Text log monitoring in Operations Manager part 1

Part 1: Built-in monitor

In this series of blog posts I will cover text log monitoring in SCOM.

First off, there are some limitations with the built-in monitor type for monitoring text log files on Windows servers. For example, circular log files and log files that are re-created quickly can't be monitored. This is a known limitation, and Microsoft has published a KB article with information about text and CSV log file monitoring. Read more here.

When using the built-in rule you can create your monitor directly in the Operations Manager console, in the Authoring Console, or with the Visual Studio Authoring Extensions. I will demonstrate the steps in the Authoring Console.

1. Open the Authoring Console and create a new MP, Class and Discovery. (I will not cover this part in this blog post.)

2. Navigate to Health Model and Rules.

3. Right-click or use the Action menu and select New -> Alerting -> Text Log.

4. Set ID and Name of the Rule. Also target the rule at a class contained in the MP.

5. In Directory, specify the directory on the server or servers where the log files are located. Pattern indicates the name of the log files; wildcards can be used in the file name. If the log files use UTF8 encoding, mark the check box; otherwise leave it unchecked.

6. Next, an expression to match an event in the text log is needed. The text log entry is passed in the parameter “Params/Param[1]”. Using the operator Matches regular expression lets you match that entry against a regular expression.

A tip is to use the pipe symbol (|) to match several values in one expression. A good resource for checking your regular expression is the online tool RegexPal.

7. Set an Alert Name, Priority and Severity. In the Alert description, enter an informative text.

Finding the correct variable name to populate the alert description can sometimes be tricky. You can find some directions here: http://technet.microsoft.com/en-us/library/hh457540.aspx

8. Save the MP and import it in your Operations Manager environment.
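
A way to dry-run the expression from step 6 before importing the MP, as an added example that is not part of the original post: the PowerShell function below (Test-LogPattern is a hypothetical helper) applies a pipe-separated pattern to sample log lines and shows which ones would raise an alert. The patterns and log lines are constructed, and because the post does not say whether the rule's comparison is case-sensitive, both modes are shown.

```powershell
# Added example: dry-run a text log rule pattern against sample lines.
# Patterns and log lines are constructed for illustration.

function Test-LogPattern {
    param(
        [string[]]$Line,
        [string]$Pattern,
        [switch]$CaseSensitive
    )
    foreach ($entry in $Line) {
        # Each $entry stands in for what the rule receives in Params/Param[1].
        if ($CaseSensitive) { $hit = $entry -cmatch $Pattern }
        else                { $hit = $entry -match  $Pattern }

        $matched = $null
        if ($hit) { $matched = $Matches[0] }   # text that triggered the match

        New-Object PSObject -Property @{
            Alert   = $hit
            Matched = $matched
            Line    = $entry
        }
    }
}

# Constructed sample log lines.
$sampleLines = @(
    '2013-02-11 10:15:01 INFO  Service started',
    '2013-02-11 10:15:07 ERROR Database connection lost',
    '2013-02-11 10:15:09 INFO  Retry complete, errors=0',
    '2013-02-11 10:16:42 WARN  Access denied for user svc_app',
    '2013-02-11 10:17:00 FATAL Out of memory'
)

$loose = 'ERROR|FATAL|Access denied'              # plain alternation with the pipe symbol
$tight = '\b(ERROR|FATAL)\b|Access denied'        # whole words only

Write-Host 'Loose pattern, case-insensitive:'
Test-LogPattern -Line $sampleLines -Pattern $loose | Format-Table Alert, Matched, Line -AutoSize

Write-Host 'Loose pattern, case-sensitive:'
Test-LogPattern -Line $sampleLines -Pattern $loose -CaseSensitive | Format-Table Alert, Matched, Line -AutoSize

Write-Host 'Word-boundary pattern, case-insensitive:'
Test-LogPattern -Line $sampleLines -Pattern $tight | Format-Table Alert, Matched, Line -AutoSize
```

With the loose pattern in case-insensitive mode, the `errors=0` line is flagged even though it reports no error; the word-boundary pattern leaves it out while still catching the ERROR, FATAL and Access denied lines.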

In the next part I will look into using LogParser with a custom monitor.

Authoring, SCOM 2007 R2, SCOM 2012
