==== System Logs ====

=== Purpose ===

Many problems can be detected by checking the system logs. This monitor regularly checks whether a given log pattern can be found in the system log within a period of time. When a problem is detected, you are notified by an alarm containing the log line itself, or a count of lines matching the pattern.

This monitor is very useful if you know the signature of a problem in the logs and want to be notified as soon as it occurs. It can also be used to detect an abnormal number of critical log lines.

=== Configuration hints ===

The monitor will look for a specific log level or string patterns in the log message. You can have two kinds of surveillance:

  - FORWARD mode: log lines matching a filter will be forwarded as an alarm if their number exceeds the threshold.
  - COUNT mode: an alarm will be sent if the number of lines matching the filter is over the threshold.

Use the surveillance table to adjust the monitoring settings:

  - Log Id
  - Log Sub Id
  - Program
  - Text pattern

**Pattern syntax**

  - str: Match if the string is contained in the text (case insensitive)
  - !str: Match if the string is *not* contained in the text (case insensitive)
  - str1,str2: Match if str1 or str2 is in the text (case insensitive)
  - str1+str2: Match if str1 and str2 are in the text (case insensitive)
  - str1+!str2: Match if str1 is in the text and str2 is *not* (case insensitive)
  - Any regular expression.

=== Surveillance table ===

^Parameter^Description^
^Active|Use this field to activate or deactivate a line of configuration.|
^Mode|Choose the surveillance mode.|
^Id|A filter for the line Id of the log.|
^Sub Id|A filter for the SubId of the line.|
^Program|A filter for the program associated with the line.|
^String pattern|This field can be used to define the text pattern to look for in the log. Regular expressions can be used, or a comma-separated list of strings.|
^Exclude Pattern|Use this field to exclude lines following a given pattern. Regular expressions can be used, or a comma-separated list of strings.|
^Occurrence|In COUNT mode: the threshold for the maximum number of lines matching the filters. In FORWARD mode: the minimum number of (identical) matching lines necessary to forward the line in an alarm.|
^Period (min)|Defines how far in the past the probe will look for log lines. If set to 60, it will look for log lines written in the last 60 minutes.|
^Severity|The level of severity of the alarm generated by this line of surveillance.|
^Auto clear|If checked, the alarm will be cleared as soon as the alarm condition is no longer met.|
^Alarm tag|This field adds custom text to the alarm message. The %MSG% variable contains the actual generated message and can be used as in: "my_prefix %MSG% my_suffix". By default, the tag is used as a prefix.|
^Alarm|If checked, this line of surveillance will be used for alarm generation.|
^Metric|If checked, this line of surveillance will be used for metric generation.|
^Report|If checked, this line of surveillance will be used to show the threshold and severity in the daily report.|

=== Examples ===

^Active^Mode^Id^Sub Id^Program^String pattern^Exclude Pattern^Occurrence^Period (min)^Severity^Auto clear^Alarm tag^Alarm^Metric^Report^
|true|COUNT|*|*|*|CPIC| |5|60|MAJOR|true| |true|false|false|

**Effect**: Sends a MAJOR alarm if 5 or more log lines contain the string CPIC in the last 60 minutes.

^Active^Mode^Id^Sub Id^Program^String pattern^Exclude Pattern^Occurrence^Period (min)^Severity^Auto clear^Alarm tag^Alarm^Metric^Report^
|true|FORWARD|*|*|*|CPIC| |5|60|MAJOR|true| |true|false|false|

**Effect**: Computes the number of identical log lines containing the string CPIC. Sends an alarm for each identical line with a count greater than or equal to 5.

=== Generated metrics ===

^metricId^metricUnit^metricTarget^metricDescription^
|SYSLOG_LINE_OCCURENCE|status|Pattern X on INSTANCE| |
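
The string forms of the pattern syntax and the COUNT and FORWARD modes described above can be sketched as follows. This is an added example, not the monitor's own code: the function names, the precedence of `,` over `+`, the `>=` threshold comparison (taken from the Examples section) and the sample log lines are assumptions, and the regular-expression form is not covered.

```python
from collections import Counter
from datetime import datetime, timedelta

def matches(pattern, text):
    """Evaluate the string forms of the pattern syntax (regex form not covered).
    Assumption: ',' separates OR alternatives, each a '+'-joined AND group."""
    text = text.lower()
    def term(t):
        t = t.strip().lower()
        return t[1:] not in text if t.startswith("!") else t in text
    return any(all(term(t) for t in alt.split("+")) for alt in pattern.split(","))

def evaluate(mode, pattern, exclude, occurrence, period_min, lines, now):
    """Return the alarm messages produced by one surveillance line.
    lines: (timestamp, message) tuples. The threshold is applied as '>=',
    following the page's examples ("5 or more"); this is an assumption."""
    since = now - timedelta(minutes=period_min)
    hits = [msg for ts, msg in lines
            if since <= ts <= now and matches(pattern, msg)
            and not (exclude and matches(exclude, msg))]
    if mode == "COUNT":
        return [f"{len(hits)} lines match '{pattern}'"] if len(hits) >= occurrence else []
    # FORWARD: forward each distinct line seen at least `occurrence` times
    return [f"{msg} (x{n})" for msg, n in Counter(hits).items() if n >= occurrence]

# Constructed sample log lines (not taken from a real system)
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE = (
    [(NOW - timedelta(minutes=m), "CPIC return code 020 on gateway") for m in range(5)]
    + [(NOW - timedelta(minutes=10), "cpic timeout, connection closed")]
    + [(NOW - timedelta(minutes=90), "CPIC return code 020 on gateway")]  # outside period
    + [(NOW - timedelta(minutes=3), "User logon failed")]
)

if __name__ == "__main__":
    print(evaluate("COUNT", "CPIC", "", 5, 60, SAMPLE, NOW))
    print(evaluate("FORWARD", "CPIC", "", 5, 60, SAMPLE, NOW))
```

With the same filter, COUNT reports all six matching lines in the period as one alarm, while FORWARD reports only the line that repeats five times; the single "cpic timeout" line stays below the FORWARD threshold.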