logmon Use Case Examples

This article lists the following examples of how to configure the logmon probe, with minimum configuration settings:
Example: When both "Generate alarm" and "Generate Quality of Service" check boxes are selected.
This example shows you the output when both Generate alarm and Generate Quality of Service check boxes are selected.
Follow these steps:
  1. Create a profile and a watcher with a variable.
  2. From the General tab, enable both Generate Quality of Service and Generate alarm check boxes.
  3. Navigate to Watcher Rules > QoS and enable the QoS for the variable.
  4. Create a QoS for the variable and assign a target.
    [Screenshot: QoSTarget.jpg]
  5. Apply and save the configuration.
  6. Check for alarms and QoS.
Result:
In this example, QoS settings are disabled as shown in the screenshot. This results in the following outcomes:
  • Alarm generated for matching pattern.
  • QoS generated for the variable. QoS on variables can only be sent on numeric value or state (true or false), provided that the option As expected is selected on the QoS definition dialog (the dialog launched when creating a new QoS).
  • No QoS for profile is generated.
Example: When only "Generate Quality of Service" check box is selected
This example shows you the output when only Generate Quality of Service check box is selected.
Follow these steps:
  1. Create a profile and a watcher with a variable. 
  2. From the General tab, enable Generate Quality of Service check box.
  3. Navigate to Watcher Rules > QoS.
  4. Enter the QoS Name and QoS Target.
  5. Apply and save the configuration.
  6. Check for alarms and QoS.
Result: 
In this example, QoS settings are enabled because the profile is running in "Send QoS" mode only. Hence, the user gets two QoS as follows:
  • A QoS for which you have created the target, "profile qos", as shown in the screenshot. If the target is not set here, it takes the default target profilename.watchername. The value for this QoS depends on the alarm message being sent on matching pattern. For example, if the text message is an integer, profile qos prints the value of that integer; otherwise, it prints 0 for a string.
  • A QoS for variable with target 10.112.77.242.variable as shown in the screenshot. QoS on variables can only be sent on numeric value or state (true or false), provided that the option As expected is selected on the QoS definition dialog (launched when creating a new QoS).
If running in Send QoS mode, the content of the Message to send on match field is converted to a number (double) unless the keyword NULL is used.
Monitor Response of Ping Command
Objective:
Monitor the response of the ping command with the following parameters:
  • Generate alarm with text for round trip time in the format "Maximum Time and Average Time". For example, "2 and 1".
  • Individual QoS messages for both values.
  • Restrict the format to the last four lines.
  • Exclude alarms if one or more packets are lost.
Prerequisites:
  • logmon probe is installed
  • permission to execute the CLI
Regular Expressions:
The regular expressions implemented in this use case are as follows:
  • Format Rule: The expression restricts the text block to start from the statistics section. For the end, we have used the line count.
    /.*Ping stat.*/
  • Exclude Rule: The expression looks for the count of lost packets. If the count is not zero, the lines are excluded from monitoring.
    /.*Lost = (?!0).*/
  • Watcher Rule: The expression looks for the line in the text with the maximum and average values. The values, as they are not constant, are specified using wildcards.
    /.*Maximum = (.*)ms, Average = (.*)ms.*/
  • Watcher Rule Variables: The following variables are defined to match the expression.
    • The variable for maximum value looks for the first match in the watcher rule. The value is picked from the first capturing group in the expression.
      Maximum = (.*)ms
    • The variable for average value looks for the second match in the watcher rule. The value is picked from the second capturing group in the expression.
      Average = (.*)ms
Test Command Response using CLI
Test the command and its response using the CLI in your Operating System. For example, Command Prompt in Windows.
Follow these steps:
  1. Open the CLI.
  2. Execute the command and view the response.
For example, for the ping command, the response is as follows:
D:\Users\abc.d>ping 10.112.69.69
Pinging 10.112.69.69 with 32 bytes of data:
Reply from 10.112.69.69: bytes=32 time=1ms TTL=63
Reply from 10.112.69.69: bytes=32 time=2ms TTL=63
Reply from 10.112.69.69: bytes=32 time=2ms TTL=63
Reply from 10.112.69.69: bytes=32 time=1ms TTL=63
Ping statistics for 10.112.69.69:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 4ms, Average = 3ms
The expected alarm message text for this ping is as follows:
4 and 3
Configure Profile With Watcher Rule
You can configure the probe to monitor the ping response of a network system.
Follow these steps:
  1. Create a command profile. For example, CommandUseCase.
  2. In the General tab > Command field, specify the command in the ping <IP> format.
    For example, ping 10.112.69.69
    [Screenshot: logmonCommandGeneral.png]
  3. Create a Watcher rule.
  4. In the Watcher Rules tab > Standard tab of the rule > Match Expression field, specify the expression to match in the command response.
    For example, specify /.*Maximum = (.*)ms, Average = (.*)ms.*/ to look for the last line of the text keyword in the response.
    If you specify * as the expression, the probe generates an alarm for each line of the response.
  5. Enable the watcher rule and the profile to start monitoring.
    [Screenshot: logmonCommandWatcherStandard.png]
  6. The probe generates the alarm with the following text:
    Minimum = 3ms, Maximum = 4ms, Average = 3ms
Configure Custom Variable in Watcher Rule
You can configure custom variables and use the variable in the alarm message text. You can also configure QoS messages for these variables.
Follow these steps:
  1. In the Variables tab, create a variable. For example, create a variable maxVar that extracts the maximum value from the ping response.
  2. In the Variable Settings dialog, specify the initial location of the string. For example, select Match Expression with value 1 to capture the first matching group.
    [Screenshot: logmonCommandWatcherVariableSettings.png]
  3. Repeat this for the average value, with Match Expression set to value 2 to capture the second matching group.
  4. In the Watcher Rules tab > Standard tab of the rule > Match Expression field, specify the variables in the alarm message.
    [Screenshot: logmonCommandWatcherStandardVar.png]
  5. The probe generates an alarm with the following text:
    4 and 3
  6. In the QoS tab, select the variable to generate QoS messages.
    The probe generates QoS messages with 0 as the value if the variable text is non-numeric.
    [Screenshot: logmonCommandWatcherQoS.png]
  7. The probe generates the following QoS messages:
    • With target CommandUseCase.W1.maxVar, the QoS value is 4.
    • With target CommandUseCase.W1.avgVar, the QoS value is 3.
Restrict Format Definition to Last Four Lines
You can restrict the profile to look for the string in a specific block of text using format rules. For example, create a format rule that restricts the search parameters to the last four lines of the ping response. In this example, the probe restricts the text block using the format rule, looks for the watcher rule expression in that text block, and when found, applies the variable parameters on the format rule block to generate the alarm.
When you use a format rule, variables in associated watcher rules are applicable on the format rule text block.
Follow these steps:
  1. In the Format Rules tab, create a format rule.
  2. Specify the start and end expressions.
    For example, specify /.*Ping stat.*/ as the start expression and end after four lines.
    [Screenshot: logmonCommandFormat.png]
  3. The probe generates the alarm with the following text:
    4 and 3
Exclude Monitoring If One or More Packets Are Lost
You can specify an expression to exclude lines of matching text from monitoring. In this example, the probe restricts monitoring if one or more packets are lost.
Follow these steps:
  1. In the Exclude Rules tab, create an exclude rule.
  2. Specify the expression to exclude the matching text.
    For example, specify /.*Lost = (?!0).*/ as the expression.
    [Screenshot: logmonCommandExclude.png]
  3. The probe generates the following alarm message if no packets are lost:
    [Screenshot: logmonCommandAlarm.png]
  4. The probe generates the following QoS messages if no packets are lost:
    [Screenshot: logmonCommandQoS.png]
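The three rules of the ping use case can be checked offline before they go into a profile. The following Python sketch is an added example, not the probe's own code: it applies the page's expressions with Python's re module, and the function names, the shortened sample output, and the choice to drop the whole format block when the exclude rule matches are assumptions.

```python
import re

# Constructed sample: a shortened copy of the ping response shown on this page.
PING_OK = """Pinging 10.112.69.69 with 32 bytes of data:
Reply from 10.112.69.69: bytes=32 time=1ms TTL=63
Ping statistics for 10.112.69.69:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 4ms, Average = 3ms
"""
# Constructed variant in which one packet is lost.
PING_LOSSY = PING_OK.replace("Received = 4, Lost = 0 (0% loss)",
                             "Received = 3, Lost = 1 (25% loss)")

FORMAT_START = re.compile(r".*Ping stat.*")        # format rule start
EXCLUDE = re.compile(r".*Lost = (?!0).*")          # exclude rule
WATCHER = re.compile(r".*Maximum = (.*)ms, Average = (.*)ms.*")  # watcher rule


def format_block(text, line_count=4):
    """Return line_count lines beginning at the format rule's start line."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if FORMAT_START.match(line):
            return lines[i:i + line_count]
    return []


def to_qos(value):
    """Numeric text becomes a double; non-numeric text becomes 0."""
    try:
        return float(value)
    except ValueError:
        return 0.0


def evaluate(text):
    """Return the alarm text and QoS values, or None when nothing fires."""
    block = format_block(text)
    # Assumption: a match of the exclude rule suppresses the whole block.
    if any(EXCLUDE.match(line) for line in block):
        return None
    for line in block:
        m = WATCHER.match(line)
        if m:
            max_var, avg_var = m.group(1), m.group(2)  # capture groups 1 and 2
            return {"alarm": f"{max_var} and {avg_var}",
                    "qos": {"maxVar": to_qos(max_var),
                            "avgVar": to_qos(avg_var)}}
    return None
```

The lookahead (?!0) only inspects the first character after "Lost = ", which is sufficient here because ping prints the loss count without leading zeros.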
Monitor a log file using regular expression and run a script
Objective: 
Monitor a log file and run a script when the specified text is found in the file.
Prerequisites:
  • logmon probe is installed, configured and active.
  • log file is available for monitoring.
  • script file is available for execution.
Follow these steps:
  1. Create and configure a profile (for example, demo_logmon) in the probe with the following minimum settings:
    • From the General tab, browse and select the monitored log file (for example, my.log file).
    • Select the Mode as cat to search for the required text in the entire log file.
    • Select the Generate Alarm check box to receive alerts when the match is found.
      [Screenshot: generalsection.PNG]
  2. Create and configure a watcher rule (for example, script_run), with the following minimum settings to define the conditions to run the script.
    • Under Match Expression, add the expression that the probe will search in the log file. For example, add *[Hh]eartbeat*. When the text, Heartbeat or heartbeat is found in the log file, the specified script will be executed. For more information about Regular Expression Construct Rules, see logmon Hints and Examples.
    • Under Message to Send on Match, add the text that will be displayed as an alert when the match is found. For example, "Match Found".
    • Select the Run Command on Match check box to run the script when the match is found.
    • Browse and select the script file that will be executed, upon successful match. For example, script.sh file.
      [Screenshot: watcherrule.PNG]
  3. Activate the profile to start monitoring.
Output:
In this example, when the script is executed, the "script.txt" file is created. See the following screenshot.
[Screenshot: verifyscript.PNG]
An alarm is also displayed with the specified "Match Found" text.
[Screenshot: alarmmessage.PNG]
Monitor a log file using regular expression and use the matched string as the alarm message
Objective:
Monitor the log file and generate an alert when the specified text is found. The alarm message is same as the found text.
Prerequisites:
  • logmon probe is installed, configured and active.
  • log file is available for monitoring.
Follow these steps:
  1. Create and configure a profile (for example, demo_logmon2) in the probe, with the following minimum settings:
    • From the General tab, browse and select the monitored log file (for example, my.log file).
    • Select the Mode as cat to search for the required text in the entire log file.
    • Select the Generate Alarm check box to receive alerts when the match is found.
      [Screenshot: Example2_generaltab.png]
  2. Create and configure a watcher rule (for example, alarm), with the minimum following setting:
    • Under Match Expression, add the expression that the probe will search in the log file. For example, add *[Hh]eartbeat*. When the text, Heartbeat or heartbeat is found in the log file, an alarm will be generated. For more information about Regular Expression Construct Rules, see logmon Hints and Examples.
      [Screenshot: Example2_Watcherrule.png]
  3. Activate the profile to start monitoring.
Output:
In this example, the "my.log" file contains the text, "heartbeat found in file". When the profile finds the "heartbeat" text in the log file, the following alarm is generated.
[Screenshot: Example2_Alarmmessage.png]
Monitor a text file using regular expression and generate a QoS message
Objective:
Monitor a text file and generate a QoS message when the specified text is found. The QoS message displays the monitoring information, such as the number of times the text was found in the log file.
Prerequisites:
  • logmon probe is installed, configured and active.
  • file is available for monitoring.
Follow these steps:
  1. Create and configure a profile (for example, my_log) in the probe with the following minimum settings:
    • From the General tab, browse and select the monitored file (for example, test.txt).
    • Select the Mode as cat to search for the required text in the entire log file.
    • Select the Generate Quality of Service check box to generate the QoS message, upon successful match.
      [Screenshot: Example3_GeneralSetup.png]
  2. Create and configure a watcher rule (for example, ora), with the following minimum settings:
    • Under Match Expression, add the expression that the probe will search in the text file. For example, add *us*. For more information about Regular Expression Construct Rules, see logmon Hints and Examples.
      [Screenshot: Example3_WatcherRule.png]
  3. From the QoS tab, select the Count Matches check box.
    [Screenshot: Example3_QoS.png]
  4. Save the information and restart the probe.
Output: 
An alarm is generated when the "us" expression is found in any word in the text file. As shown in the following screenshot, QOS_LOGMON_VARIABLE captures the number of times the expression "us" has been found in the text file. In this example, the expression has been found only once, so the samplevalue shows "1".
[Screenshot: Example3_QoSResult.png]
Example: Maximum Alarm Count based on Suppression Keys
You can configure the probe to generate the maximum number of alarms specified in the Maximum Alarm Count field based on Suppression Keys defined for a watcher.
When the MaxAlarmPerWatcherSuppKey value is set to No, the probe limits the number of alarms to the value specified in the Maximum Alarm Count field per watcher.
For example, consider a profile with Maximum Alarm Count not specified and a watcher configured with the regex pattern /(?i:WSVR0220I\:[^\:]*\:(?<apllog>\s*[^\s]*))/ and the Suppression Key (suppid) GBM_${apllog}_SCH, running in file update mode with the following log file content:
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingBatchListaceEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingBatchListaceEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingBatchListaceEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingBatchListaceEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingContabilidadEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingContabilidadEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingContabilidadEAR 
[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A WSVR0220I: Application stopped: GlobalConfirmingContabilidadEAR 
The probe generates two different alarms with a supp count equal to 4.
  • Four events with supp id: GBM_BVMNGLAPCFSI21_BVMNGLAPCFSI22_STOPPEDSTARTING_GlobalConfirmingBatchListaceEAR_SCH
  • Four events with supp id: GBM_BVMNGLAPCFSI21_BVMNGLAPCFSI22_STOPPEDSTARTING_GlobalConfirmingContabilidadEAR_SCH
When the MaxAlarmPerWatcherSuppKey value is set to Yes, with the same regex pattern and Suppression Key and the Maximum Alarm Count value set to 1, the probe generates:
  • One event with supp id: GBM_BVMNGLAPCFSI21_BVMNGLAPCFSI22_STOPPEDSTARTING_GlobalConfirmingBatchListaceEAR_SCH
  • One event with supp id: GBM_BVMNGLAPCFSI21_BVMNGLAPCFSI22_STOPPEDSTARTING_GlobalConfirmingContabilidadEAR_SCH
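The difference between the two MaxAlarmPerWatcherSuppKey settings can be modelled in a few lines. This Python sketch is an added example, not the probe's own code: the alarms function and its parameters are hypothetical, the key is built only from the GBM_${apllog}_SCH template (so it is shorter than the supp ids listed above), and trimming whitespace from the captured group is an assumption.

```python
import re
from collections import Counter

# Constructed sample modelled on the log content above: four lines per application.
PREFIX = ("[10/3/17 13:23:13:390 CEST] 0000004d ApplicationMg A "
          "WSVR0220I: Application stopped: ")
LOG = ([PREFIX + "GlobalConfirmingBatchListaceEAR"] * 4
       + [PREFIX + "GlobalConfirmingContabilidadEAR"] * 4)

# The page's pattern; Python writes the named group as (?P<apllog>...)
# where the page writes (?<apllog>...).
PATTERN = re.compile(r"(?i:WSVR0220I\:[^\:]*\:(?P<apllog>\s*[^\s]*))")
SUPP_TEMPLATE = "GBM_{apllog}_SCH"


def alarms(lines, max_count=None, per_supp_key=False):
    """Return {suppression key: events sent} under the given limit.

    max_count=None models an unspecified Maximum Alarm Count.
    per_supp_key=False models MaxAlarmPerWatcherSuppKey = No (limit per watcher);
    per_supp_key=True models Yes (limit per suppression key).
    """
    sent = Counter()
    total = 0
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        # Assumption: surrounding whitespace in the capture is trimmed,
        # because the group \s*[^\s]* includes the leading space.
        key = SUPP_TEMPLATE.format(apllog=m.group("apllog").strip())
        used = sent[key] if per_supp_key else total
        if max_count is not None and used >= max_count:
            continue  # limit reached: this event is not sent
        sent[key] += 1
        total += 1
    return dict(sent)
```

With a limit of 1 counted per watcher, only the first application raises an event; counted per suppression key, each application raises one.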