DX Unified Infrastructure Management

  • 1.  logmon - Check for string not present in last 10 minutes

    Posted Apr 07, 2011 10:04 PM

    I need to set up a log monitor that checks for a string that is current. The string gets appended to the log file every 30 seconds. If that string is not present in the log file for the past 10 minutes, an alert needs to be generated. I know how to do this with a custom Perl script, but I would rather use the logmon probe if possible. Does anyone know if this is possible?



  • 2.  Re: logmon - Check for string not present in last 10 minutes
    Best Answer

    Posted Apr 07, 2011 10:20 PM

    Sure, there is an option when you create a watcher rule to tell the probe that you expect the rule to be matched on each check. Then it will generate an alarm if the line is not present, which is the opposite of what it normally does with watcher rules.



  • 3.  Re: logmon - Check for string not present in last 10 minutes

    Posted Apr 07, 2011 10:42 PM

    That makes sense now. I can have it send an alarm when it doesn't find a match. Then I can have the nas escalate the alarm after 10 minutes. Thanks!



  • 4.  Re: logmon - Check for string not present in last 10 minutes

    Posted Jul 20, 2012 11:08 PM

    I'm assuming you are referring to the "Match on every run" option on the Advanced tab of the Watcher Rule. I'm having a tough time getting this to work as I would hope it would.

     

    The problem I'm running into is that I have the Profile set to mode "full_time".  So, I only want the watcher rules evaluated when the timestamp on the file changes.  The problem I'm seeing is that when I have the "Match on every run" option checked, even if the file has not been changed, I still automatically get the alarm on no match at the check interval.  This seems quite silly.

     

    I don't know if I'm using it incorrectly or what, but it seems to me that when I select that option, it will literally send an alarm every time there is a check interval regardless of what I have for a match expression (even if the phrase I'm searching for actually exists in the file), or even if the file itself was updated.

     

    Sounds like the "Match on every run" does exactly that.  Just matches regardless.

     

    =====================

    UPDATE

     

    So, I did some more testing with this, and it is not that it is sending the "Match on every run" EVERY time, but if the setting is "full_time" or something that is looking for the contents or timestamp on the file to change in order to evaluate, it will send the alarm on no match if it does not evaluate the file (so, it doesn't see the expected match expression).  Maybe there is a good reason for this behavior, but this doesn't seem to be especially helpful to me...

     

    Karen