Monitor multiple events in a logfile within X minutes

This is a example how you can configure a monitor to generate an alert if a log file contains a word more then X times during Y minutes. In the following example I have configure a monitor to generate a critical alert if the logfile contains “error” more then four times during a minute. The following example look in any file named logfile*.log in the C:\logfiles folder. It the application writes a “success” to the logfile, the monitor will be reset back to healthy.

1. Go to the Authoring workspace and create a new monitor, Log Files/Text Log/Repeated Event Detection/Event Reset

2. General
Name: Contoso – Logfile – Repeated Event w event reset
Monitor Target: for example Windows Server 2008 Computer (more about targeting here and here)
…next

3. Single Generic Log
Directory: C:\logfiles
Pattern: logfile*.log
…next

4. Single Event Expression
Parameter Name: Params/Param[1]
Operator: Contains
Value: success
…next

5. Repeated Generic Log
Directory: C:\logfiles
Pattern: logfile*.log
…next

6. Repeated Event Expression
Parameter Name: Params/Param[1]
Operator: Contains
Value: error
…next

7. Repeated Event Description
Counting mode: Trigger on count
Compare Count: 4
Based on items occurrence within a time interval: 1 Minutes
…next

 

8. Health
Event Raised: Healthy
Repeated Event Raised: Critical
…next

9. Alerting
Check “Generate alerts for this monitor”
Input a suitable alert description, also try include a couple of the data parameters
…create

If any file named logfile*.log in the C:\logfiles folder now writes four “error” within one minute an critical alert will generated. Then, if a “success” is any file the monitor will be set back to healthy state. Step 3 and 4 configure the event that will set the monitor back to healthy.

(click on a picture twice to enlarge it)

About

Microsoft

11 thoughts on “Monitor multiple events in a logfile within X minutes

  1. Hi, if you search my blog for logfile and script you will find a number of different examples where I use scripts to monitor logfiles. I think one of them can help you, to monitor for expected error in the log.

  2. Hi,thanks for the post. it’s similar to what I am working on,can you advise what I can do ? I am going to monitor a few log files, it suppose to have one line added into the log — “Agent will be halted until the synchronization interval of 1 minute(s) is over” every 3 to 5 minutes. If there is no such a thing within a period a 10 minutes, I need SCOM2012 to generate an alert. Can this be done following your way? Thanks! KF

  3. dear Anders Bengtsson
    i need an alert in my monitor on the log file (*.dat file) and that alert will sent by an email to an a group of users (mailing list)

    at the scom console , how i creating the audit (monitor) for only specific log file of one of my computer on my domain. if you can sent me the answer to my email

    thank you very much
    and if can help mw again i will very appreciat it

    thank you also
    for the last comment of yours

  4. i need some help if i create this monitor who i make the monitor tracking on specific file on an spicific computer on my network.
    the problem is how i track a line in some dat file in one of my computer in the domain
    and sent it to an employ by email?

  5. Tnx for response,

    Ok , so OID is in general the object that we look for in rule/monitor, I configured couple of SNMP monitors where I used OIDs for recognizing the specific SNMP massages.
    I have particular problem with alert generting rule (generic text log).
    I’m looking for exact word (Error).
    Configuration is:

    Parameter Name: Params/Param[1]
    Operator: Contains
    Value: Error

    The problem is that alert is also generated for word Errors, what I don’t want.
    I also tried Operator : Matches Wild card, that didn’t work.

    Sorry for bothering you with my problems but like I said there is no good material to read on that subject. If you know one please tell me, and I won’t bother you any more:-)

    Regards,
    LL

  6. Hi,

    Can you please explain me how did you get to the Parameter Params/Param[1]?
    That is great mystery to me and I’m unable to find good reading on that subject.

    Thanks in advance.

    Regardds,
    LL

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.