Set Up Log Tracking for a Resource


Topics marked with * relate to features available only in vFabric Hyperic.

Log Tracking Overview

IT problems can often be detected or diagnosed from messages generated by operating systems, application servers, network services, or middleware throughout the environment. Hyperic can monitor messages in log files and in memory, and record events in the Hyperic database based on criteria you specify.  

Configure Log Tracking

Hyperic Resource Types that Support Log Tracking

Hyperic supports log tracking for operating system platforms, network services, and most server types. If a resource supports log tracking, its Configuration Properties page contains log tracking configuration options.

Supported Log Message Types

Hyperic can monitor and record events for:

  • Log file messages that specify log levels using log4j log levels.

  • Events written to Windows Event Logs.

  • Network request results for a variety of network services.

Log Tracking Configuration Options

You enable and configure log tracking for a resource on its Configuration Properties page. Navigate to the resource's Inventory page, and click Edit in the Configuration Properties section to display the Configuration Properties page.

Note: Log and configuration tracking must be enabled for a resource if you wish to log events for log messages or configuration changes. Event logging is automatic for alerts and control actions.

Log tracking options vary by resource type. See the following sections for more detail:

Log Tracking for Resources with Log4j Logs

This section describes the log tracking configuration options for resources whose log files use log4j levels.


An authorized user can set the values of these configuration options:

  • Enable/disable log tracking.

  • Specify one or more files to track, as a comma-separated list. The Hyperic Agent must be able to read these files, so make sure permissions are set appropriately.

  • Specify the highest log level to track:

    • Error - Messages with log level "FATAL" or "ERROR"

    • Warn

    • Info

    • Debug

  • Specify substrings or expressions to use as include/exclude filter criteria. Enter a substring or a regular expression that a log message must contain or match in Log Pattern Match. For more information, see http://download.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html.

Log Tracking for Network Services

This section describes the log tracking configuration options for network services.


An authorized user can set the values of these configuration options:

Log Tracking for Windows Platforms

This section describes the log tracking configuration options for platforms of type "win32".


An authorized user can set the values of these configuration options:

  • Enable/disable log tracking.

  • Specify one or more Event Logs to track:

    • System - contains events logged by Windows system components. For example, if a driver fails to load during startup, an event is recorded in the system log. Windows predetermines the events that are logged by system components.

    • Application - contains events logged by programs. For example, a database program may record a file error in the application log. Events that are written to the application log are determined by the developers of the software program.

    • Security - contains events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. A Windows administrator or member of the Windows Administrators group specifies which events are recorded in the security log.

    • "*" causes all event logs to be tracked

  • Specify the highest log level to track:

    • Error - Windows Events with level "ERROR" 

    • Warn - Windows Events with level "WARNING"

    • Info - Windows Events with level "INFORMATION" or "SUCCESS"

    • Debug - No Windows Event types map to this level

Content of Logged Windows Events

When Windows log tracking is enabled, an entry of this form is logged for events that match the criteria you specified on the resource's Configuration Properties page:

[Timestamp] Log Message (EventLogName):EventLogName:EventAttributes

where:

  • Timestamp - is when the event occurred

  • Log Message - is a text string

  • EventLogName - is the Windows event log type, "System", "Security", or "Application".

  • EventAttributes - a colon-delimited string made of the Windows event Source and Message attributes.

For example, this log entry: 

 04/19/2010 06:06 AM Log Message (SYSTEM): SYSTEM: Print: Printer HP LaserJet 6P was paused.

is for a Windows event written to the Windows System event log at 6:06 AM on 04/19/2010. The Windows event Source and Message attributes are "Print" and "Printer HP LaserJet 6P was paused.", respectively.

Tailoring the Content and Format of Logged Windows Events

You can configure the last portion of the log data that the agent writes for a Windows event - referred to above as EventAttributes. You can include additional event attributes, for example User and Computer. To do so, you add the platform.log_track.eventfmt property to the agent.properties file for the Hyperic Agent monitoring the Windows platform.

Usage of platform.log_track.eventfmt property is described below.

platform.log_track.eventfmt Property

Description

Specifies the content and format of the Windows event attributes that a Hyperic Agent includes when logging a Windows event as an event in Hyperic. agent.properties does not contain the platform.log_track.eventfmt property; you must explicitly add it if you want to tailor the data logged for Windows events.

Default Behavior

When Windows log tracking is enabled, an entry of this form is logged for events that match the criteria you specified on the resource's Configuration Properties page:

[Timestamp] Log Message (EventLogName):EventLogName:EventAttributes

where:

  • Timestamp - is when the event occurred

  • Log Message - is a text string

  • EventLogName - is the Windows event log type, "System", "Security", or "Application".

  • EventAttributes - a colon-delimited string made of the Windows event Source and Message attributes.

For example, this log entry: 

 04/19/2010 06:06 AM Log Message (SYSTEM): SYSTEM: Print: Printer HP LaserJet 6P was paused.

is for a Windows event written to the Windows System event log at 6:06 AM on 04/19/2010. The Windows event Source and Message attributes are "Print" and "Printer HP LaserJet 6P was paused.", respectively.

Configuration

You can use the parameters below to configure the Windows event attributes that the agent writes for a Windows event. Each parameter maps to the Windows event attribute of the same name.

  • %user% — The name of the user on whose behalf the event occurred.

  • %computer% — The name of the computer on which the event occurred.

  • %source% — The software that logged the Windows event.

  • %event% — A number identifying the particular event type.

  • %message% — The event message.

  • %category% — An application-specific value used for grouping events.

For example, with this property setting:

platform.log_track.eventfmt=%user%@%computer% %source%:%event%:%message%

the Hyperic Agent will write the following data when logging a Windows event:

04/19/2010 06:06 AM Log Message (SYSTEM): SYSTEM: HP_Administrator@Office Print:7:Printer HP LaserJet 6P was paused.

This entry is for a Windows event written to the Windows System event log at 6:06 AM on 04/19/2010. The software associated with the event was running as "HP_Administrator" on the host "Office". The Windows event's Source, Event, and Message attributes are "Print", "7", and "Printer HP LaserJet 6P was paused.", respectively.
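The sketch below is an added example, not Hyperic code: it compiles an eventfmt template into a regular expression and parses logged Windows event entries back into fields, which shows what the default attributes leave out (user, computer, event number) and why ending the template with %message% keeps entries whose message contains colons parseable. The entry-prefix layout and the default template "%source%: %message%" are assumptions reconstructed from the sample lines above, and COLON_LINE is a constructed sample.

```python
import re
from datetime import datetime

# Parameters the page documents for platform.log_track.eventfmt.
PARAMS = {"user", "computer", "source", "event", "message", "category"}

# Assumption: default attributes look like "%source%: %message%", reconstructed
# from the page's default sample line; this is not a documented property value.
ASSUMED_DEFAULT_FMT = "%source%: %message%"
# Entry prefix, inferred from the layout of the page's sample lines.
PREFIX = re.compile(
    r"^\s*(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M) Log Message "
    r"\((?P<log>[^)]+)\):\s*(?P=log):\s*(?P<attrs>.*)$"
)

def eventfmt_to_regex(fmt):
    """Compile an eventfmt template into a regex with one group per parameter."""
    parts = re.split(r"%(\w+)%", fmt)  # literals at even indexes, names at odd
    out = []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out.append(re.escape(part))
        elif part not in PARAMS:
            raise ValueError(f"unknown eventfmt parameter: %{part}%")
        elif part == "event":
            out.append(r"(?P<event>\d+)")
        else:
            # Only the last parameter is greedy, so a trailing %message% keeps its colons.
            lazy = "" if i == len(parts) - 2 else "?"
            out.append(f"(?P<{part}>.*{lazy})")
    return re.compile("^" + "".join(out) + "$")

def parse_entry(line, fmt=ASSUMED_DEFAULT_FMT):
    """Return the fields of one logged Windows event, or None if it does not fit."""
    head = PREFIX.match(line)
    attrs = head and eventfmt_to_regex(fmt).match(head.group("attrs"))
    if not attrs:
        return None
    when = datetime.strptime(head.group("ts"), "%m/%d/%Y %I:%M %p")
    return {"time": when, "log": head.group("log"), **attrs.groupdict()}

PAGE_FMT = "%user%@%computer% %source%:%event%:%message%"
DEFAULT_LINE = " 04/19/2010 06:06 AM Log Message (SYSTEM): SYSTEM: Print: Printer HP LaserJet 6P was paused."
CUSTOM_LINE = "04/19/2010 06:06 AM Log Message (SYSTEM): SYSTEM: HP_Administrator@Office Print:7:Printer HP LaserJet 6P was paused."
# Constructed line: the message itself contains a colon.
COLON_LINE = "04/19/2010 06:06 AM Log Message (APPLICATION): APPLICATION: svc_backup@FILESRV01 Backup:42:Job failed: disk full"

if __name__ == "__main__":
    print(parse_entry(CUSTOM_LINE, PAGE_FMT))
```

An entry parsed with a template other than the one the agent used returns None, so a parser like this has to be kept in step with the agent.properties setting.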

View Log Events

Log events for a particular resource are indicated in the timeline at the bottom of the resource's Indicators page. A circular indicator over the timeline indicates a timeslice in which one or more events of any type - log events, configuration change events, or alerts - were logged. Click the event indicator to view the data collected at that time.


In vFabric Hyperic, you can use the Event Center to view events over time for all, or selected groups of resources, and filter by log event severity. For more information see Event Center.

Defining Alert Conditions Based on Log Events

For information about defining alert conditions based on log events, see "Step 3: Define Alert Condition Set" in Define an Alert for a Resource.

Log Tracking Support Classes

For information about the Hyperic support class for log events for log file messages that specify a log4j level, see Log4JLogTrackPlugin.

For information about the Hyperic support class for tracking Windows Event logs, see Win32EventTrackPlugin.

Plugin classes monitor network services log events using the plugin.getManager().reportEvent method.