 state	Select the state of the KM when a threshold is reached.
Custom Event message	Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom Event origin	Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate Events for next (min)	Specify the time threshold for which duplicate events are ignored. Note: You can also modify the default search criterion settings after you configure the instance.

Field

Description

Monitor Settings

Label for new file to be added

Specify the name of the label for the log file that you want to start monitoring.

Logical name

Specify the logical name of the instance that you want to monitor. Maximum 80 characters are supported in this field.

File name

Specify the full path and the filename for the file that you want to monitor.

Note: To monitor log files that have dynamic names, use the * and ?regular expressions to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.

Regular expressions are not accepted for named pipes. Maximum 900 characters are supported in this field.

Path contains environment variables

Select this check box to enter a path defined by an environment variable that is resolved at run time. If you select this check box, environment variables in the binary file path are resolved. Otherwise, the binary file is treated as a pure file name.

Advanced Settings

File disposition

Select ALL option if you are monitoring a dynamically named file and you want to monitor all of the files using the dynamic name specified in the File/Pipe Name field, rather than just the latest file.

Scan priority

The KM has three predefined collection intervals which can be set by configuring the Scan Priority field. This field displays the priority level at which you want the instance to be scanned.

The priority-collection interval mapping:

Scan Priority	Predefined Data Collection interval
Normal	2 minutes
Medium	10 minutes
Low	30 minutes

Normal is associated with the LogMainColl and LogRemoteMainColl collectors. Select this option to scan the file every 2 minutes.
Medium is associated with the LogMainCollP2 collector. Select this option to scan the file every 10 minutes.
Low is associated with the LogMainCollP3 collector. Select this option to scan the file every 30 minutes.

If you want to change how often the file is scanned, change the polling time of these collectors. The default scan interval is 2 minutes.

Note: You cannot select a value other than Normal for remote log instances. Attempting to do so will result in an error message.

Setting a custom collection interval:

You can set a none-default value also known as, custom collection interval, for each of the above priority values.

Navigate to your Log Management KM policy and select the Polling Intervals tab.
Click Add Polling Interval.
1. In the Monitoring solution field, select Log Management.
2. Select the version.
3. Select the Monitor Parameter as per your requirements. For more information, refer Scan priority, collection interval, and collection timeout table.
4. Set the polling interval of the monitor parameter with the custom collection interval.
5. Save the policy.

Scan priority, collection interval, and collection timeout table

Priority	Monitor Parameter	Predefined Data Collection interval	Collection timeout
Normal	LogMainColl	2 minutes	8 minutes
Medium	LogMainColl2	10 minutes	13 minutes
Low	LogMainColl3	30 minutes	33 minutes

Note: If you are using Log Management KM prior to version 2.7.30, ensure that the predefined data collection interval value does not exceed the collection timeout value.

Generate ALARM if file not modified

Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

If no match on next scan return to OK

Select this checkbox iIf the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

Binary File Settings

Filter program

Specify a filter program.

Always read at beginning

Select this check box if you want to scan the entire text file on each scan, rather than scanning only the new content.

Note: The text file will only be scanned if the file changes.

Multiline Search

Expand the Multiline Search frame to configure the start and end delimiters.

Field	Description
Start delimiter	Specify the start limit to search a block of lines containing a match string.
End delimiter	Specify the end limit to search a block of lines containing a match string.

Remote Monitoring

Expand the Remote Monitoring frame to add a remote host for monitoring.

Remote hostname: Specify the hostname for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.

Search Criteria Settings

Pattern Search Criteria: Click to configure a Pattern Search Criteria for the configured file.

