Log file specification considerations


Each monitored log has a DefaultFacility and DefaultSeverity directive, followed by multiple optional UseFacility and UseSeverity statements. Each UseFacility and UseSeverity statement can have multiple MatchKeyWord statements, providing a simple way to configure facilities and severities for any particular message.

A message's content can match multiple UseFacility or UseSeverity statements:

  • If a message matches multiple UseSeverity statements, the severity used is the highest severity level (that is, the lowest number) of any severity matched.
    For example, if a message matches two UseSeverity statements and one is informational and the other is critical, the transmitted message uses the critical severity.
  • If a message matches multiple UseFacility statements, the transmitted message uses the facility with the highest-numbered facility code. If no facility matches but the severity matches, the DefaultFacility value is used.


To filter out data that is not important, you can set the DefaultSeverity for each log file to disabled. The default severity is applied only if no other severity specification matches, so in this case only messages that have been assigned a severity are sent as syslog messages. This reduces the load on the syslog server if you have thousands of log file monitors, and lets the administrator target a key set of messages.

The LogStatChange directive lets you monitor for the existence or modification of any file system object. This directive should not use any UseFacility or UseSeverity values, or any MatchKeyWord statements. It permits watching for changes to critical file system objects, such as password files, configuration files, or directories. You can use this directive only with the LogFile directive.
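The facility and severity resolution rules above, worked through in an added Python model that is not part of the product or this documentation. The Rule and LogMonitor structures, the substring keyword matching, and the sample log lines are assumptions made for illustration; DefaultSeverity "disabled" is modelled as None.

```python
# Added example: resolves facility/severity for one monitored log according to
# the rules described above. Config structure and keyword matching are assumed.
from dataclasses import dataclass, field
from typing import Optional

# Standard syslog numeric codes (RFC 5424); lower severity number = more severe.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10,
            "local0": 16, "local7": 23}

@dataclass
class Rule:
    value: str            # severity or facility name for this UseSeverity/UseFacility
    keywords: list        # MatchKeyWord values; any one matching selects the rule

@dataclass
class LogMonitor:
    default_facility: str
    default_severity: Optional[str]          # None models DefaultSeverity disabled
    use_facility: list = field(default_factory=list)
    use_severity: list = field(default_factory=list)

def resolve(monitor, message):
    """Return (facility_code, severity_code), or None if the message is not sent."""
    # Assumption: a keyword matches as a case-sensitive substring of the message.
    sev = [SEVERITY[r.value] for r in monitor.use_severity
           if any(k in message for k in r.keywords)]
    fac = [FACILITY[r.value] for r in monitor.use_facility
           if any(k in message for k in r.keywords)]
    if sev:
        severity = min(sev)               # highest severity wins (lowest number)
    elif monitor.default_severity is None:
        return None                       # DefaultSeverity disabled: message dropped
    else:
        severity = SEVERITY[monitor.default_severity]
    # highest-numbered facility wins; DefaultFacility only when nothing matched
    facility = max(fac) if fac else FACILITY[monitor.default_facility]
    return facility, severity

def priority(facility, severity):
    """syslog PRI value carried in the <PRI> header."""
    return facility * 8 + severity

# Constructed monitor and sample lines (not taken from any real system).
SAMPLE_MONITOR = LogMonitor(
    default_facility="local0", default_severity=None,
    use_facility=[Rule("auth", ["login"]), Rule("authpriv", ["sudo"])],
    use_severity=[Rule("info", ["login"]), Rule("crit", ["failed"])],
)
SAMPLE_LINES = [
    "login failed for root from 10.0.0.5",   # info + crit match -> crit; auth
    "sudo: user ran /bin/ls",                # facility only -> dropped (disabled)
    "cron job finished",                     # nothing matches -> dropped
]
```

Running resolve over SAMPLE_LINES shows that with DefaultSeverity disabled, a line that matches only a UseFacility rule is still dropped, which is the load-reduction behaviour the text describes.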

Important

An optional MaxSizeChange directive is associated with log file monitoring. If the log file size increases to a large value, rather than sending out many syslog messages, the program sends a single File Size Changed syslog message. This prevents a situation in which the administrator must truncate the file manually or copy another file on top of the monitored file.
