

SCOM: How to monitor new line entries in a log or text file using OpsMgr 2007

This was originally posted on the SCCM and OpsMgr Arabic blog.  If you ever have the need to monitor a text or log file for new entries then this should do the trick.

 

You may want an alert generated for any new entry in a log/text file, no matter what the entry is. Usually we want an alert only when a particular word or expression is logged, but in this post I will shed light on monitoring a log file and generating an alert whenever any new entry is logged in it.

  • Open OpsMgr Console and go to Authoring—> Management Pack Objects—> Rules
  • Click on “Scope“ button in the tool bar to narrow down our selection.
  • I assume the file is located on a windows computer, so we will search for “Windows Computer”
  • Select Windows Computer and then click OK


  • Right click on rules and select “Create a new rule”
  • Expand Alert Generating Rules—>Event Based—>Generic Text Log(Alert)


  • In this window, click New to create a new management pack in which to save the rule. In my case I have created a management pack called “TestRuleMP”
  • In the next screen, give a meaningful name to this rule.
  • The Rule Target should be Windows Computer
  • Make sure to uncheck the option “Rule is enabled” before you proceed


  • In the next screen, provide the pattern of the file. If the file name is fixed and does not change every time the file is created, you may give the exact name of the log, such as LogName.txt. If the log file name changes every time it is created (LogFileName01, LogFileName02, etc.), you may enter the log file name as LogFileName*.txt. Then click Next


  • Now it is time to set your event expression to generate the alert.
  • Click Insert so a new line will be added.
  • In the parameter name write: Params/Param[1]
  • In the operator select “Match wildcard”
  • In the value put “ ? ” – without quotes


  • Configure the alert as follows:

A new Entry was detected in the c:\log\bader.log

Logfile Directory : $Data/EventData/DataItem/LogFileDirectory$ Logfile name: $Data/EventData/DataItem/LogFileName$ String: $Data/EventData/DataItem/Params/Param[1]$


  • Once you are done editing the alert, click Create.
  • We have not enabled the rule yet, so we need to override the rule and enable it only for the specific computer on which the log is located


  • To reproduce the alert, I opened the log file, typed a new line in it and saved the changes.


  • Now the alert is generated


Notice that the alert description includes the new entry that was logged in the log file.
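A dry run of the inputs the rule above depends on, as an added example that is not part of the original post: it checks that the log directory resolves, lists the files the pattern selects, and prints entries appended after a baseline in the same layout as the alert description. The function names, the temporary path and the sample lines are constructed, and PowerShell's `-like` wildcard is assumed to be a close stand-in for the rule's file pattern matching.

```powershell
# Added example, not from the original post. Paths and sample lines are constructed.
function Get-MatchingLog {
    param([string]$Directory, [string]$Pattern)
    # Fail early if the directory does not resolve on this computer.
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        throw "Log directory not found: $Directory"
    }
    # -like is PowerShell's wildcard match; treated here as a stand-in for the rule's pattern.
    Get-ChildItem -LiteralPath $Directory |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like $Pattern }
}

function Get-NewLogEntry {
    param([string]$Path, [long]$Offset = 0)
    # Open with ReadWrite sharing so the application writing the log is not blocked.
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        [void]$fs.Seek($Offset, [System.IO.SeekOrigin]::Begin)
        $reader = New-Object System.IO.StreamReader($fs)
        while ($null -ne ($line = $reader.ReadLine())) {
            if ($line.Length -eq 0) { continue }   # assumption: blank lines are not entries
            New-Object PSObject -Property @{
                LogFileDirectory = Split-Path -Parent $Path
                LogFileName      = Split-Path -Leaf $Path
                Param1           = $line
            }
        }
    } finally { $fs.Close() }
}

# Constructed sample: one existing line, then one new entry after the baseline.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'scom-rule-dryrun'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$log = Join-Path $dir 'LogFileName01.txt'
Set-Content -LiteralPath $log -Value 'existing line'
$offset = (Get-Item -LiteralPath $log).Length   # entries before this byte offset are ignored
Add-Content -LiteralPath $log -Value 'constructed test entry'

Get-MatchingLog -Directory $dir -Pattern 'LogFileName*.txt' | ForEach-Object {
    Get-NewLogEntry -Path $_.FullName -Offset $offset | ForEach-Object {
        "Logfile Directory : $($_.LogFileDirectory) Logfile name: $($_.LogFileName) String: $($_.Param1)"
    }
}
```

Pointing `-Directory` and `-Pattern` at the real log location on the target computer before enabling the override shows whether the directory resolves and which files the pattern selects.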

## Comments

  • Anonymous
    January 01, 2003
    I'm not getting the description... I'm getting 3 "alert parameter replacement failure" alerts, and my actual alert from the event log has Logfile Directory : Logfile name: String:

  • Anonymous
    March 21, 2011
    How to get more lines than one? Let's say 10 at least. Thanks in advance.

  • Anonymous
    July 18, 2011
    The comment has been removed

  • Anonymous
    January 28, 2013
    Hello, I configured the steps as above but I received an error in the server’s event log with event id:31705, “error Opening the log file directory” Error opening log file directory Directory = “D:Program Files (x86)Quest SoftwareQCVDSR6.0.3confslogs” Error: 0x8007007b Details: The filename, directory name, or volume label syntax is incorrect. Log file name is “operation_dumper.log.yyyymmdd……. Every day the new file will be created with the date, month and year. I configured the pattern as operation_dumper.log.????????