The Log Monitoring (logmon) probe scans ASCII-based systems and application log files by matching specified expressions. Alarms are generated when the log file content matches the defined expression.
The probe monitors the following items:
(record-oriented) log files
Content of HTML web pages:
You can use the URL Endpoint Response Monitoring (url_response) probe with the logmon probe to monitor the text in a web page.
after executing specified commands
in CA UIM queues
from remote shared folders
The probe also extracts and stores metric data from the matched log file entry in the QoS database.
This section describes the history of the revisions for logmon probe.
Support case(s) may not be viewable to all customers.
Fixed an issue where the variable WATCHERMATCHEDLINE did not work as expected.
Support case: 01259593
Updated the logmon MCS (version 2.02 onwards) as part of addressing the common vulnerabilities and exposures by updating the jackson-databind libraries. For more information and CVE numbers, see Addressing Jackson Vulnerabilities
Updated this probe as part of removing dependency on the end-of-life (EOL) Microsoft Visual C++ Redistributables in CA UIM 9.0.2. CA UIM 9.0.2 now uses Microsoft Visual C++ Redistributable for Visual Studio 2017.
(December 2018) Added support for monitoring Amazon Linux 2.
(February 2019) Added support for monitoring Windows 2019.
(April 2018 - Beta) New MCS template with enhanced profiles that enable you to configure metrics, baselines, alarm thresholds, alarms - including Time Over Threshold alarms - and custom alarm and close alarm messages, all within a single MCS profile. For more information, see Configuring Alarm Thresholds in MCS
(June 2018) Added support for monitoring Windows 10 (x64).
(June 2018) New MCS template (logmon_mcs_template 4.0) with enhanced profiles that enable you to configure metrics, baselines, alarm thresholds, alarms - including Time Over Threshold alarms - and custom alarm and close alarm messages, all within a single MCS profile. For more information, see Configuring Alarm Thresholds in MCS
(July 2018) Added support for monitoring RHEL 7.4 x86 and x86 64-bit, and zLinux 64-bit.
(September 2018) Added support for monitoring Ubuntu 18.04. Apply robot 7.93HF10 for this support.
Support Case: 01184423
The probe started reading the log file from the beginning after the probe was restarted.
Salesforce Case: 00802824
The probe failed to start when upgrading to version 3.91 on some Linux systems.
Salesforce Case: 00873778
The probe was running out of available threads when the threads were not terminating properly and were aborted after some time.
The probe was saving a variable created using MCS template with ‘Ignore “To”’ configuration as ‘To End of Line’.
Salesforce Case: 00668211
The probe version 3.91 failed to start on some Linux systems.
Salesforce Case: 00920811
Introduced the Variable Exceed Alarm, which generates alerts when the variables exceed the operator value.
The probe was creating core dumps.
Salesforce case: 00606262
The probe was not working on the SunOS 5.10 Generic_125101-04 i86pc operating system.
Salesforce case: 00712559
The field Send clear alarm was not available for MCS Profile Type Monitoring of the probe.
Salesforce case: 00764177
The user was not able to configure variables using MCS Profile Type Monitoring.
Salesforce case: 00668211
The 50-character limit on the Run Command On Match parameter in MCS Profile Type Monitoring affected the parameter list defined for a probe watcher. The parameter can now accept 1024 characters.
Salesforce case: 00840150
Added support to test profiles using regular expressions in file path.
Support case number 658483
Added support for internationalization on AIX 64 Bit and HP-UX IA 64-Bit platforms.
The probe did not convert values in non-English locales to decimal values in QoS messages.
Support case number 505302
The probe was unable to monitor URLs with the % symbol. The probe incorrectly expanded the % symbol in URL profiles as time formatting primitives.
Support case number 643969
This version of the probe does not support FIPS encryption.
(IM Interface only)
Added support for:
AES-128 encryption that is required for FIPS compliance
Monitor Windows systems where FIPS encryption is enabled. Before you deploy the probe version 3.80 on your IM, you must enable the FIPS encryption
on the system where the probe is deployed.
In a FIPS encryption enabled environment, you cannot configure the probe from Admin Console (AC) interface.
For the AS/400 systems, the probe was unable to search a text using the regular expression.
