Configuring after installation

Discontinued support

Support for all versions of the Binary Files, Named Pipe, and XML Files monitor types is discontinued from September 20, 2019 and these monitor types are removed from the product in the 2.7.40 version.

This topic provides information about configuring the Log Management KM.

In the Log Management monitoring solution, select the latest version, and select the Log Monitoring monitor profile. Configure the monitor types as per your requirements. 

To configure monitor types and other monitoring capabilities:

Configuring remote monitoring of files on UNIX machines

Click to view a short video (5:50) of how to configure remote monitoring of files on UNIX machines by using PATROL for Log Management and PATROL for UNIX and Linux.

 https://youtu.be/GcUJ1CsYAjQ

Configuration details

    Field
    Description
    Monitoring environment label Enter the name of the label for the log file that you want to monitor.
    Monitoring file logical name

    Enter the logical name of the instance that you want to monitor. A maximum of 80 characters are allowed in this field.

    Log file (full path)

    Enter the full path and the filename of the file that you want to monitor.

    Note: To monitor log files that have dynamic names, use wildcard characters, such as * and ? to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.  

    A maximum of 900 characters are supported in this field.

    Path contains environment variables

    Select the check box if the full path contains environment variable and the path defined by the environment variable is resolved at run time.

    File disposition If you are monitoring log file whose name is created dynamically, to monitor the latest such file, select Latest. To monitor all such files, select All.
    Data collection interval for local monitoring (min) For local monitoring, set the data collection interval in minutes. For remote monitoring, the data is collected every 2 minutes only. For large systems, BMC recommends that you use the 10 or 30 minutes option.

    Advanced Settings

    Generate Alarm if file not modified (min)

    Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

    Backup file name Specify the name of the backup file.
    If no match on the next scan return to OK

    Select this check box if the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

    Text Settings
    Number of lines in log entry Specify the number of lines that you want to display in the LOGMatchString text parameter when a match is found. For example, if you want to determine when a disk is full and where the disk is mounted, enter Error: Disc Full as the search string and 2 in this field. When a disk is full, the KM displays the following message in the LOGMatchString text parameter: 

    Id=id1 
    031605: Error: Disc Full 
    Id=;MatchedLines 
    /hd001 mounted as /opt 
    SUMMARY:id1=1;

    To include these specified number of lines in the generated event, after saving the configuration, add the /PMG/CONFIG/<instanceName>/appendLogEntryLinesToCustomEvent configuration variable (Configuration Variable > Add Configuration Variable with Value set as 1).

    Note: If either the search string or the nullify string occurs again within the number of lines selected to be displayed, the KM does not find the instances of the search strings for all the search identifiers.
    Always read at beginning after file modification

    Select this check box if you want to scan the entire text file on each scan, rather than scanning only the new content.

    Note: The text file is scanned only if the file changes.

    File read position

    Select the read position of a file after the PATROL Agent is re-initialized or when a new file matches the file path.

    • Read from last offset - Log file reads from the last offset
    • Read from end of file - Log file reads from the end of the file
    • Read from beginning of file - Log file reads from the beginning of the file
    • Use existing configuration - Log file is read from the last offset
    Multiline search
    Start delimiter Specify the start limit to search a block of lines containing a match string.
    End delimiter Specify the end limit to search a block of lines containing a match string.
    Remote Monitoring
    Remote host name Enter the host name for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.
    Search criteria settings
    Regex type

    Select the regex type that you want to use to prepare the search criteria.

    Note: The ECMAScript option is not supported on the HP-UX platform.

    Search criteria to nullify an Alarm/Warning state

    Specify the string to nullify the alarm for the dual search feature. You can configure dual search for an instance so that the KM goes into the alarm state when any of the search criteria is found in the monitored file and nullifies the alarm when the nullify string is found in the monitored file.

    You must specify the first string in the Search String 1 > String text box of the Pattern search criteria section and the nullify string in this text box. For the nullified customized events, the default custom event message is used (as provided in the Custom Event Message text box in the Pattern search criteria section).

    If you specify Alarm up in the String1 text box and Alarm down in this text box, the KM goes into an alarm state when Alarm up is found in the monitored file and the alarm is nullified when Alarm down is found in the monitored file.

    Pattern search criteria Click Add to add the pattern search criteria.
    Search identifier name Enter a unique label in the text box and configure a search string to define what type of messages the KM would search for.
    Search string 1 and 2

    In the String text box, enter the search string in one of the following formats:

    • A combination of XML elements and values that you want to find in the monitored file. For configuring XML search strings, see Rules for entering XML search strings.
    • Search pattern(s) - Each search pattern must be a valid regular expression. 

    If you do not want to match the entered string, select the NOT check box.