Field	Description
Search Criterion
Search Identifier Name	Specify a unique label in the Search Identifier Name text box and configure a search string to define what type of messages the KM should search for.
Search String 1
NOT	(Optional) Select this checkbox if you want the KM to alarm if a string is not present in the file. Note: This option displays all the lines in the file that do not match the search string.
String	In the String text box, enter one of the following: First search string that you want to search in the text instance Regular expression for the first search string that you want to search in the text instance (4096-byte limit) Search pattern (s). Each search pattern should be a valid regular expression and should be enclosed in parentheses ({}). For example, {Job started} {Job stopped} {Job aborted}. Note The KM searches for each search pattern in the log file in the order in which you have specified the search patterns. These patterns are searched for the number of polling intervals that you specify in the Add Polling Intervals option. If all the search patterns are not found in the specified polling intervals, the KM generates an alarm. Note: BMC does not recommend performing the following actions: Entering multiple search patterns in the String1 text box, and selecting the Always Read At Beginning check box in simultaneously. Entering a single search pattern in the String1 text box. The KM might not generate any alarm in this case. For example, {`Job Started`}.
Search String 2
NOT	Select this check box if you want to identify log files in which the string is not found. For example, if we enter ERROR and FATAL as the search strings, the KM searches for the word ERROR AND FATAL at the same line.
String	Enter the second search string or regular expression.
Number Search
First number	Specify a number to specify a starting position of a search range in the matched file.
Op	Select the operator from the operator list. < <= = >= > !=
Second number	Specify a number to specify an ending position of a search range in the matched file line.
Op	Select the operator from the operator list. < <= = >= > !=
Begin token	Specify a valid beginning token value.
End token	Specify a valid ending token value.

Search Criteria Event Handling Configuration: Expand the frame to add a search criteria for handling events.

Field	Description
Override default setting	Select this checkbox to custom-define the settings for each search criterion. You can custom-define a search criterion with settings that are different from the default settings. To do so, select the Override default setting check box and custom-define the settings for each search criterion.
Threshold # 1	Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.
Threshold # 1 state	Select the state that you want the KM to exhibit when a threshold is reached. None Ok Warn Alarm Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.
Threshold #2	Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.
Threshold # 2 state	Select the state that you want the KM to exhibit when a threshold is reached. None Ok Warn Alarm
Custom event message	Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom event origin	Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate events for next (mins)	Specify the time threshold for which the duplicate events will be ignored. Note: You can also modify the default search criterion settings after you configure the instance.

Default Settings For Search Criteria

Threshold # 1

Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.

To search for a minimum number of text strings across a number of polling cycles, enter values in the x : y format; x represents the minimum number of text string matches, and y represents the total number of polling cycles.

Threshold # 1 state

Select the state that you want the KM to exhibit when a threshold is reached.

- None
- Ok
- Warn
- Alarm

Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

Threshold #2

Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.

Threshold # 2 state

Select the state that you want the KM to exhibit when a threshold is reached.

- None
- Ok
- Warn
- Alarm

Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

Custom event message

Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

Custom event origin

Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

Modifying this field affects the generated custom event origin causing the event to not be associated with the LOG instance level in the Central Monitoring Administration console.

Ignore duplicate events for next (mins)

Specify the time threshold for which the duplicate events will be ignored. You can also modify the default search criterion settings after you configure the instance.

OK Click to save the configuration.

Close Click this button to exit without saving any changes.

Note

The Log Monitoring Monitor Type is available for selection only after you upgrade to 2.7.20.01 and later versions of the KM. For an older version, refer to the Global Settings Monitor Type.

On the Add Monitor Types dialog, with the Monitoring Profile set to Log Monitoring, and the Monitor Type set to Log Monitoring, provide the following details:

