The File Watching Monitor reads file content one line at a time, making it ideal for locating various types of information recorded in application or server log files, such as errors, events and notices.
Syslog files, which are sent across the network to a Syslog Server rather than being recorded locally, can also easily be monitored using the File Watching Monitor.
The File Watching Monitor scans the file you specify to locate any entries that match the Regular Expressions(s) you have defined. Regular Expression searching is ideal for filtering specific details from the lines in a file, because the format and contents in log files may vary significantly depending on the information recorded.
When a match is found, a Content Generator (you configure) parses the information, and then an Information Alert is triggered.
The File Watching Monitor may be configured to only trigger a single Information Alert per scan, as opposed to one per match, which can significantly reduce the number of Alerts you receive.
The File Watching Monitor maintains a pointer to the file offset, ensuring that lines are only analyzed once. Should the log file be reset, the pointer will also be reset.
The Test Parameters dialog box is used to identify the location of the file to monitor, and to enter one or more Regular Expressions to filter specific details from the log file.
File Name
Specify the name of the file to monitor.
Directory
Enter the Local directory or UNC Share that contains the file to monitor.
Credential for Monitoring
Assigning a Credential for Monitoring is an optional setting. If you wish to take advantage of ipMonitor's security model, you can provide a Credential to have the File Watching Monitor impersonate an account with necessary privileges required to access the local directory or UNC Share on the remote machine. When the Monitor attempts to open the file, it will use the Credential's account and password information to authenticate to the target machine.
If a Credential is not assigned, ipMonitor will use the current account privileges of the Windows Account assigned to the ipMonitor Service.
To select a Credential:
- Click the Select button to pop up the Credentials for Monitoring dialog
- Select an existing Credential from the Windows category
- To create a new Credential, click the New Credential button to start the Wizard
For specific details regarding configuration of a Credential to be used with the File Watching Monitor, refer to Credentials for Monitoring :: FILE WATCHING.
Note: For more information about Credentials, refer to the section titled About Credentials.
Exclusions by Line Text
Click the Enable button to exclude file content based on the Regular Expression you enter.
Note: The File Watching Monitor applies the Regular Expression to a single line at a time. Therefore, the Regular Expression cannot span multiple lines.
Content Matching Lines with Regular Expressions
A number of different filter Scenarios using Regular Expressions can be added to locate specific information within log files.
Note: The File Watching Monitor analyzes files one line at a time. As a result, Regular Expressions that range across more than one line cannot be added.
Note: The RegEx Wizard located in the Tools menu can be used to help create simple Regular Expressions.
Content Generator
Once the Regular Expressions have successfully filtered information, a Content Generator is used to format the results for Alerts.
A Content Generator is used to create an Information Alert message. It may contain data captured by a Regular Expression, such as a line from a log file, an Event log description, variable-binding data from an SNMP Trap, as well as other information relating to the Monitor, such as the Event timestamp or the source IP address of a received SNMP Trap.
Refer to Content Generators for more information regarding formatting and supplemental Tokens.
Preview
The Preview button is used to test your configuration. When clicked, ipMonitor connects to the specified file specified and searches log file entries that already exist using the Test Parameters provided.
The Notification Control section determines how many test failures must occur before an Alert is sent, as well as the maximum number of Alerts that will be sent.
For the File Watching Monitor, the Accumulated Failures per Alert and Maximum Alerts to Send parameters work no differently than with all other Monitors. Refer to General Monitor Settings for more information.
Information Alerts to Send
Three different options are provided to help manage the Information Alerts that are generated by ipMonitor:
- Combine up to 15 Found Scenarios into one Alert: 15 individual Information Alerts will be folded or merged into a single Alert. This is ideal for Events such as Information types that are apt to generate many of the same Events.
- Disabled - Send up to 5 Information Alerts (Individually): Refers to the "fold" feature. This option will send up to a maximum of five Information Alerts, one for each matching entry that is located. This is ideal for Events such as Application Errors.
- Disabled - Send first Found Scenario: Sends a single Information Alert for each Monitor test, regardless of how many matching entries are located. Only the first matching entry will trigger an Information Alert. This is ideal for Events such as Security, when you want to be informed immediately or take immediate action.
Most servers and server applications are capable of recording system errors to a log file. ipMonitor can be used to search through the contents of a log file for specific entries based on user-defined criteria, or a Regular Expression.
When a match is found, this information can be extracted from the file and formatted using a Content Generator before it is sent to an Information Alert.
Sample Line in Syslog :: Cisco PIX Firewall
Jul 29 2004 09:56:27: %PIX-1-103003: (Primary) Other firewall network interface 4 failed.
Monitor Configuration Settings
File Name: pix_syslog.log
Directory: \\SYSLOGSRV\logs\
Scenario #1: RegEx Pattern \i(.*?)\:\s+\%PIX\-1-103003:\s+(.*?)
Content Generator
Once the configuration settings are applied, it will then be necessary to create a Content Generator that will insert the results into an email message body (or other Alert type) when an Alert is triggered. A Content Generator is created in the Alerts / Content Generators section.
| Name: | Cisco PIX Interface |
| Value: | Error Occurred at: %capture[1]% PIX Error Code [PIX 1-103003] Error Message: %capture[2]% |
Error Message Offset = %capture[offset]% bytes
Once the Content Generator has been created and saved, it will then be necessary to assign the newly created Content Generator to the File Watching Monitor. This selection is made in the Information Alert Content drop-down box located in the Monitor configuration screen.
Information Alert Results
The following is a sample of the formatted result when ipMonitor finds an entry in the file matching the Regular Expression.
Error Occurred at: Jul 29 2004 09:56:27
PIX Error Code [PIX-1-103003]
Error Message: (Primary) Other firewall network interface 4 failed.
Error Message Offset = 23698 bytes
When the Monitor is in an Up state, test results are reported as shown in the example below:
rtt - Round-Trip Time. This value indicates the time it took the test packet to reach the monitored resource and return a response to ipMonitor. Round-trip time is measured in milliseconds (ms).
When the Monitor is in a Warn, Down, or Lost state, the Last Result field indicates the problem encountered. Different Monitor types generate specific Error Codes in accordance with the technical capabilities of the Monitor. Refer to the Error Codes section of this document for details.
When creating a new File Watching Monitor, note that the Monitor starts searching forward from the time of creation; it does not search historical content already in the file.
When configuring a Monitor, clicking the Force Test button will reset the testing cycle for the Monitor, allowing you to promptly reapply new configuration parameters. However, this will not work with the File Watching Monitor as its pointer will be reset to its current time or, essentially, the end of the file.
The Preview test, however, does search the file's existing content, making it ideal for configuration and troubleshooting purposes.
For information on settings common to all Monitor types, such as Identification, Timing, Notification Control and Recovery Parameters, refer to General Monitor Settings.
The following error codes are generated by the File Watching Monitor. Error codes are displayed in Real-time and Historical Reports. They can also be added to Alerts using Tokens.
| Message | Details |
|---|---|
| Configuration information for this item is missing some required fields | A required element(s) for Monitor connectivity or testing was not supplied to ipMonitor. |
| The required state information is not available | Temporary information used to let the Monitor know where to resume cannot be read. |
| The remote device could not find the requested file | ipMonitor was not able to connect to the specified file. This could be due to a Monitor configuration error such as incorrect path or filename. |
| An error occurred while reading the remote file | ipMonitor was not able to open the file for read access. |
For information on other features and concepts related to those discussed in this article, refer to the following ipMonitor resources:
< Back
Last Updated: March 30, 2007 | What did you think of this topic?