    Examples:

    • You want to search for the word 'error' in a file, enter error in the Search string 1 text box.
    • You want to search for the words 'error' and 'fatal' in one line a file, enter error in the Search string 1 text box and fatal in the Search string 2 text box.
    • You want to search for 'error', but 'warning' should not be present in the same line. In this case, enter error in the Search string 1 text box and warning in the Search string 2 text box. Select the NOT check box for the Search string 2 field.
    Number search

    Expand the Number search section to specify the search range in the log file.

    Use this section to define a range of numbers found in your log files. Locate those lines by specifying the numbers in the First number and Second number fields. You can use the Operator fields to select an operator that creates a wider range of the numbers that you specify. For example, all the numbers greater than 500 and less than 599. In this case, enter 500 in the First number field, select > in the first Operator field, enter 599 in the Second number field, and select < in the second Operator field.

    Tokens are the numbers that the KM assigns to words, characters, or punctuation marks in a log line. When a space is encountered in a line, next token number is assigned to the word, character, or any symbol that appears after the space. For example, in the following log line - 541 - Error - This field cannot be blank. Here is the token assignment for this log line:

    Use the Begin token and End token fields to capture the words that you want to monitor in the log lines.

    Custom Event handling configuration Expand the Custom Event handling configuration section to specify how to handle custom events.
    Override Global Event handling configuration

    Select this check box to custom-define the settings for each search criterion.

    You can custom-define a search criterion with the settings that are different from the default settings.

    Threshold #1 and Threshold #2

    In a data collection interval, enter the minimum number of times the search string matches are found. When the threshold is reached, events are generated with the state configured in the threshold state fields. If you do not configure thresholds, events are not generated even though strings are matched in a data collection interval.

    Specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format.

    Example 1:

    Threshold #1: 3

    Threshold #2: 5

    If a string matches 3 times in a data collection interval, threshold #1 is reached, an event is generated and the KM generates an alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times, an event is generated and the KM generates the configured state message.

    Example 2:

    Threshold #1: 3:5

    Threshold #2: 5:5

    If a string matches 3 times in last 5 data collection intervals, an event is generated and the KM generates and alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times in last 5 data collection intervals, an event is generated and the KM generates the configured state message.

    Threshold #1 state and Threshold #2 state Select the state of the KM when a threshold is reached.
    Custom Event message Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
    Custom Event origin

    Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate Events for next (min)

    Specify the time threshold for which duplicate events are ignored.

    Note: You can also modify the default search criterion settings after you configure the instance.

    Global Event handling configuration for all search criteria
    Threshold # 1 and Threshold #2

    In a data collection interval, enter the minimum number of times the search string matches are found. When the threshold is reached, events are generated with the state configured in the threshold state fields. If you do not configure thresholds, events are not generated even though strings are matched in a data collection interval.

    Specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format.

    Example 1:

    Threshold #1: 3

    Threshold #2: 5

    If a string matches 3 times in a data collection interval, threshold #1 is reached, an event is generated and the KM generates an alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times, an event is generated and the KM generates the configured state message.

    Example 2:

    Threshold #1: 3:5

    Threshold #2: 5:5

    If a string matches 3 times in last 5 data collection intervals, an event is generated and the KM generates and alarm, warning, or OK message based on the value set in Threshold #1 state. Similarly, if the string matches 5 times in last 5 data collection intervals, an event is generated and the KM generates the configured state message.

    Threshold #1 state and Threshold #2 state

    Select the state of the KM when a threshold is reached.

    Custom Event message

    Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

    Custom Event origin

    Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate Events for next (min)

    Specify the time threshold for which duplicate events are ignored.

    Note: You can also modify the default search criterion settings after you configure the instance.

    Field

    Description

    Monitor Settings
    Label for new file to be added

    Specify the name of the label for the log file that you want to start monitoring.

    Logical name

    Specify the logical name of the instance that you want to monitor. Maximum 80 characters are supported in this field.

    File name

    Specify the full path and the filename for the file that you want to monitor.

    Note: To monitor log files that have dynamic names, use the * and ?regular expressions to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.

    Regular expressions are not accepted for named pipes. Maximum 900 characters are supported in this field.

    Path contains environment variables

    Select this check box to enter a path defined by an environment variable that is resolved at run time. If you select this check box, environment variables in the binary file path are resolved. Otherwise, the binary file is treated as a pure file name.

    Advanced Settings

    File disposition

    Select ALL option if you are monitoring a dynamically named file and you want to monitor all of the files using the dynamic name specified in the File/Pipe Name field, rather than just the latest file.

    Scan priority

    The KM has three predefined collection intervals which can be set by configuring the Scan Priority field. This field displays the priority level at which you want the instance to be scanned.