Field	Description
Default Monitoring
Monitor PATROL log files	The KM supports monitoring of PATROL Agent log files with predefined search criteria. To enable this monitoring, select the Monitor PATROL log files check box. When this option is enabled, the KM creates two monitoring instances, PAgentLog_Alarm and PAgentLog_Warn to monitor the PATROL Agent log files with the predefined search criteria. PAgentLog_Alarm - This instance is configured to raise the alarm if one or more of the following strings are detected: “found inconsistencies” “PatrolAgent-W-EINTERNAL: PatrolAgent is running low on memory” “PatrolAgent: "not superuser" “Please check parameter history for corruption“ “runqSchedPolicy is now set to 9“ “Detected during operation readRec.fseek” PAgentLog_Alarm PAgentLog_Warn - This instance is configured to raise a warning if one or more of the following strings are detected: “remaining for PATROL license to expire” “Not authorized connect agent” “Please check parameter history for corruption” “PatrolAgent-E-EFORK: Couldn't fork a new process” The PAgentLog_Alarm and PAgentLog_Warn monitoring instances have a constant predefined search criteria that cannot be edited.
user permanent instance name when monitoring the latest file
Use permanent instance name when monitoring the latest file	Select this check box to have a single permanent instance while monitoring the latest log file.
Debug Settings
Enable reader debug	Select this check box if you want the KM to collect debug information for the pmgreader process in the log file. The diagnostic output is written to the monitored system in the following location: on UNIX: $PATROL_HOME/../pmg/port_ int/readerLog.txt on Windows:%PATROL_HOME%\port_ int\readerLog.txt where port is the port used by the agent and int is an integer (1, 2, or 3) that corresponds to the LOG KM collector's scan priority. Note: Selecting this check box enables debug information collection for all supported file types - text, binary, script, XML, and named pipe.
Enable KM debug	Select this check box if you want the KM to collect debug information of the entire LOG KM data on the <hostname> System Output window. Note: Selecting this check box enables debug information collection for all supported file types - text, binary, script, XML, and named pipe. In about 15 minutes (two or three polling cycles) the diagnostic output is saved in the PATROL log file located at PATROL_HOME/log directory. For local monitoring, the output will be saved at *pmg-Main-PATROL Agent host name-PATROL Agent port.kmlog* file. For remote monitoring, the output will be saved at *pmg-Monitored remote host-PATROL Agent host name-PATROL Agent port.kmlog* file.
Monitoring User
User Name	Enter the user name. This user name is the OS user for monitoring, who can access and read the monitored files and folder. However, the monitoring user must be an existing user. If this field is left blank, the PATROL default account is used for monitoring.
Password	Enter a password.
Confirm Password	Enter the same password again.

Field

Description

Label for new file to be added Specify the name of the label for the log file that you want to start monitoring.

Logical name

Specify the logical name of the instance that you want to monitor. Maximum 80 characters are supported in this field.

Pipe name

Specify the full path and the filename for the file that you want to monitor.

Note: To monitor log files that have dynamic names, use the * and ?regular expressions to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.

Regular expressions are not accepted for named pipes. Maximum 900 characters are supported in this field.

Path contains environment variables

Select this check box to enter a path defined by an environment variable that is resolved at run time. If you select this check box, environment variables in the named pipe path are resolved. Otherwise, the named pipe is treated as a pure file name.

Advanced Settings

File disposition Select ALL option if you are monitoring a dynamically named file and you want to monitor all of the files using the dynamic name specified in the File/Pipe Name field, rather than just the latest file.

Scan priority

The KM has three predefined collection intervals which can be set by configuring the Scan Priority field. This field displays the priority level at which you want the instance to be scanned.

The priority-collection interval mapping:

Scan Priority	Predefined Data Collection interval
Normal	2 minutes
Medium	10 minutes
Low	30 minutes

Normal is associated with the LogMainColl and LogRemoteMainColl collectors. Select this option to scan the file every 2 minutes.
Medium is associated with the LogMainCollP2 collector. Select this option to scan the file every 10 minutes.
Low is associated with the LogMainCollP3 collector. Select this option to scan the file every 30 minutes.

If you want to change how often the file is scanned, change the polling time of these collectors. The default scan interval is 2 minutes.

Note: You cannot select a value other than Normal for remote log instances. Attempting to do so will result in an error message.

Setting a custom collection interval:

You can set a none-default value also known as, custom collection interval, for each of the above priority values.