Support case number 00601757
In a pure IPv6 environment, the probe was unable to generate alarms and QoS for the log files that were read from the HP-UX system.
Test Command mode profiles from the Probe Utility interface.
Added alarm message and severity options for pattern match thresholds.
Configure missing file and clear alarms for individual profiles.
Use positive lookahead regular expression in the end expression of a format rule.
(On iSeries platform)
The probe did not monitor a .mbr file in the EBCDIC format.
Support case number 521534
(On HP-UX platform)
The probe did not display correct exit codes as SHELL and PATH variables were missing in the environment.
Support case number 512468
(For Windows and UNIX platforms)
Updated the probe documentation about using % as a variable in a filename or a command.
Support case number 477760
Added support to monitor log files that are greater than 2 GB. We recommend that you monitor only the updates to large files. Monitoring large files from start can increase the CPU usage.
The probe does not support monitoring of log files that are greater than 2 GB on 32-bit UNIX systems.
Added support to use multiple strings in regular expressions using UTF-8 encoded pattern files.
The probe was unable to read UTF-8 files with special characters.
Support case number 357073
The probe was unable to read some files on AIX platform.
Support case numbers 00284131, 00290605.
The CPU utilization of the probe was high when monitoring URLs in UTF-8 encoding.
Support case number 00275815
When running on Japanese system, the probe generated illegible alarms when the system encoding was selected as UTF-8
Support case number 00272866
Updated the IM Configuration article to state that the probe does not support commands (such as Telnet) that require two-way communication between the user and the system.
Support case number 00268926.
Added a recommendation in the IM Configuration article about not including regular expressions while using the
Enable File Missing/Open Alarm
option to clear the missing file alarm.
Support case number 00308935
The probe did not correctly convert variable characters to defined file encoding in URL mode.
Support case number 00245330
The probe did not support white spaces in paths for batch files. Batch files include commands that can be monitored.
Support case numbers 00270650, 00246042
Added support for IBM iSeries version V7R2.
The probe was unable to read UTF-16LE files.
The probe was crashing with exit code functionality.
Salesforce case 00169505
The probe was unable to retrieve complete command output in the command mode.
Salesforce case 00169863
Updated document regarding localization support.
Updated the document regarding alarms in the url mode.
Salesforce case 00163388
The probe restarts when a variable was added to the sub-system id.
Salesforce cases 00170003, 00169384, 00167502, 00168440, 00168601, 00166738, 00168537
Upgraded support for factory templates.
Removed localization support on AIX platform.
Fixed an issue in which the probe was unable to detect “File encoding” when “File encoding” was selected from GUI.
Salesforce case 00167536
Upgraded OpenSSL to version 1.0.0m.
The probe can now generate alarms only on the first match of regular expression (defined in Watcher Rule), in a specified interval.
The regular expressions were not working with the defined threshold.
00156818, 00159939, 00158632
The probe was not generating correct exit code on Windows, Unix, Linux, Solaris, and AIX.
Exit code variables were not expanding on USM.
Improved CPU usage of the probe.
The probe can now be migrated to standard static alarm thresholds using the threshold_migrator probe.
Added support for factory templates
Entries for the QoS variable having multiple targets were getting overlapped on the USM.
No Exit code alarm was generated on Windows OS in case command was not found.
View option in the GUI did not show updated file content.
Probe stopped working when the number of characters in the match expression is greater than 1020.
No alarms were generated when the threshold applied on a watcher variable was breached.
The probe did not identify the UTF-16 log files.
Salesforce case: 00139268
Added a timeout option for the Command mode profiles to kill the command process and all its child processes after a defined time limit.
Added the localization support for AIX 64-bit operating systems.
Fixed a defect where the probe is reading the log file always from beginning when running in update mode. This issue occurred when the probe reads some unprintable characters.
Salesforce case 00136466
Fixed a defect where the probe was writing text Debug to the log file when the log level is zero.
Fixed a defect where the probe was not identifying the PCRE space characters (/s) in a regular expression. This issue was also causing the probe crash on Linux and Solaris operating systems.
Added a Timeout option to kill an executing script.