    The priority-collection interval mapping:

    Scan Priority

    Predefined Data Collection interval

    Normal

    2 minutes                        

    Medium

    10 minutes

    Low

    30 minutes

    • Normal is associated with the LogMainColl and LogRemoteMainColl collectors. Select this option to scan the file every 2 minutes.
    • Medium is associated with the LogMainCollP2 collector. Select this option to scan the file every 10 minutes.
    • Low is associated with the LogMainCollP3 collector. Select this option to scan the file every 30 minutes.

    If you want to change how often the file is scanned, change the polling time of these collectors. The default scan interval is 2 minutes.

    Note: You cannot select a value other than Normal for remote log instances. Attempting to do so will result in an error message.

    Setting a custom collection interval:

    You can set a none-default value also known as, custom collection interval, for each of the above priority values.

    1. Navigate to your Log Management KM policy and select the Polling Intervals tab.
    2. Click Add Polling Interval.
      1. In the Monitoring solution field, select Log Management.
      2. Select the version.
      3. Select the Monitor Parameter as per your requirements. For more information, refer Scan priority, collection interval, and collection timeout table.
      4. Set the polling interval of the monitor parameter with the custom collection interval.

      5. Save the policy.

    Scan priority, collection interval, and collection timeout table

    Priority

    Monitor Parameter

    Predefined Data Collection
    interval

    Collection timeout

    Normal

    LogMainColl

    2 minutes

    8 minutes

    Medium

    LogMainColl2

    10 minutes

    13 minutes

    Low

    LogMainColl3

    30 minutes

    33 minutes

    Note: If you are using Log Management KM prior to version 2.7.30, ensure that the predefined data collection interval value does not exceed the collection timeout value.

    Generate ALARM if file not modified

    Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

    If no match on next scan return to OK

    Select this checkbox iIf the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

    Binary File Settings
    Filter program

    Specify a filter program.

    Always read at beginning

    Select this check box if you want to scan the entire text file on each scan, rather than scanning only the new content.

    Note: The text file will only be scanned if the file changes.

    Multiline Search

    Expand the Multiline Search frame to configure the start and end delimiters.

    Field Description
    Start delimiter Specify the start limit to search a block of lines containing a match string.
    End delimiter Specify the end limit to search a block of lines containing a match string.

    Remote Monitoring

    Expand the Remote Monitoring frame to add a remote host for monitoring.

    Remote hostname: Specify the hostname for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.

    Search Criteria Settings

    Pattern Search Criteria: Click  to configure a Pattern Search Criteria for the configured file. 

    Field Description
    Search Criterion
    Search Identifier Name Specify a unique label in the Search Identifier Name text box and configure a search string to define what type of messages the KM should search for.
    Search String 1
    NOT

    (Optional) Select this checkbox if you want the KM to alarm if a string is not present in the file.

    Note: This option displays all the lines in the file that do not match the search string.

    String

    In the String text box, enter one of the following:

    • First search string that you want to search in the text instance
    • Regular expression for the first search string that you want to search in the text
      instance (4096-byte limit)

    • Search pattern (s). Each search pattern should be a valid regular expression and should be enclosed in parentheses ({}). For example, {Job started} {Job stopped} {Job aborted}.

    Note

    The KM searches for each search pattern in the log file in the order in which you have specified the search patterns. These patterns are searched for the number of polling intervals that you specify in the Add Polling Intervals option. If all the search patterns are not found in the specified polling intervals, the KM generates an alarm.

    Note:

    BMC does not recommend performing the following actions:

    • Entering multiple search patterns in the String1 text box, and selecting the Always Read At Beginning check box in simultaneously.
    • Entering a single search pattern in the String1 text box. The KM might not generate any alarm in this case. For example, {Job Started}.
    Search String 2
    NOT

    Select this check box if you want to identify log files in which the string is not found.

    For example, if we enter ERROR and FATAL as the search strings, the KM searches for the word ERROR AND FATAL at the same line.

    String Enter the second search string or regular expression.
    Number Search
    First number Specify a number to specify a starting position of a search range in the matched file.
    Op

    Select the operator from the operator list.

    • <
    • <=
    • =
    • >=
    • >
    • !=
    Second number Specify a number to specify an ending position of a search range in the matched file line.
    Op

    Select the operator from the operator list.

    • <
    • <=
    • =
    • >=
    • >
    • !=
    Begin token Specify a valid beginning token value.
    End token Specify a valid ending token value.

    Search Criteria Event Handling Configuration: Expand the frame to add a search criteria for handling events.

    Field Description
    Override default setting

    Select this checkbox to custom-define the settings for each search criterion.