Navigate to your Log Management KM policy and select the Polling Intervals tab.
Click Add Polling Interval.
1. In the Monitoring solution field, select Log Management.
2. Select the version.
3. Select the Monitor Parameter as per your requirements. For more information, refer Scan priority, collection interval, and collection timeout table.
4. Set the polling interval of the monitor parameter with the custom collection interval.
5. Save the policy.

Scan priority, collection interval, and collection timeout table

Priority	Monitor Parameter	Predefined Data Collection interval	Collection timeout
Normal	LogMainColl	2 minutes	8 minutes
Medium	LogMainColl2	10 minutes	13 minutes
Low	LogMainColl3	30 minutes	33 minutes

Note: If you are using Log Management KM prior to version 2.7.30, ensure that the predefined data collection interval value does not exceed the collection timeout value.

Generate alarm if file not modified

Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

If no match on the next scan return to OK

Select this checkbox iIf the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

Multiline Search

Expand the Multiline Search frame to configure the start and end delimiters.

Field	Description
Start delimiter	Specify the start limit to search a block of lines containing a match string.
End delimiter	Specify the end limit to search a block of lines containing a match string.

Remote Monitoring

Expand the Remote Monitoring frame to add a remote host for monitoring.

Remote hostname: Specify the hostname for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.

Search Criteria Settings

Pattern Search Criteria: Click to configure a Pattern Search Criteria for the configured file.

Field	Description
Search Criterion
Search Identifier Name	Specify a unique label in the Search Identifier Name text box and configure a search string to define what type of messages the KM should search for.
Search String 1
NOT	(Optional) Select this checkbox if you want the KM to alarm if a string is not present in the file. Note: This option displays all the lines in the file that do not match the search string.
String	In the String text box, enter one of the following: First search string that you want to search in the text instance Regular expression for the first search string that you want to search in the text instance (4096-byte limit) Search pattern (s). Each search pattern should be a valid regular expression and should be enclosed in parentheses ({}). For example, {Job started} {Job stopped} {Job aborted}. Note The KM searches for each search pattern in the log file in the order in which you have specified the search patterns. These patterns are searched for the number of polling intervals that you specify in the Add Polling Intervals option. If all the search patterns are not found in the specified polling intervals, the KM generates an alarm. Note: BMC does not recommend performing the following actions: Entering multiple search patterns in the String1 text box, and selecting the Always Read At Beginning check box in simultaneously. Entering a single search pattern in the String1 text box. The KM might not generate any alarm in this case. For example, {`Job Started`}.
Search String 2
NOT	Select this check box if you want to identify log files in which the string is not found. For example, if we enter ERROR and FATAL as the search strings, the KM searches for the word ERROR AND FATAL at the same line.
String	Enter the second search string or regular expression.
Number Search
First number	Specify a number to specify a starting position of a search range in the matched file.
Op	Select the operator from the operator list. < <= = >= > !=
Second number	Specify a number to specify an ending position of a search range in the matched file line.
Op	Select the operator from the operator list. < <= = >= > !=
Begin token	Specify a valid beginning token value.
End token	Specify a valid ending token value.

Search Criteria Event Handling Configuration: Expand the frame to add a search criteria for handling events.

Field	Description
Override default setting	Select this checkbox to custom-define the settings for each search criterion. You can custom-define a search criterion with settings that are different from the default settings. To do so, select the Override default setting check box and custom-define the settings for each search criterion.
Threshold # 1	Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.
Threshold # 1 state	Select the state that you want the KM to exhibit when a threshold is reached. None Ok Warn Alarm Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.
Threshold #2	Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.
Threshold # 2 state	Select the state that you want the KM to exhibit when a threshold is reached. None Ok Warn Alarm
Custom event message	Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom event origin	Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate events for next (mins)	Specify the time threshold for which the duplicate events will be ignored. Note: You can also modify the default search criterion settings after you configure the instance.

Default Settings For Search Criteria

Threshold # 1

Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.