Fixed a defect where the -R option, which makes the monitoring start from the end of the file, was not working.
Fixed a defect where the probe was not starting due to dependency on ICU library files.
Added the localization support for Simplified Chinese, Japanese, Korean, Spanish, German, French, Italian, and B-Portuguese languages from VB and Admin Console GUI. For localization support through Admin Console GUI probe must run with CA UIM 7.6 or later version and PPM 2.34 or later version.
Added the support for zLinux environment.
Updated the probe VB GUI and Web GUI for configuring the format interval and for specifying the character encoding in different locales.
Do not use the Raw Configure GUI for updating the probe configuration in the non-English locales because it can corrupt the entire probe configuration file.
Enhanced the probe for making file missing/open alerts user-configurable with its clear alarms on probe restart.
Fixed the probe functionality issue when both the abort on match and the match on every run options are selected together.
Enhanced the Format Rule feature for making it functional across check intervals. The number of intervals is user-configurable.
Implemented a new alarm when the log file is missing or not readable.
Fixed an issue for not over writing the alarm subject.
Fixed issue that is related to Invalid entries in callback crashes probe.
Fixed issue that is related to Probe PID changing.
Fixed issue that is related to locale.
The probe is now available in Admin Console GUI.
Fixed issue that is related to logmon send empty QoS.
Fixed issue where Text profiles returns "0" instead of matching string as it used to.
Fixed memory leak issue on Windows, Linux, and AIX machines.
GUI changes in probe to display Japanese characters correctly.
Alarm display in Japanese character in IM alarm sub console and UMP alarm sub console.
Regular Expression in Japanese.
View File having Japanese character correctly.
Open file with Japanese character in file name.
Fixed a defect when probe contains more than one watcher and format rules
Fixed crash issue on Linux.
Added fix for variable expanding in message string.
Added option to override alarm severity for max alarm message.
Added fix to clear max alarm only if error condition is returned to normal.
Added fix to support abort on match functionality in URL mode.
Added support for exit code monitoring when mode is set as command.
Extended format rule limitation to 200 lines.
Added support to refer entire text block as a variable.
Fix Issue with QoS generation in test profile through GUI.
GUI fix: Test profile screen opens even if the watcher contains a numeric name.
The help button will display online help instead of CHM
Fixed localization issue in SOC
Added fixes for web-based Service Oriented Configuration.
Support for reading alarm tokens from cfg.
Added support for Web-based Service Oriented Configuration (SOC).
Added fix to read a new file from beginning for the first time when "Updates" mode is selected and "Match on every run" option is enabled. For example, when files are monitored based on time/day using %m,%M and so on.
Added support for wildcard characters in file-name.
Added support to configure severity and message for "Match on every run" option per watcher.
Added Support for internationalization.
Fixed the crash due to stack overflow.
Fixed a problem with variables, when using with format definitions.
Made changes to libraries with respect to configuration locking.
Added NIS (TNT2) Support.
Fixed the suppression key problem that was introduced in version 2.82.
Windows: Converted Command executable to short path name.
Fixed interaction between logmon and url_response probes
Fixed problem with large suppression keys in max alarms alarm situation.
Enabled Source override for max alarm situation.
Improved url_response probe interaction.
Fixed File browsing issue for AS/400 environment.
Added a feature to test a profile or individual watchers within a profile for regular expression.
Added a fix to set proper timeout.
Fixed issue in underlying library where the probe would fail to find the correct file location when the file had been both truncated and appended to.
Added a fix for monitoring files on non-domain machines in windows.
Added support for Linux systems with glibc 2.2.
Monitoring of files using UNC path is now possible on Windows only.
Suppressing logic to avoid sending excessive alarms.
Fixed the issue of message variables not getting filled properly.
Message variable expansion fixed when match on every run is selected.
When both QoS and Alarm are selected for a profile only Variable QoS or number of matches (if selected) are sent.
Modified layout of QoS tab for Watchers in the GUI.
Modified thread pool behavior to avoid timing problems.
Added logging to show when a thread has been started.
Retry after 5 seconds if a thread is not available (was 60 seconds).
Fixed log file preview function to enable viewing the last section of large log files.
Removed numeric input checking on variable 'limit'.