    You can custom-define a search criterion with settings that are different from the default settings. To do so, select the Override default setting check box and custom-define the settings for each search criterion.

    Threshold # 1 Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.
    Threshold # 1 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Threshold #2 Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.
    Threshold # 2 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm
    Custom event message Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
    Custom event origin

    Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate events for next (mins)

    Specify the time threshold for which the duplicate events will be ignored.

    Note:

    You can also modify the default search criterion settings after you configure the instance.

    Default Settings For Search Criteria
    Threshold # 1

    Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.

    To search for a minimum number of text strings across a number of polling cycles, enter values in the x : y format; x represents the minimum number of text string matches, and y represents the total number of polling cycles.

    Threshold # 1 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Threshold #2

    Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.

    Threshold # 2 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Custom event message

    Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

    Custom event origin

    Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Modifying this field affects the generated custom event origin causing the event to not be associated with the LOG instance level in the Central Monitoring Administration console.

    Ignore duplicate events for next (mins)

    Specify the time threshold for which the duplicate events will be ignored. You can also modify the default search criterion settings after you configure the instance.

    OK Click to save the configuration.
    Close Click this button to exit without saving any changes.


    Note

    The Log Monitoring Monitor Type is available for selection only after you upgrade to 2.7.20.01 and later versions of the KM. For an older version, refer to the Global Settings Monitor Type.

    On the Add Monitor Types dialog, with the Monitoring Profile set to Log Monitoring, and the Monitor Type set to Log Monitoring, provide the following details:

    Field
    Description
    Default Monitoring
    Monitor PATROL log files

    The KM supports monitoring of PATROL Agent log files with predefined search criteria. To enable this monitoring, select the Monitor PATROL log files check box.

    When this option is enabled, the KM creates two monitoring instances, PAgentLog_Alarm and PAgentLog_Warn to monitor the PATROL Agent log files with the predefined search criteria.

    • PAgentLog_Alarm - This instance is configured to raise the alarm if one or more of the following strings are detected:
      • “found inconsistencies”
      • “PatrolAgent-W-EINTERNAL: PatrolAgent is running low on memory”
      • “PatrolAgent: "not superuser"
      • “Please check parameter history for corruption“
      • “runqSchedPolicy is now set to 9“
      • “Detected during operation readRec.fseek”
      • PAgentLog_Alarm
    • PAgentLog_Warn - This instance is configured to raise a warning if one or more of the following strings are detected:

      • “remaining for PATROL license to expire”
      • “Not authorized connect agent”
      • “Please check parameter history for corruption”
      • “PatrolAgent-E-EFORK: Couldn't fork a new process”

    The PAgentLog_Alarm and PAgentLog_Warn monitoring instances have a constant predefined search criteria that cannot be edited.

    user permanent instance name when monitoring the latest file
    Use permanent instance name when monitoring the latest file Select this check box to have a single permanent instance while monitoring the latest log file.

    Debug Settings

    Enable reader debug

    Select this check box if you want the KM to collect debug information for the pmgreader process in the log file.

    The diagnostic output is written to the monitored system in the following location:

    • on UNIX: $PATROL_HOME/../pmg/port_ int*/readerLog.txt*
    • on Windows:%PATROL_HOME%\port_ int*\readerLog.txt*

    where port is the port used by the agent and int is an integer (1, 2, or 3) that corresponds to the LOG KM collector's scan priority.

    Note: Selecting this check box enables debug information collection for all supported file types - text, binary, script, XML, and named pipe.

    Enable KM debug

    Select this check box if you want the KM to collect debug information of the entire LOG KM data on the <hostname> System Output window.

    Note: Selecting this check box enables debug information collection for all supported file types - text, binary, script, XML, and named pipe.

    In about 15 minutes (two or three polling cycles) the diagnostic output is saved in the PATROL log file located at PATROL_HOME/log directory.

    For local monitoring, the output will be saved at pmg-Main-PATROL Agent host name-PATROL Agent port.kmlog file.

    For remote monitoring, the output will be saved at pmg-Monitored remote host-PATROL Agent host name-PATROL Agent port.kmlog file.

    Monitoring User

    User Name


    Enter the user name.

    This user name is the OS user for monitoring, who can access and read the monitored files and folder. However, the monitoring user must be an existing user. If this field is left blank, the PATROL default account is used for monitoring.

    Password Enter a password.
    Confirm Password Enter the same password again. 

    Field

    Description

    Label for new file to be added Specify the name of the label for the log file that you want to start monitoring.
    Logical name

    Specify the logical name of the instance that you want to monitor. Maximum 80 characters are supported in this field.

    Pipe name

    Specify the full path and the filename for the file that you want to monitor.

    Note: To monitor log files that have dynamic names, use the * and ?regular expressions to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.