To search for a minimum number of text strings across a number of polling cycles, enter values in the x : y format; x represents the minimum number of text string matches, and y represents the total number of polling cycles.

Threshold # 1 state

Select the state that you want the KM to exhibit when a threshold is reached.

- None
- Ok
- Warn
- Alarm

Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

Threshold #2

Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.

Threshold # 2 state

Select the state that you want the KM to exhibit when a threshold is reached.

- None
- Ok
- Warn
- Alarm

Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

Custom event message

Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

Custom event origin

Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

Modifying this field affects the generated custom event origin causing the event to not be associated with the LOG instance level in the Central Monitoring Administration console.

Ignore duplicate events for next (mins)

Specify the time threshold for which the duplicate events will be ignored. You can also modify the default search criterion settings after you configure the instance.

OK Click to save the configuration.

Close Click this button to exit without saving any changes.

Field	Description
Monitoring environment label	Enter the name of the label for the log file that you want to monitor.
Monitoring file logical name	Enter the logical name of the instance that you want to monitor. A maximum of 80 characters are allowed in this field.
Script file (full path)	Enter the full path and the filename of the script that you want to monitor. A maximum of 900 characters are supported in this field. To successfully run and monitor a script file output, ensure that the script can run without any runtime dependency. For example, the script file `\temp\cpumonitor.bat` can run without any runtime dependency. Therefore, it is monitored by the KM. However, if the script file requires a command to run or has any other runtime dependency, the KM does not monitor it. For example, if the `\temp\cputmonitor.py` script is executed by running the following command: `python \temp\cputmonitor.py` Such a script output is not monitored by the KM.
Arguments	Enter script arguments. Separate multiple arguments with a space.
Path contains environment variables	Select the check box if the full path contains environment variable and the path defined by the environment variable is resolved at run time.
Data collection interval for local monitoring (min)	For local monitoring, set the data collection interval in minutes. For remote monitoring, the data is collected every 2 minutes only. For large systems, BMC recommends that you use the 10 or 30 minutes option.
Advanced settings
If no match on next scan return to OK	Select the check box if the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.
Text settings
Number of lines in log entry	Specify the number of lines that you want to be displayed when a match is found. For example, if you want to determine when a disk is full and where the disk is mounted, enter `Error: Disc Full` as the search string and `2` in this field. When a disk is full, the product displays the following message in the LOGMatchString text parameter: `Id=id1` `031605: Error: Disc Full` `Id=;MatchedLines` `/hd001 mounted as /opt` `SUMMARY:id1=1;` Note: If either the search string or the nullify string occurs again within the number of lines selected to be displayed, the KM does not find the instances of the search strings for all the search identifiers.
Search criteria to nullify an Alarm/Warning state	Specify the string to nullify the alarm for the dual search feature. You can configure dual search for an instance so that the KM goes into the alarm state when any of the search criteria is found in the monitored file and nullifies the alarm when the nullify string is found in the monitored file. You must specify the first string in the Search String 1 > String text box of the Pattern search criteria section and the nullify string in this text box. For the nullified customized events, the default custom event message is used (as provided in the Custom Event Message text box in the Pattern search criteria section). If you specify `Alarm up` in the String1 text box and `Alarm down` in this text box, the KM goes into an alarm state when `Alarm up` is found in the monitored file and the alarm is nullified when `Alarm down` is found in the monitored file.
Multiline Search
Start delimiter	Specify the start limit to search a block of lines containing a match string.
Stop delimiter	Specify the end limit to search a block of lines containing a match string.
Remote monitoring
Remote host name	Enter the host name for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.
Search criteria strings
Regex type	Select the regex type that you want to use to prepare the search criteria. Note: The ECMAScript option is not supported on the HP-UX platform.
Pattern search criteria	Click Add to add the pattern search criteria.
Search identifier name	Enter a unique label in the text box and configure a search string to define what type of messages the KM would search for.
Search string 1 and 2	In the String text box, enter the search string in one of the following formats: A combination of XML elements and values that you want to find in the monitored file. For configuring XML search strings, see Rules for entering XML search strings. Search pattern(s) - Each search pattern must be a valid regular expression. Enclose each pattern in parentheses ({}). If you do not want to match the entered string, select the NOT check box.
Number search	Expand the Number search section to specify the search range in the log file. Use this section to define a range of numbers found in your log files. Locate those lines by specifying the numbers in the First number and Second number fields. You can use the Operator fields to select an operator that creates a wider range of the numbers that you specify. For example, all the numbers greater than 500 and less than 599. In this case, enter 500 in the First number field, select > in the first Operator field, enter 599 in the Second number field, and select < in the second Operator field. Tokens are the numbers that the KM assigns to words, characters, or punctuation marks in a log line. When a space is encountered in a line, next token number is assigned to the word, character, or any symbol that appears after the space. For example, in the following log line - 541 - Error - This field cannot be blank. Here is the token assignment for this log line: Use the Begin token and End token fields to capture the words that you want to monitor in the log lines.
Custom Event handling configuration	Expand the Custom Event handling configuration section to specify how to handle custom events.
Override Global Event handling configuration	Select this check box to custom-define the settings for each search criterion. You can custom-define a search criterion with the settings that are different from the default settings.
Threshold #1 and Threshold #2	Enter the minimum number of text search string matches in a data collection interval required to produce a specified state. You can specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format.
Threshold #1 State and Threshold #2 State	Select the state of the KM when a threshold is reached.
Custom Event message	Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom Event origin	Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate Events for next (min)	Specify the time threshold for which duplicate events are ignored. Note: You can also modify the default search criterion settings after you configure the instance.
Global Event handling configuration for all search criteria's
Threshold # 1 and Threshold #2	Enter the minimum number of text search string matches in a data collection interval required to produce a specified state. You can specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format.
Threshold # 1 state and Threshold #2 state	Select the state of the KM when a threshold is reached.
Custom Event message	Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom Event origin	Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate Events for next (min)	Specify the time threshold for which duplicate events are ignored. Note: You can also modify the default search criterion settings after you configure the instance.