Fixed configurator failure on creation of new QoS from watcher.
Disabled 'View' button for mode 'command'.
Fixed error situations in file browser.
Added support for Windows on Itanium 2 systems (IA64).
Rebuild following NimBUS library fixes.
Modified pt-lib call to be able to detect log file changes when the file date was unchanged.
Fix problem assigning variable from regex which contains only one character.
Fix problem expanding date primitives in path. Fix problem with last line in a multi-line format rule being skipped.
Bring 2.5x into line with changes that are made in the 2.4x series.
Fix potential problem with parsing of variables from a matched line.
Added support for 64-bit Windows (x64).
For version 2.54 and higher of this probe, NimBUS Robot version 3.00 (or higher) is a prerequisite. You are advised to carefully read the document "Upgrading the NimBUS Robot" before installing/upgrading.
Fixed potential problem extracting variables from a matched line.
Added dynamic buffer allocation for suppression keys.
Corrected several minor issues with the configuration tool:
Advanced tab dimmed for url type profiles
Wrong tooltip for 'Send clear alarm'
-Move up/down changed active state and upper/lower case profile name problems.
Fixed a timing problem which could cause a line in the log file to be skipped by the next scan if it was written during the current scan of the file.
Does not post messages when not specified to do so.
QoS target defaults to profile.watcher when not specified.
Corrected parameter transfer on url View.
Modified handling of Exclude rules to minimize cpu usage when scanning files.
Allow wildcards in path names and file names.
Fixed memory leak when probe is restarted.
Fixed potential thread deadlock upon failure to save last_run time.
Fixed issue with file offset being stored incorrectly when probe is stopped/restarted.
UNIX: Fixed incorrect time display in logfile and potential heap corruption issues due to a non-threadsafe system call.
Increased size of buffers used to store profile and watcher names. Fixed memory leak when alarm message was over 1024 characters.
Fixes segmentation violation due to failed compilation of a RegEx. Log an error message when a RegEx fails to compile.
Added support for editing archived configurations.
Enhanced configuration tool resize.
Fixed problem with $FILENAME expansion.
Added support for referring environment variables.
Add advanced option "sendclear" to watchers. If set, it sends a clear alarm if the current watcher is as expected and the watcher has a suppression key set. This requires that the suppression key is unique enough that it cannot an alarm unexpectedly. Using a variable that is unique for each alarm situation in the suppression key is advised.
Apply changes to log level and log size after restart of the probe.
GUI: When copying a profile the excludes are also copied.
Store last run for profiles in logmon.dta so expansion of LASTRUN() is correct even after a restart.
Fix problem with Format rules not triggering.
Fix problem reading directories with / as path separator on windows systems.
Fix problem with abort on match flag. Fix problem with date expansion in filenames/commands.
GUI fix when trying to view contents of a web page
Library change (and platform list corrected)
Fixed problem where alarm flag would be reset to 'yes' on every restart.
Fixed potential hang situation where a thread would fail to release a lock.
Added support for URL authentication when windows authentication is used with a proxy configuration.
Probe has been re-written as a multi-threaded daemon.
Profiles are checked in a thread, allowing for higher throughput and configurable intervals for each profile.
A new mode 'url' is available, which fetches a web page through the url_response probe and performs checks on the page.
Variables in a watcher can be read from positions in the regular expression in addition to the fixed character or column specifications used prior to this release.
Variables can have a threshold set, where an alarm is sent only if the variable is outside the expected value.
Variables can generate Quality of Service (QoS) messages, either with their values (if numerical) or with the result of the check against an expected value (both numerical and strings).
A watcher is no longer bound to sending either Alarm, QoS or user defined messages. One or more types of message can be selected for each watcher.
Added ability to run a command when a watcher matches.
Fixed problem with using time formatting together with wildcards in filenames.
Extended timeout for getting 'queue' data.
Fixed crash caused by long log messages. Now long log messages will be cut after 1024 characters.
The introduction of wildcards caused the two modes of 'queue' and 'command' to not function any longer. The wildcard check is now only performed if the mode is set to scanning files, and for the modes of 'queue' and 'command' it is working as before wildcards was introduced. 'command' was also not showing up in dropdown list. This is fixed.