    Regular expressions are not accepted for named pipes. Maximum 900 characters are supported in this field.

    Path contains environment variables

    Select this check box to enter a path defined by an environment variable that is resolved at run time. If you select this check box, environment variables in the named pipe path are resolved. Otherwise, the named pipe is treated as a pure file name.

    Advanced Settings

    File disposition Select ALL option if you are monitoring a dynamically named file and you want to monitor all of the files using the dynamic name specified in the File/Pipe Name field, rather than just the latest file.
    Scan priority

    The KM has three predefined collection intervals which can be set by configuring the Scan Priority field. This field displays the priority level at which you want the instance to be scanned.

    The priority-collection interval mapping:

    Scan Priority

    Predefined Data Collection interval

    Normal

    2 minutes                        

    Medium

    10 minutes

    Low

    30 minutes

    • Normal is associated with the LogMainColl and LogRemoteMainColl collectors. Select this option to scan the file every 2 minutes.
    • Medium is associated with the LogMainCollP2 collector. Select this option to scan the file every 10 minutes.
    • Low is associated with the LogMainCollP3 collector. Select this option to scan the file every 30 minutes.

    If you want to change how often the file is scanned, change the polling time of these collectors. The default scan interval is 2 minutes.

    Note: You cannot select a value other than Normal for remote log instances. Attempting to do so will result in an error message.

    Setting a custom collection interval:

    You can set a none-default value also known as, custom collection interval, for each of the above priority values.

    1. Navigate to your Log Management KM policy and select the Polling Intervals tab.
    2. Click Add Polling Interval.
      1. In the Monitoring solution field, select Log Management.
      2. Select the version.
      3. Select the Monitor Parameter as per your requirements. For more information, refer Scan priority, collection interval, and collection timeout table.
      4. Set the polling interval of the monitor parameter with the custom collection interval.

      5. Save the policy.

    Scan priority, collection interval, and collection timeout table

    Priority

    Monitor Parameter

    Predefined Data Collection
    interval

    Collection timeout

    Normal

    LogMainColl

    2 minutes

    8 minutes

    Medium

    LogMainColl2

    10 minutes

    13 minutes

    Low

    LogMainColl3

    30 minutes

    33 minutes

    Note: If you are using Log Management KM prior to version 2.7.30, ensure that the predefined data collection interval value does not exceed the collection timeout value.

    Generate alarm if file not modified

    Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

    If no match on the next scan return to OK

    Select this checkbox iIf the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

    Multiline Search


    Expand the Multiline Search frame to configure the start and end delimiters.

    Field Description
    Start delimiter Specify the start limit to search a block of lines containing a match string.
    End delimiter Specify the end limit to search a block of lines containing a match string.
    Remote Monitoring

    Expand the Remote Monitoring frame to add a remote host for monitoring.

    Remote hostname: Specify the hostname for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.

    Search Criteria Settings

    Pattern Search Criteria: Click  to configure a Pattern Search Criteria for the configured file. 

    Field Description
    Search Criterion
    Search Identifier Name Specify a unique label in the Search Identifier Name text box and configure a search string to define what type of messages the KM should search for.
    Search String 1
    NOT

    (Optional) Select this checkbox if you want the KM to alarm if a string is not present in the file.

    Note: This option displays all the lines in the file that do not match the search string.

    String

    In the String text box, enter one of the following:

    • First search string that you want to search in the text instance
    • Regular expression for the first search string that you want to search in the text
      instance (4096-byte limit)

    • Search pattern (s). Each search pattern should be a valid regular expression and should be enclosed in parentheses ({}). For example, {Job started} {Job stopped} {Job aborted}.

    Note

    The KM searches for each search pattern in the log file in the order in which you have specified the search patterns. These patterns are searched for the number of polling intervals that you specify in the Add Polling Intervals option. If all the search patterns are not found in the specified polling intervals, the KM generates an alarm.

    Note:

    BMC does not recommend performing the following actions:

    • Entering multiple search patterns in the String1 text box, and selecting the Always Read At Beginning check box in simultaneously.
    • Entering a single search pattern in the String1 text box. The KM might not generate any alarm in this case. For example, {Job Started}.
    Search String 2
    NOT

    Select this check box if you want to identify log files in which the string is not found.

    For example, if we enter ERROR and FATAL as the search strings, the KM searches for the word ERROR AND FATAL at the same line.

    String Enter the second search string or regular expression.
    Number Search
    First number Specify a number to specify a starting position of a search range in the matched file.
    Op

    Select the operator from the operator list.

    • <
    • <=
    • =
    • >=
    • >
    • !=
    Second number Specify a number to specify an ending position of a search range in the matched file line.
    Op

    Select the operator from the operator list.