Field

Description

Label for new file to be added Specify the name of the label for the log file that you want to start monitoring.

Logical name

Specify the logical name of the instance that you want to monitor. Maximum 80 characters are supported in this field.

File name

Specify the full path and the filename for the file that you want to monitor.

Note: To monitor log files that have dynamic names, use the * and ?regular expressions to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.

Regular expressions are not accepted for named pipes. Maximum 900 characters are supported in this field.

Path contains environment variables

Select this check box to enter a path defined by an environment variable that is resolved at run time. If you select this check box, environment variables in the XML file path are resolved. Otherwise, the XML file is treated as a pure file name.

Advanced Settings

File disposition Select ALL option if you are monitoring a dynamically named file and you want to monitor all of the files using the dynamic name specified in the File/Pipe Name field, rather than just the latest file.

Scan priority

The KM has three predefined collection intervals which can be set by configuring the Scan Priority field. This field displays the priority level at which you want the instance to be scanned.

The priority-collection interval mapping:

Scan Priority	Predefined Data Collection interval
Normal	2 minutes
Medium	10 minutes
Low	30 minutes

Normal is associated with the LogMainColl and LogRemoteMainColl collectors. Select this option to scan the file every 2 minutes.
Medium is associated with the LogMainCollP2 collector. Select this option to scan the file every 10 minutes.
Low is associated with the LogMainCollP3 collector. Select this option to scan the file every 30 minutes.

If you want to change how often the file is scanned, change the polling time of these collectors. The default scan interval is 2 minutes.

Note: You cannot select a value other than Normal for remote log instances. Attempting to do so will result in an error message.

Setting a custom collection interval:

You can set a none-default value also known as, custom collection interval, for each of the above priority values.