Added possibility to send number of matches per run as QoS.
Fixed core dump on True64 (long regexp).
Fixed GUI problem when minimizing/restoring window.
Fixed spelling error in GUI.
Changed name of ‘Checkpoint ID’ field to ‘Suppression key’.
Fixed missing subsystem ID when copying profiles.
Stripped off unnecessary text in $PROFILE variable.
Fixed problem with blank fields and tabs.
Added possibility of using wildcards in filenames.
Fixed blank variable problem.
Fixed problem with long matching lines.
Added FILENAME message variable.
Resolved problems with large amounts of new log-data arriving while scanning for updates on a log file.
The probe supports the following encoding files for various locales.
The probe versions 3.80 and earlier support internationalization only on Windows and Linux systems.
Chinese Simplified (GB18030)
Chinese Simplified (GB2312)
Chinese Traditional (Big5)
Western European (ISO)
Central European (ISO)
Central European (Windows)
Western European (Windows)
Do not use the Raw Configuration GUI when the probe is deployed in a non-English locale.
Threshold Configuration Migration
From logmon version 3.49, the threshold configurations can be migrated to standard static alarm thresholds using the threshold_migrator probe on CA UIM 8.2 or later. Refer the threshold_migrator
probe document for information about how to migrate a probe.
The changes in the probe after migration are:
The Infrastructure Manager (IM) GUI of the probe will not be available and the probe will only be configured using Admin Console (AC).
Probe specific alarm configurations in the probe monitors will be replaced by Static Alarm, Time To Threshold, and Time Over Threshold configurations.
The alarms will be sent by the
Any section of the probe with an applied policy will no longer be available for configuration through the probe. The policy must be removed to configure the probe using the Admin Console GUI.
The probe has the following preconfiguration requirements:
The probe requires at least one of the following components for monitoring:
ASCII-based log files
URL of the web page
Messages in the CA UIM Hub queues
probe for monitoring web page content.
: The probe does not support url_response mode on AIX platform. Thus, this mode must be disabled for both Admin Console and Infrastructure Manager.
Secure Hub & Robot (CA UIM 9 SP1 and above) - In a secure environment, if any probe that is installed on an independent secure robot tries to subscribe to queues in the related secure hub, the probe fails to attach to the queues. As a workaround, if the probes requires to read or publish to a hub queue, then deploy the probe on the primary hub robot. For more information, see Secure Hub and Robot
Probe Specific Hardware Requirements
The logmon probe should be installed on systems with the following minimum resources:
Memory: 2-4GB of RAM. The probe OOB configuration requires 256MB of RAM
CPU: 3GHz dual-core processor, 32-bit or 64-bit
Probe Specific Software Requirements
The logmon probe requires the following software environment:
CA Unified Infrastructure Management 8.0 or later
Robot 7.62 or later (recommended)
(to enable FIPS encryption) Bus (Robot) version 7.80
Probe Provisioning Manager (PPM) probe version 3.20 or later (required for Admin Console)
Java JRE 6 or later (required for Admin Console)
glibc 2.5 or later (required for Linux platforms)
Download and install the VS-2017 redistributable package (vs2017_vcredist_x64 and vs2017_vcredist_x86) to the Archive.
(Version 3.80) Probe Specific Changes After Upgrade
The probe supports AES-128 bit encryption and decryption. To enable this feature in your Infrastructure Manager (IM), set the
environment variable to one of the following values in the controller
If you do not set any value of the environment variable, then the probe uses
encryption and decryption, by default.
Set this value in all the robots where the logmon probe is configured.
Nimsoft Robot Watcher
service after you set the environment variable.
The probe fails to start if you provide incorrect values for the environment variable. CA does not recommend you to change this value after you set it once.
However, if your probe still fails to respond, see
Known Issues and Workarounds
section for more information.
logmon probe 3.91 fails to startup on RHEL 6 and RHEL 7 servers.