    • <
    • <=
    • =
    • >=
    • >
    • !=
    Begin token Specify a valid beginning token value.
    End token Specify a valid ending token value.

    Search Criteria Event Handling Configuration: Expand the frame to add a search criteria for handling events.

    Field Description
    Override default setting

    Select this checkbox to custom-define the settings for each search criterion.

    You can custom-define a search criterion with settings that are different from the default settings. To do so, select the Override default setting check box and custom-define the settings for each search criterion.

    Threshold # 1 Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.
    Threshold # 1 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Threshold #2 Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.
    Threshold # 2 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm
    Custom event message Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
    Custom event origin

    Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate events for next (mins)

    Specify the time threshold for which the duplicate events will be ignored.

    Note:

    You can also modify the default search criterion settings after you configure the instance.

    Default Settings For Search Criteria
    Threshold # 1

    Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.

    To search for a minimum number of text strings across a number of polling cycles, enter values in the x : y format; x represents the minimum number of text string matches, and y represents the total number of polling cycles.

    Threshold # 1 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Threshold #2

    Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.

    Threshold # 2 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Custom event message

    Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

    Custom event origin

    Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Modifying this field affects the generated custom event origin causing the event to not be associated with the LOG instance level in the Central Monitoring Administration console.

    Ignore duplicate events for next (mins)

    Specify the time threshold for which the duplicate events will be ignored. You can also modify the default search criterion settings after you configure the instance.

    OK Click to save the configuration.
    Close Click this button to exit without saving any changes.

    Field
    Description
    Monitoring environment label Enter the name of the label for the log file that you want to monitor.
    Monitoring file logical name

    Enter the logical name of the instance that you want to monitor. A maximum of 80 characters are allowed in this field.

    Script file (full path)

    Enter the full path and the filename of the script that you want to monitor.

    A maximum of 900 characters are supported in this field.

    To successfully run and monitor a script file output, ensure that the script can run without any runtime dependency. For example, the script file \temp\cpumonitor.bat can run without any runtime dependency. Therefore, it is monitored by the KM. However, if the script file requires a command to run or has any other runtime dependency, the KM does not monitor it. For example, if the \temp\cputmonitor.py script is executed by running the following command:

    python \temp\cputmonitor.py

    Such a script output is not monitored by the KM.

    Arguments Enter script arguments. Separate multiple arguments with a space.
    Path contains environment variables

    Select the check box if the full path contains environment variable and the path defined by the environment variable is resolved at run time.

    Data collection interval for local monitoring (min) For local monitoring, set the data collection interval in minutes. For remote monitoring, the data is collected every 2 minutes only. For large systems, BMC recommends that you use the 10 or 30 minutes option.

    Advanced settings

    If no match on next scan return to OK
    Select the check box if the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.
    Text settings
    Number of lines in log entry Specify the number of lines that you want to be displayed when a match is found. For example, if you want to determine when a disk is full and where the disk is mounted, enter Error: Disc Full as the search string and 2 in this field. When a disk is full, the product displays the following message in the LOGMatchString text parameter: 

    Id=id1 
    031605: Error: Disc Full 
    Id=;MatchedLines 
    /hd001 mounted as /opt 
    SUMMARY:id1=1;

    Note: If either the search string or the nullify string occurs again within the number of lines selected to be displayed, the KM does not find the instances of the search strings for all the search identifiers.
    Search criteria to nullify an Alarm/Warning state

    Specify the string to nullify the alarm for the dual search feature. You can configure dual search for an instance so that the KM goes into the alarm state when any of the search criteria is found in the monitored file and nullifies the alarm when the nullify string is found in the monitored file.

    You must specify the first string in the Search String 1 > String text box of the Pattern search criteria section and the nullify string in this text box. For the nullified customized events, the default custom event message is used (as provided in the Custom Event Message text box in the Pattern search criteria section).

    If you specify Alarm up in the String1 text box and Alarm down in this text box, the KM goes into an alarm state when Alarm up is found in the monitored file and the alarm is nullified when Alarm down is found in the monitored file.

    Multiline Search
    Start delimiter Specify the start limit to search a block of lines containing a match string.
    Stop delimiter Specify the end limit to search a block of lines containing a match string.
    Remote monitoring
    Remote host name Enter the host name for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.
    Search criteria strings
    Regex type

    Select the regex type that you want to use to prepare the search criteria.

    Note: The ECMAScript option is not supported on the HP-UX platform.

