Using a Generic Text Log rule to monitor an ASCII text file – even when the file is a UNC path
Comments
Anonymous
October 07, 2016
Dear Kevin, I need your help with another issue related to network discovery. Network monitoring discovered multiple entries of the same device IP. For example, it discovers 3 entries of IP 172.29.55.23. So how can we restrict this?
Anonymous
January 01, 2003
Please post more details from the events you are getting - I don't know what those event IDs are.
Anonymous
January 01, 2003
No - in my example - I used an agent using Local System.... which is an "Authenticated User" and therefore had access to this share. This specific share had share permissions of Everyone-FullControl, and NTFS permissions of Everyone-Read. If your share or NTFS permissions are more strict - then make sure you grant the computer account of the agent access to both share and NTFS, or run the agent under a domain user account, which has access to the share/NTFS.
Anonymous
January 01, 2003
Yes and No. A rule/monitor workflow MUST target a class. Period. End of story. However - we have two options here:
- Target a generic class, like Windows Operating System - then disabled, then override as enabled for my one specific object. This is the example I used above.
- Create a new class, using WMI/Registry provider for example, and make only the one special computer I want to be a discovered instance of that class... then target that class (much more complicated)
Anonymous
January 01, 2003
<<<<3. Create a new class for your targets. You perceive this is difficult. It isn't - it is super simple and IS THE RIGHT way to target. It does require a bit more understanding of the product - but is easy.>>>> The article quoted is very good, but I'll need to read it a few more times to make complete sense of it. If there is to be a blog about this, can I request a Part 2.... If part 1 is Discovery, can part 2 be Reporting? Thx, John Bradshaw
Anonymous
June 20, 2009
Nice work. Quick question. Does the SCOM Agent on the Watcher node need to be running under a Network account?
Anonymous
July 16, 2009
Nice work. Just curious. Is it possible to set the Rule Target to a specific machine/server rather than a class of machines?
Anonymous
August 27, 2009
I got an error for the path "C:SummitCfAdapterPRODSummitCfAdapter-LOH-PRODlogSummitCfAdapterMaster.log" Error opening log file directory. Event IDs 31705, 31707. Please help.
Anonymous
August 27, 2009
I got an error for the path "C:SummitCfAdapterPRODSummitCfAdapter-LOH-PRODlogSummitCfAdapterMaster.log" Error opening log file directory. Event IDs 31705, 31707. Error description: "Error opening log file directory Directory = C:SummitCfAdapterPRODSummitCfAdapter-LOH-PRODlog Error: 0x80070003 Details: The system cannot find the path specified." But when I change the path to "C:SummitCfAdapterPROD" it works fine. Is it because of the "-" in the file path? I've tried enclosing the path in double and single quotes also, but got the error "The filename, directory name, or volume label syntax is incorrect."
Anonymous
August 27, 2009
Thanks Kevin for your quick reply. Don't know how, but it is working now. Not changed anything, just restarted the health service and it is working.
Anonymous
October 04, 2009
Thanks Kevin for the excellent example. I have a problem, as I followed exactly the steps you mentioned but it is not giving me any output. The path I tried 2 ways: \localhostd$product & d:product. The file name is company.log. Is there a way to find out if the rule is working or not? -VRKumar
Anonymous
December 17, 2009
Thanks for this example. I have created the same rule, and the alert appears only when the log file is created, not when the log file changes. Is this normal? If yes, is there a way to display an alert if a log file changes? Thank you for your response.
Anonymous
January 21, 2010
I have been trying to find an example to collect events from a w3svc log file. In MOM 2005 you would select the IIS Application log provider, but I can't find the equivalent in SCOM. I am aware that SCOM has the ability via the system.ApplicationLog.InternetLogEntryData library data type to read w3svc files, but I'm not sure how to create a rule using this. Any suggestions appreciated. Phil
Anonymous
January 27, 2010
I don't allow the disable and override process; we do script-based discovery using the filesystem object. I believe authormp.com had a tutorial on this, complete with examples.