Executing the logmon probe binary from the command prompt:
results in the following error:
/logmon ./logmon: error while loading shared libraries: libicuuc.so.51: cannot open shared object file: No such file or directory
You can either use the logmon probe version 3.90 or manually set the environment variables in the controller probe as following:
In the controller probe:
To execute the binary from the command prompt:
The known issues of the probe are as follows:
On the AIX platform, if the files selected for monitoring using a wildcard are very large (~500+ depending on the file size), the probe crashes due to AIX platform limitations.
(On Version 3.91)
The probe, when using the URL mode, can read only one line at a time.
(On Version 3.80)
On your IM on a Windows system, sometimes the probe GUI might not open or might not respond. To fix this, create an environment variable on the Windows system from where you are accessing the IM.
Advanced System Settings
to open the
, and then click
to add a new variable.
Specify the following details for the
New User Variable
and exit from System Properties.
Nimsoft Robot Watcher
service after you set the environment variable.
(From logmon 3.70)
The probe has the following limitations on iSeries platforms:
The probe displays incorrect probe version number on the GUI and the probe logs.
The probe intermittently does not display the monitored .mbr file on the GUI.
The probe does not support monitoring log queues with multiple encodings. If the sysloggtw probe monitors syslog devices with different encodings, the probe might not be able to identify the characters from the SYSLOG.IN queue.
The probe does not support Byte Order Mark (BOM) in the monitored files. If BOM is present in the files, the first character might be a '?'.
The probe only generates alarms for a file if the probe continuously receives pattern matches, as in Queue mode or from a continuous running command, from the monitored file.
Command for some system calls (fgets) fail, resulting in wrong exit code by the probe.
Signal 13 and 15 result in exit code 141 and 143. The signals are used to kill a process.
The logmon Probe Provisioning UI does not allow user to view the file for URL mode.
The probe does not support URL mode, Command mode and Run Command on Match on IBM iSeries platform.
The probe has the following limitations when deployed in a non-English locale:
While monitoring an ASCII-based file using the ASCII characters for matching, you cannot use Japanese characters in the alarm message text. The probe cannot identify Japanese characters in alarm messages in such cases.
The probe displays illegible file name when clicking the
button, while monitoring a Japanese log file.
The probe GUI shows illegible text on clicking the
button to view the log file text.
GUI of the probe is not supported for updating the probe configuration because it can corrupt the entire probe configuration file.
The localization is supported only on Windows 32-Bit, Windows 64-Bit, and Linux 64-Bit.
The probe does not support queues with multiple encodings.
This section provides information that is required while upgrading the probe from a previous version to other higher versions.
Upgrade to version 3.42 or Later
While upgrading the probe from a previous version to 3.42 or later in the Japanese locale, take a back-up of your existing
file in UTF-8 encoding. The process ensures that the configuration file is not corrupt and the upgraded probe reads the Japanese characters correctly.
Deactivate older release of logmon probe.
Copy the existing
file to any other location of your system to make a backup.
Open the copied
file and save it to UTF-8 without BOM. If the file is with BOM, the probe throws an error while reading the file.
BOM is a special text at the beginning of the text file for identifying the file encoding. You can use a text editor, like
on Windows system and
on Linux system, for defining your file encoding. You can also use the
command on Linux for changing the character encoding. Alternatively, edit the configuration file on Windows system and copy it back to the Linux system.
Upgrade the probe to 3.42 or later version.
Activate the probe.
The probe reads the Japanese characters of the
In case, the probe is already upgraded to version 3.42 or later without taking a back-up of the configuration file, you can delete all such profiles and can recreate them.
Upgrade from a Previous Version to 3.44 or Later
The existing monitoring profile, where the
Run Command on Match
option is selected for a watcher rule, does not have any value for the
field. This field is introduced with the 3.43 version onwards of the probe. Open the probe GUI and save the configuration for adding a default value (1 second) for this
Upgrade from a Previous Version to 3.47 or Later
The probe is introduced with an option to kill the command after given time limit, which the
type monitoring profile executes. This new option does not kill the already running processes, which are executed by a previous version or when command timeout key is not enabled. You can manually kill those already running processes.
Upgrade from a Previous Version to 3.49 or Later
Starting with version 3.49, alarms will be generated only for Count Match Alarms.
Upgrade from a Previous Version to 3.56 or Later
In the url mode, the probe generates single alarm for all the matches in the webpage when using * as the match expression.