logmon (Log Monitoring)

The following questions will help you understand the Log Monitoring (logmon) probe and how it works.
The following questions will help you understand the Log Monitoring (logmon) probe and how it works.
What does the logmon probe monitor
The probe monitors the following items:
    Log files:
     The files are monitored at defined time intervals for new entries.
    Content of HTML web pages:
     You can use the URL Endpoint Response Monitoring (url_response) probe with the logmon probe to monitor the text in a web page.
    Text output 
    after executing specified commands For example, you can execute the following command to generate alarms when the packet loss is more than 50 percent:
    ping <IP Address>
    Text Messages
     in CA UIM queues
    Example: you can define a custom queue, such as Queue1, on a CA UIM hub. The queue is configured to read all messages where the message subject is SMS-IN. You can specify the queue name in the monitoring profile to scan messages in the 
     queue. You can then generate alarms on identifying any unexpected text.
     EBCDIC files (on AS400/iSeries) and ASCII-based system and application log files (on other platforms)
The probe searches the specified targets and matches text against string patterns or regular expressions. The probe generates alarms when the log file content matches the defined expression.
Why do I use logmon probe
The logmon probe allows you to monitor multiple log files and assists you as follows:
  • Automatically informs about error situations immediately after they have occurred.
  • Filters out the log-file entries that need manual action. You can set up profiles to generate alarms only for important messages defines in the files.
  • Allows you to specify enhanced alarm messages by modifying the original message text. This allows you to locate and resolve issues with greater ease.
Log files from multiple sources have different layouts. Some examples are as follows:
  • Line oriented, single-line files such as UNIX system log files (/usr/adm/messages)
  • Record oriented, multiple-line files such as logs generated by Oracle products. To extract information from a record-oriented log-file, the probe needs to determine the location where a block starts and ends. This may be specified using string matching rules and/or a line counter. A typical scenario is to have a set of format rules with watchers when using monitoring record-oriented log-files. For more information, see 
    Format rules
    How does the probe collect data
The probe monitors both type of log files, line by line or based on the defined format, for new entries at configurable intervals and tracks the position within the file between each run. This ensures that only the probe generates only one alarm for each log entry. A single instance of the probe can monitor multiple log files simultaneously, each with individual monitoring parameters. Within each file, logmon can also identify occurrences of multiple  types of entries with different alarm messages for each entry. The alarms can include both text from the original log file entry and user defined text.
How does the probe collect data
The probe allows you to create profiles with the following information:
  • Which file to monitor?
  • How to monitor it?
  • What to look for?
  • How to report it?
The profiles monitors information using a combination of three types of rules which are processed in the following order:
    Format rules
     identify the required text in a record-oriented (multiple lines) log file. The probe limits its search within specified expressions using format rules. For example, you can specify the probe to only look for the text in the four sentences after Ping statistics in a ping response.
    Exclude rules
     define the lines with a matching expression that you can exclude from monitoring. For example, you can exclude the individual replies of each packet in a ping response. 
     rules define the conditions to monitor the text. The probe searches for the required string in the text using the watcher rule. For example, you can look for the packet statistics of a ping response message. You can define multiple watcher definitions to extract different messages from the log-file or specify different criteria for the same message. You can also define variables that allow you the following options:
    • Extract only a part of the message.
    • Define positioning criteria (such as column or character position) to extract variables values.
    • Identify messages within a block of lines, and restrict the watcher rule to the active formatting definition.
The probe skips steps 1 or 2 if format or exclude rules are not applicable.
How does the probe display data on USM
The probe does not publish attributes of monitored entities. The probe publishes QoS and alarm messages with the default host. You can customize the following properties:
  • Alarm messages: subject, text, severity, subsystem ID, suppression key, and source
  • QoS messages: target of QoS on custom variables
The following diagram shows how the probe monitors the text and displays monitoring information on the Unified Service Management (USM):
logmon Architecture
logmon Architecture
  1. The probe monitors the text using profiles that access information from the following methods:
       file operations such as fopen, fgets, fclose, and fseek
       CLIs such as CreateProcess (Windows) and fork (UNIX)
       using the url_response probe
       using CA UIM callbacks
  2. Define format, exclude, and watcher rules.
  3. The probe monitors the defined thresholds and QoS.
  4. The 
     probe stores this data in the UIM database.
  5. The USM gathers performance data from the database to display it.
  6. The discovery server identifies the host where the data is displayed in USM.