Anonymous
January 28, 2010
Thanks for the info (Link in #3 above -> checking it out right now)! Does having "a laundry list of disabled monitors showing up in Health Explorer" cause any problems anyone knows about (or, in theory could cause issues if taken to the extreme)? I ask this because some vendor packs we've loaded do this...
Anonymous
April 14, 2010
Hi, This post is really useful. However, I am planning to use SCOM to monitor any changes in our DHCP leased file. Meaning I have to constantly log the IPs that are leased out, and when a new IP is being leased out, I will log the new IP. Any idea how I can do that? This rule basically alerts on a parameter being detected, so basically, I need to change the alerting from detecting a parameter to detecting a change in the parameter and logging it. Thanks.
Anonymous
April 14, 2010
Has a solution been found for using Params/Param[1] for alert suppression when the string included a timestamp at the beginning?
Anonymous
November 15, 2010
I'm trying to monitor a log file which is on a NAS share. The SCOM action account has read-only permissions on the log file, but the agent is not able to read that file as it runs on local system. Shouldn't the "run as" option work over here when the SCOM infrastructure has been configured to make use of the SCOM action account as a "run as" account for all the SCOM agents? Is there any way that the log file can be monitored with restricted permissions? Do I need to use the set action account utility on the agent? Adhok
Anonymous
January 24, 2013
Hello Kevin, I got below error in event viewer Error opening log file directory Directory = “D:Program Files (x86)Quest SoftwareQCVDSR6.0.3confsMRO-389logs" Error: 0x8007007b Details: The filename, directory name, or volume label syntax is incorrect. One or more workflows were affected by this. Workflow name: UIGeneratedMonitor642fcc2492734d1bbcf373a7b64785f1 Instance name: Microsoft Windows Server 2008 R2 Enterprise Instance ID: {18469874-BBD2-A085-0744-9EC5DC7B2D5A}
Anonymous
January 24, 2013
Another piece of information: my log file name would be operation_dumper.log-yyyymmdd.log, so in the pattern I gave operation_dumper.log.* and I am getting the same 31705 error in Event Viewer.
Anonymous
January 31, 2013
My requirement for log file monitoring:
Log file location: D:Program files (x86)company namelogs
Log file name: verigy_name.log.yyyymmdd.log
I've created a log file monitor with the directory in double quotes due to the space in program files: "D:Program files (x86)company namelogs"
Pattern: verigy_name.log.*.log
I created overrides for specific servers, but I didn't receive any alert and got the error in Event Viewer with event ID 31705: error opening log file directory, the file name, volume label name syntax is incorrect. Please help me to fix this.
Anonymous
January 22, 2014
I have followed your instructions and created a rule, but if I select ConfigMgr Pri Site Server as the target the rule doesn't work. Can you please help me to make it work?
Anonymous
February 28, 2014
Hi,
Can anyone give information about params/param[1]?
Anonymous
July 14, 2014
Hello Kevin,
I would just like to know if you have ever tried to monitor text log files on different server locations?
Ex. The requirement is to monitor the path D:SampleTestlog.txt.
This path is present on 100+ servers and should be monitored by an MP. And I know it's very illogical to create 100+ rules just to point to 100+ different server locations.
Hope you could help me. Thanks in advance!
Anonymous
October 12, 2014
In this post I'll talk about IIS log file monitoring. Log file monitoring and event collections rules
Anonymous
February 16, 2016
Is it possible to modify the log file rule with respect to time, so that unnecessary alerts could be minimised?
Anonymous
April 11, 2017
Hi Kevin, is there any way of disabling alerting for a particular type of error logs, while for the rest of the error logs we get alerts?
Anonymous
April 11, 2017
Hi Kevin, we need to monitor error logs for a particular log file, and we need to exclude certain error logs from getting monitored. How can we exclude those logs from getting monitored?