    Pattern search criteria Click Add to add the pattern search criteria.
    Search identifier name Enter a unique label in the text box and configure a search string to define what type of messages the KM would search for.
    Search string 1 and 2

    In the String text box, enter the search string in one of the following formats:

    • A combination of XML elements and values that you want to find in the monitored file. For configuring XML search strings, see Rules for entering XML search strings.
    • Search pattern(s) - Each search pattern must be a valid regular expression. Enclose each pattern in parentheses ({}).
    If you do not want to match the entered string, select the NOT check box.
    Number search

    Expand the Number search section to specify the search range in the log file.

    Use this section to define a range of numbers found in your log files. Locate those lines by specifying the numbers in the First number and Second number fields. You can use the Operator fields to select an operator that creates a wider range of the numbers that you specify. For example, all the numbers greater than 500 and less than 599. In this case, enter 500 in the First number field, select > in the first Operator field, enter 599 in the Second number field, and select < in the second Operator field.

    Tokens are the numbers that the KM assigns to words, characters, or punctuation marks in a log line. When a space is encountered in a line, next token number is assigned to the word, character, or any symbol that appears after the space. For example, in the following log line - 541 - Error - This field cannot be blank. Here is the token assignment for this log line:

    Use the Begin token and End token fields to capture the words that you want to monitor in the log lines.

    Custom Event handling configuration Expand the Custom Event handling configuration section to specify how to handle custom events.
    Override Global Event handling configuration

    Select this check box to custom-define the settings for each search criterion.

    You can custom-define a search criterion with the settings that are different from the default settings.

    Threshold #1 and Threshold #2 Enter the minimum number of text search string matches in a data collection interval required to produce a specified state. You can specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format.
    Threshold #1 State and Threshold #2 State Select the state of the KM when a threshold is reached.
    Custom Event message Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
    Custom Event origin

    Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate Events for next (min)

    Specify the time threshold for which duplicate events are ignored.

    Note: You can also modify the default search criterion settings after you configure the instance.

    Global Event handling configuration for all search criteria's
    Threshold # 1 and Threshold #2 Enter the minimum number of text search string matches in a data collection interval required to produce a specified state. You can specify a different state and a different number of matches in Threshold #1 and Threshold #2. Ensure that value in Threshold #2 is greater than Threshold #1. To search for a minimum number of text strings across a number of collection intervals, enter values in the x:y format.
    Threshold # 1 state and Threshold #2 state Select the state of the KM when a threshold is reached.
    Custom Event message Enter the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
    Custom Event origin

    Enter the customized origin for events. If you do not specify the origin, the KM uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate Events for next (min)

    Specify the time threshold for which duplicate events are ignored.

    Note: You can also modify the default search criterion settings after you configure the instance.

    Field

    Description

    Label for new file to be added Specify the name of the label for the log file that you want to start monitoring.
    Logical name

    Specify the logical name of the instance that you want to monitor. Maximum 80 characters are supported in this field.

    File name

    Specify the full path and the filename for the file that you want to monitor.

    Note: To monitor log files that have dynamic names, use the * and ?regular expressions to define the file name. For example, if a log file is named backup_date.log, where date changes each day, enter the log file name as backup_*.log.

    Regular expressions are not accepted for named pipes. Maximum 900 characters are supported in this field.

    Path contains environment variables

    Select this check box to enter a path defined by an environment variable that is resolved at run time. If you select this check box, environment variables in the XML file path are resolved. Otherwise, the XML file is treated as a pure file name.

    Advanced Settings

    File disposition Select ALL option if you are monitoring a dynamically named file and you want to monitor all of the files using the dynamic name specified in the File/Pipe Name field, rather than just the latest file.
    Scan priority

    The KM has three predefined collection intervals which can be set by configuring the Scan Priority field. This field displays the priority level at which you want the instance to be scanned.

    The priority-collection interval mapping:

    Scan Priority

    Predefined Data Collection interval

    Normal

    2 minutes                        

    Medium

    10 minutes

    Low

    30 minutes

    • Normal is associated with the LogMainColl and LogRemoteMainColl collectors. Select this option to scan the file every 2 minutes.
    • Medium is associated with the LogMainCollP2 collector. Select this option to scan the file every 10 minutes.
    • Low is associated with the LogMainCollP3 collector. Select this option to scan the file every 30 minutes.

    If you want to change how often the file is scanned, change the polling time of these collectors. The default scan interval is 2 minutes.

    Note: You cannot select a value other than Normal for remote log instances. Attempting to do so will result in an error message.

    Setting a custom collection interval:

    You can set a none-default value also known as, custom collection interval, for each of the above priority values.

    1. Navigate to your Log Management KM policy and select the Polling Intervals tab.
    2. Click Add Polling Interval.
      1. In the Monitoring solution field, select Log Management.
      2. Select the version.
      3. Select the Monitor Parameter as per your requirements. For more information, refer Scan priority, collection interval, and collection timeout table.
      4. Set the polling interval of the monitor parameter with the custom collection interval.

