4.58 Syslog

Use this Knowledge Script to monitor the syslog file asynchronously for specific messages or search strings. You define the search criteria as Perl regular expressions, with optional modifiers, in an Include filter and an Exclude filter, or you keep the expressions in a separate filter file and point this Knowledge Script at that file.

You can use the Include filter, the Exclude filter, or both. When both are set, a message is returned only if it matches at least one Include expression and matches none of the Exclude expressions.

To specify the include and exclude patterns, you need to be familiar with Perl regular expressions. For more information, see Section 4.1, Creating Filters with Regular Expressions.

On all platforms, the UNIX agent must run as root, or as a user that has been granted root-level authority through the sudo configuration file, to configure and read the syslog file. Set this up before running this Knowledge Script. SUSE 10 replaced the BSD-style syslogd with syslog-ng, which this script does not monitor; if you need syslogd monitoring on SUSE 10, install and configure the earlier BSD-based syslogd.

This Knowledge Script creates a synchronized duplicate of the syslog file in $AM_HOME/log/ and reads the duplicate rather than the UNIX syslog file itself. The duplicate holds everything the system log holds, including authentication failures, user names and host names, so treat it as you treat the original: restrict $AM_HOME/log/ and the copy so that only the agent's user can read them (no group or world read access), and give the copy the same retention and deletion policy as the syslog file. If you cannot protect the copy to that standard, do not run the script.

4.58.1 Resource Object

UNIX computer

4.58.2 Default Schedule

The default interval for this script is Asynchronous. After you start the Knowledge Script job, it runs continuously on the monitored system and reports events or data as they occur.

4.58.3 Setting Parameter Values

Set the following parameters as needed:

Description

How to Set It

Event Settings

Raise event if syslog matches filter?

Select Yes to raise events. The default is Yes.

Event message to display (clearing this setting will display the matched line)

Type the event message you want to display when messages matching the search criteria are found. If you leave this field blank, the entry in the syslog file that matched your search criteria is displayed as the event message.

If you specify a custom event message, you can still view the matching entry from the syslog file by displaying the Properties for the child event and clicking the Message tab.

The default event message is Syslog match found.

Event severity level

Set the event notification level, from 1 to 40, to indicate the importance of the event. By default, the severity level is 8.

Add filter expression string to event message?

Select Yes for AppManager to add the filter to the details of the event message. The default is Yes.

Remove timestamp string from event message?

Select Yes to remove the timestamp from the event message. The default is No, which means that the syslog timestamp remains in the event message.

Remove process id string from event message?

Select Yes if you do not want the syslog process identifier in the event message. The default is No, which means that the syslog process ID remains in the event message.

Event severity for internal failure

Set the event severity level, from 1 to 40, to indicate the importance of an event in which this job experienced an internal error. The default is 5.

Filter Settings

Include Filter

Base regular expression

Enter a Perl regular expression that identifies the pattern you want to look for in the syslog file. The default expression matches all strings.

For information about writing Perl regular expressions, see Section 4.1, Creating Filters with Regular Expressions.

Control Center also allows you to override values for parameters. You might want to use that feature instead of, or in conjunction with, this parameter. For more information about setting overrides, see the Control Center User Guide.

Special regular expression

Enter an additional regular expression to look for in specific situations. For example, you can have a base regular expression that you use in jobs that run on all computers, then an additional regular expression that you only use in jobs running on some computers.

Control Center also allows you to override values for parameters. You might want to use that feature instead of, or in conjunction with, this parameter. For more information about setting overrides, see the Control Center User Guide.

Modifier for regular expression

You can use optional modifiers to change the behavior of the regular expression. For example, specifying i makes the include filter case-insensitive.

Exclude Filter

Base regular expression

Enter a Perl regular expression that identifies the pattern you want to exclude from the syslog file. The default is .*.

Special regular expression

Enter an additional regular expression to exclude in specific situations. For example, you can have a base regular expression that you use in jobs that run on all computers, then an additional regular expression that you only use in jobs running on some computers. For information about how to selectively run jobs, see the Control Center User Guide for NetIQ AppManager.

Modifier for regular expression

You can use optional modifiers to change the behavior of the regular expression. For example, entering i makes the exclude filter case-insensitive.

Optional file containing additional filters

Enter the full path to a file containing any additional filter items you want to match. You can also use this parameter if you only want to specify matching expressions in an external file.

Collect data?

Select Yes to collect data for reports and graphs. When set to Yes, the script returns the number of messages that matched the search criteria. The default is No.

Enable debugging? (y/n)

Select Yes to enable debugging. The default is No.
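The Event Settings parameters above (custom event message, remove timestamp, remove process ID, add filter expression) are easiest to understand on a concrete line. The following Python is an added illustration written for this page, not AppManager's own code. It assumes the BSD/RFC 3164 syslog layout (Mon DD HH:MM:SS host tag[pid]: message), which the page does not state, and its function names, field names and the sample line are this example's own.

```python
import re
from typing import Dict, Optional

# Assumed RFC 3164 / BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message".
# The page does not document the layout the script parses; this regex is the
# example's assumption. "[ \d]\d" accepts the space-padded day ("Jan  2 ...").
SYSLOG_LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample line (not from a real host).
SAMPLE_LINE = ("Jan 12 03:04:05 web01 sshd[2211]: Failed password for invalid user admin "
               "from 203.0.113.7 port 51422 ssh2")


def parse_syslog_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a line into timestamp, host, tag, pid (None if absent) and msg."""
    m = SYSLOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def build_event_message(line: str, custom_message: str = "",
                        remove_timestamp: bool = False, remove_pid: bool = False,
                        filter_expr: str = "", add_filter: bool = True) -> Dict[str, str]:
    """Model the event settings: returns the event 'message' and its 'details'.

    - custom_message, when set, replaces the matched line as the message; the
      matched line then remains visible only in the details.
    - remove_timestamp / remove_pid strip those fields from the matched line.
    - add_filter appends the filter expression to the details.
    """
    fields = parse_syslog_line(line)
    if fields is None:
        shaped = line  # not in the expected layout: pass it through untouched
    else:
        tag = fields["tag"]
        if fields["pid"] is not None and not remove_pid:
            tag = f"{tag}[{fields['pid']}]"
        shaped = f"{fields['host']} {tag}: {fields['msg']}"
        if not remove_timestamp:
            shaped = f"{fields['timestamp']} {shaped}"

    message = custom_message or shaped
    details = f"Matched line: {shaped}"
    if add_filter and filter_expr:
        details += f"\nFilter: {filter_expr}"
    return {"message": message, "details": details}


if __name__ == "__main__":
    ev = build_event_message(SAMPLE_LINE, remove_timestamp=True, remove_pid=True,
                             filter_expr="Failed password")
    print(ev["message"])
    print(ev["details"])
```

Lines that are not in the assumed layout (kernel messages carry no PID, and some daemons write free-form headers) are passed through unchanged rather than dropped, so an unexpected format never silently loses an event.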

4.58.4 Example of How this Script Is Used

This Knowledge Script allows you to specify include and exclude expressions as Knowledge Script properties or maintain your search criteria independent of the Knowledge Script parameters in a separate filter file.

In many cases, specifying a filter file provides greater flexibility and makes modifying your search criteria more straightforward because you can add virtually any number of expressions and you do not need to modify the Knowledge Script properties through the Operator Console to pick up your changes.

If you want to use a filter file:

  • Identify the strings that you want to find a match for in the syslog file (the entries you want to include in your results).

  • Create the file with one regular expression string per line to locate matching strings.

  • Make sure the file exists on the target UNIX computer and is writable only by administrators. The agent reads it with root-level authority, and anyone who can edit it can silence or redirect the monitoring.

  • Enter the absolute path to the file, as seen by the UNIX agent on that computer, in the Optional file containing additional filters parameter and start the job.
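To see how the Include filter, the Exclude filter, the modifier and the optional filter file described on this page fit together, here is an added, stand-alone Python model of that logic covering both the filter rules at the top of this section and the filter-file procedure just listed. It is not the Knowledge Script's own code: the function and parameter names are invented, Python's re module stands in for Perl's regex engine (they agree on the syntax used here but differ on some advanced constructs), the sample log lines and filter file are constructed, blank filter-file lines are skipped (the page only says one expression per line), and an empty pattern is treated as "filter not set".

```python
import re
from typing import Iterable, List, Optional

# Constructed sample syslog lines (not from a real host), RFC 3164 layout.
SAMPLE_SYSLOG = """\
Jan 12 03:04:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Jan 12 03:04:09 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2
Jan 12 03:05:00 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 03:05:31 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 12 03:06:02 web01 kernel: [12345.678] Out of memory: Kill process 2450 (java) score 812
Jan 12 03:06:40 web01 sshd[2398]: FAILED PASSWORD for root from 203.0.113.7 port 51490 ssh2
"""

# Constructed example of the "Optional file containing additional filters":
# one Perl-style regular expression per line.
FILTER_FILE_TEXT = """\
Out of memory
COMMAND=.*systemctl
"""

# Perl modifier letter -> Python re flag (the subset with a direct equivalent).
MODIFIER_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def parse_modifiers(mods: str) -> int:
    """Translate a modifier string such as 'i' or 'ix' into re flags."""
    flags = 0
    for ch in mods:
        if ch not in MODIFIER_FLAGS:
            raise ValueError(f"unsupported modifier {ch!r}")
        flags |= MODIFIER_FLAGS[ch]
    return flags


def load_filter_file(text: str) -> List[str]:
    """One expression per line; blank lines are ignored (this example's assumption)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def compile_filter(patterns: Iterable[str], mods: str = "") -> list:
    """Compile the non-empty patterns of one filter with its modifier."""
    flags = parse_modifiers(mods)
    return [re.compile(p, flags) for p in patterns if p]


def syslog_matches(lines: Iterable[str], include_base: str = "", include_special: str = "",
                   include_mods: str = "", exclude_base: str = "", exclude_special: str = "",
                   exclude_mods: str = "", filter_file_text: Optional[str] = None) -> List[str]:
    """Return the lines the job would raise events for.

    A line is returned when it matches at least one include expression (base,
    special, or any line of the filter file) and matches none of the exclude
    expressions. With no include expressions at all, every line is a candidate,
    mirroring the page's "default expression matches all strings".
    """
    include_patterns = [include_base, include_special]
    if filter_file_text is not None:
        include_patterns += load_filter_file(filter_file_text)
    include = compile_filter(include_patterns, include_mods)
    exclude = compile_filter([exclude_base, exclude_special], exclude_mods)

    matched = []
    for line in lines:
        if include and not any(p.search(line) for p in include):
            continue
        if any(p.search(line) for p in exclude):
            continue
        matched.append(line)
    return matched


def match_count(lines: Iterable[str], **filters) -> int:
    """What 'Collect data?' would record: the number of matching messages."""
    return len(syslog_matches(lines, **filters))


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for hit in syslog_matches(lines, include_base="failed password", include_mods="i",
                              exclude_base="invalid user"):
        print(hit)
```

Two points the model makes visible: without the i modifier the include expression "failed password" matches neither of the two failed logins in the sample (the daemon writes "Failed password" and "FAILED PASSWORD"), and an exclude expression of .* would match every line, so check what the Exclude filter actually contains in your environment before relying on it.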