Problem
A customer wants to monitor a text log file for an event. There is also a correlated event that indicates a good state. An alert should be raised only if no correlating event has been written to the log file within an hour of the first event.
Discussion
My first thought was to create a scripted monitor to solve this. But after looking at the different log file monitor types that are available in the library, I realized that I could, with some effort, create my own customized log file monitoring to solve this problem. Since there will be a correlated event, it is possible to use a monitor instead of a rule.
Solution
Before starting with the MP, let’s take a look at an example. The MonitorType “System.ApplicationLog.GenericLog.MissingCorrelatedEventSingle2StateMonitorType” in the MP “System.ApplicationLog.Library” shows the pattern we need.
We will need “log readers” and filters for matching the events against an error string. To correlate the events we need a filter for that too:
- A “log reader” for the first matching event in the log file.
- A “log reader” for the correlated matching event in the log file that generates the Unhealthy state.
- A “log reader” for the event that takes the monitor back to the Healthy state.
- A filter for each of the “log readers”.
- A filter for correlation.
A reference to the MP “System.ApplicationLog.Library” is needed. In my example I’ll use the alias “AppLog”.
Start with creating a new empty MP fragment in your solution.
Set an ID for the MonitorType and the states for the monitor. I’ll use a two-state.
Set the parameters used under the Configuration tag. Also set which parameters should be overridable.
Add all member modules. All modules, except for the correlating filter, are built-in.
Set the run order of the modules. In my example I will not use On Demand detection, just Regular.
Create the Display string.
Create a new fragment for module types and put the correlator there after taking a peek at the System.CorrelatorAutoMissingCondition module.
We need two modules in this correlator. One that handles the “correlator count” and one to filter the output.
In my example I’ll use a static threshold for the matching values. Hence, there should be an “item count” of one for the first event and null for the last one.
Set the modules to run in the right order.
The modules are set up. Now it is time to create the monitor. I’ll use the Unit Monitor template.
Fill in the Alert description. Populate with fitting alert parameters.
Next, set the Monitor configuration. Open the window and populate all in-parameters.
Set the monitor’s operational states.
After building the solution you are done.
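To make the correlation rule explicit before it is encoded in the MP XML, here is a small Python model of the two-state logic described above. It is added as an example for this page; it is not the posted Management Pack and not the System.ApplicationLog.Library modules. The log lines, timestamps and match patterns are constructed; the one-hour window comes from the problem statement; the choice to track a single armed timer (so that extra first events while the timer is armed do not reset it) is an assumption that mirrors the static item count of one used above. One caveat the model makes visible: a log file that simply stops being written must still time out, so the clock has to advance from a scheduler as well as from new lines, which is what the tick() call is for.

```python
"""Two-state "missing correlated event" monitor, modelled in Python.

Added example for this page: not the Management Pack from the post and not
the System.ApplicationLog.Library modules; it only reproduces the
correlation rule so the semantics can be checked before writing the XML.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HEALTHY, UNHEALTHY = "Healthy", "Unhealthy"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log (not from the original post).
SAMPLE_LOG = """\
2015-03-10 08:00:00 INFO  service started
2015-03-10 08:05:12 ERROR backup job 17 failed: disk full
2015-03-10 08:40:03 INFO  backup job 17 completed successfully
2015-03-10 10:15:44 ERROR backup job 18 failed: timeout
2015-03-10 12:00:00 INFO  heartbeat
2015-03-10 12:30:00 INFO  backup job 18 completed successfully
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


class MissingCorrelatedEventMonitor:
    """Unhealthy when a first event gets no correlated event within `window`."""

    def __init__(self, first_pattern: str, correlated_pattern: str,
                 window: timedelta) -> None:
        self.first = re.compile(first_pattern)
        self.correlated = re.compile(correlated_pattern)
        self.window = window
        self.state = HEALTHY
        # Single armed timer: mirrors the post's static item count of one
        # for the first event (assumption), so further first events while
        # the timer is armed neither extend nor reset it.
        self.deadline: Optional[datetime] = None
        self.pending_msg = ""
        self.transitions: List[Tuple[str, str, str]] = []

    def _expire(self, now: datetime) -> None:
        """Flip to Unhealthy if the armed deadline has passed."""
        if self.deadline is not None and now > self.deadline and self.state == HEALTHY:
            self.state = UNHEALTHY
            self.transitions.append(
                (UNHEALTHY, self.deadline.strftime(TS_FORMAT), self.pending_msg))

    def feed(self, ts: datetime, msg: str) -> None:
        """Process one log line; timeouts are checked as the clock advances."""
        self._expire(ts)
        if self.correlated.search(msg):
            self.deadline = None               # correlated event seen: disarm
            if self.state == UNHEALTHY:
                self.state = HEALTHY           # and recover if we had alerted
                self.transitions.append((HEALTHY, ts.strftime(TS_FORMAT), msg))
        elif self.first.search(msg) and self.deadline is None:
            self.deadline = ts + self.window   # first event arms the timer
            self.pending_msg = msg

    def tick(self, now: datetime) -> None:
        """A silent log file must still time out; call this from a scheduler."""
        self._expire(now)


def run(log_text: str, first_pattern: str, correlated_pattern: str,
        window_hours: float = 1.0, now: Optional[str] = None):
    """Replay a log and return (final state, list of state transitions)."""
    mon = MissingCorrelatedEventMonitor(
        first_pattern, correlated_pattern, timedelta(hours=window_hours))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # tolerate lines without a timestamp
        mon.feed(datetime.strptime(m.group(1), TS_FORMAT), m.group(2))
    if now is not None:
        mon.tick(datetime.strptime(now, TS_FORMAT))
    return mon.state, mon.transitions


if __name__ == "__main__":
    final_state, changes = run(SAMPLE_LOG,
                               r"ERROR backup job \d+ failed",
                               r"backup job \d+ completed successfully")
    print(final_state)
    for change in changes:
        print(*change)
```

Replaying the sample log, job 17 recovers inside the hour and produces no alert, job 18 times out at 11:15:44 (the monitor only notices when the clock next advances, here on the heartbeat line), and the late completion at 12:30 takes the monitor back to Healthy. The same two transitions are what the Unit Monitor’s operational states have to map onto.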
The unsealed Management Pack can be found here.
Note, this Management Pack is developed for a lab/test environment only.