      5. Save the policy.

    Scan priority, collection interval, and collection timeout table

    Priority

    Monitor Parameter

    Predefined Data Collection
    interval

    Collection timeout

    Normal

    LogMainColl

    2 minutes

    8 minutes

    Medium

    LogMainColl2

    10 minutes

    13 minutes

    Low

    LogMainColl3

    30 minutes

    33 minutes

    Note: If you are using Log Management KM prior to version 2.7.30, ensure that the predefined data collection interval value does not exceed the collection timeout value.

    Generate alarm if file not modified

    Select this check box if you want the instance to generate an alarm if the monitored file is not modified periodically. Specify the time in minutes after which you want the KM to alarm if the file is not modified, in the minutes text box.

    If no match on the next scan return to OK

    Select this checkbox iIf the KM goes into an alarm or a warning state because the search string is found and you want the KM state to return to OK if the search string is not found on the next scan.

    XML Settings

    Expand the frame to configure the XML settings.

    Field Description
    Once closing root-tag is found, Delete instance after (minutes) Specify the time in minutes after which you want the KM to delete the instance once the closing root-tag is found.
    Always read at beginning Select this checkbox if you want to scan the entire XML file on each scan, rather than scanning only the new content.

    Multiline Search

    Expand the Multiline Search frame to configure the start and end delimiters.

    Field Description
    Start delimiter Specify the start limit to search a block of lines containing a match string.
    End delimiter Specify the end limit to search a block of lines containing a match string.

    Remote Monitoring

    Expand the Remote Monitoring frame to add a remote host for monitoring.

    Remote hostname: Specify the hostname for remote monitoring. This field is applicable only for UNIX and Linux platforms. UNIX KM must be installed and the Remote Monitoring policy must be defined.

    Search Criteria Settings

    Pattern Search Criteria: Click  to configure a Pattern Search Criteria for the configured file. 

    Field Description
    Search Criterion
    Search Identifier Name Specify a unique label in the Search Identifier Name text box and configure a search string to define what type of messages the KM should search for.
    String

    In the String text box, enter the search string in one of the following formats:

    • A combination of XML elements and values that you want to find in the monitored file. For configuring XML search strings, see Rules for entering XML search strings.
    • Search pattern (s). Each search pattern should be a valid regular expression. Enclose each pattern in parentheses ({}).

    Search Criteria Event Handling ConfigurationExpand the frame to add a search criteria for handling events.

    Field Description
    Override default setting

    Select this checkbox to custom-define the settings for each search criterion.

    You can custom-define a search criterion with settings that are different from the default settings. To do so, select the Override default setting check box and custom-define the settings for each search criterion.

    Threshold # 1 Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.
    Threshold # 1 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Threshold #2 Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.
    Threshold # 2 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm
    Custom event message Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.
    Custom event origin

    Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName.

    You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Ignore duplicate events for next (mins)

    Specify the time threshold for which the duplicate events will be ignored.

    Note:

    You can also modify the default search criterion settings after you configure the instance.


    Default Settings For Search Criteria
    Threshold # 1

    Specify the minimum number of text search string matches in a polling cycle required to produce a specified state.

    To search for a minimum number of text strings across a number of polling cycles, enter values in the x : y format; x represents the minimum number of text string matches, and y represents the total number of polling cycles.

    Threshold # 1 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Threshold #2

    Specify the minimum number of text search string matches required to produce a specified state. You can specify a different state and a different number of matches from Threshold #1. Threshold #2 should be higher than Threshold #1. To search for a minimum number of text strings across a number of polling cycles, enter values in the x:y format.

    Threshold # 2 state

    Select the state that you want the KM to exhibit when a threshold is reached.

      • None
      • Ok
      • Warn
      • Alarm

    Note: If you want the KM to go into alarm when the search string is found 3 times in the monitored file, then you would set the value of Threshold #1 to 3 and select Alarm from the State list.

    Custom event message

    Specify the message that you want to be displayed in the events when your search string conditions are satisfied. For more information, see Customizing event messages.

    Custom event origin

    Specify the customized origin for events. If you do not specify the origin, the product uses the instance name as the default origin of events, which is APPCLASS.INSTANCE.textFileName. You can use built-in macros (except the %x[-%y] macro) as the customized origin for events.

    Modifying this field affects the generated custom event origin causing the event to not be associated with the LOG instance level in the Central Monitoring Administration console.

    Ignore duplicate events for next (mins)

    Specify the time threshold for which the duplicate events will be ignored. You can also modify the default search criterion settings after you configure the instance.

    OK Click to save the configuration.
    Close Click this button to exit without saving any changes.


    Was this page helpful? Yes No Submitting... Thank you

    Comments