Navigate to your Log Management KM policy and select the Polling Intervals tab.
Click Add Polling Interval.
1. In the Monitoring solution field, select Log Management.
2. Select the version.
3. Select the Monitor Parameter as per your requirements. For more information, refer Scan priority, collection interval, and collection timeout table.
4. Set the polling interval of the monitor parameter with the custom collection interval.
5. Save the policy.

Scan priority, collection interval, and collection timeout table

Priority	Monitor Parameter	Predefined Data Collection interval	Collection timeout
Normal	LogMainColl	2 minutes	8 minutes
Medium	LogMainColl2	10 minutes	13 minutes
Low	LogMainColl3	30 minutes	33 minutes

Note: If you are using Log Management KM prior to version 2.7.30, ensure that the predefined data collection interval value does not exceed the collection timeout value.

Generate alarm if file not modified

Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

If no match on the next scan return to OK

Select this checkbox iIf the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

XML Settings

Expand the frame to configure the XML settings.

Field	Description
Once closing root-tag is found, Delete instance after (minutes)	Specify the time in minutes after which you want the KM to delete the instance once the closing root-tag is found.
Always read at beginning	Select this checkbox if you want to scan the entire XML file on each scan, rather than scanning only the new content.

Multiline Search

Expand the Multiline Search frame to configure the start and end delimiters.

Field	Description
Start delimiter	Specify the start limit to search a block of lines containing a match string.
End delimiter	Specify the end limit to search a block of lines containing a match string.

Remote Monitoring

Expand the Remote Monitoring frame to add a remote host for monitoring.

Remote hostname: Specify the hostname for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.

Search Criteria Settings

Pattern Search Criteria: Click to configure a Pattern Search Criteria for the configured file.

Field

Description

Search Criterion

Search Identifier Name

Specify a unique label in the Search Identifier Name text box and configure a search string to define what type of messages the KM should search for.

String

In the String text box, enter the search string in one of the following formats:

A combination of XML elements and values that you want to find in the monitored file. For configuring XML search strings, see Rules for entering XML search strings.
Search pattern (s). Each search pattern should be a valid regular expression. Enclose each pattern in parentheses ({}).

Search Criteria Event Handling Configuration: Expand the frame to add a search criteria for handling events.

Field	Description
Override default setting	Select this checkbox to custom-define the settings for each search criterion. You can custom-define a search criterion with settings that are different from the default settings. To do so, select the Override default setting check box and custom-define the settings for each search criterion.
Threshold # 1	Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.
Threshold # 1 state	Select the state that you want the KM to exhibit when a threshold is reached. None Ok Warn Alarm Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.
Threshold #2	Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.
Threshold # 2 state	Select the state that you want the KM to exhibit when a threshold is reached. None Ok Warn Alarm
Custom event message	Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
Custom event origin	Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.
Ignore duplicate events for next (mins)	Specify the time threshold for which the duplicate events will be ignored. Note: You can also modify the default search criterion settings after you configure the instance.

Default Settings For Search Criteria

Threshold # 1

Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.

To search for a minimum number of text strings across a number of polling cycles, enter values in the x : y format; x represents the minimum number of text string matches, and y represents the total number of polling cycles.

Threshold # 1 state

Select the state that you want the KM to exhibit when a threshold is reached.

- None
- Ok
- Warn
- Alarm

Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

Threshold #2

Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.

Threshold # 2 state

Select the state that you want the KM to exhibit when a threshold is reached.

- None
- Ok
- Warn
- Alarm

Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

Custom event message

Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

Custom event origin

Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

Modifying this field affects the generated custom event origin causing the event to not be associated with the LOG instance level in the Central Monitoring Administration console.

Ignore duplicate events for next (mins)

Specify the time threshold for which the duplicate events will be ignored. You can also modify the default search criterion settings after you configure the instance.

OK Click to save the configuration.

Close Click this button to exit without saving any changes.

Configuring after installation

Configuring remote monitoring of files on UNIX machines

Configuration details

Comments