-
Title
How to modify a log filter rule that it behaves different for some log filter agents? -
Description
Having a lot of log filter agents running on different hosts. Now for some of the agents the log filter rule should behave different: it should fire an alarm after it evaluate the condition 2 times and both times it returns true.
How to modify a log filter rule that it behaves different for some log filter agents?
-
Resolution
As the new rule behavior should be available only for few agents a second log filter rule is needed.
Please follow the steps below:
1. Make a copy the original log filter and use that copy for the exceptional agents.
2. To get the copied rule working correctly please follow the step in solution sol65573:
https://support.quest.com/Search/SolutionDetail.aspx?id=SOL655733. Now open the copied rule and change the scope of it.
- Click on tab "Rule Definition".
- There you find the scope of the rule which is currently "LogFilter_ErrorVerbose".
- Change it to: LogFilter_ErrorVerbose where monitoringAgent.name = 'MyAgentName'
(Replace MyAgentName with your agent name)4. Open the tab "Behavior" and modify the Action Behaviors here.
5. Save the rule
6. Open the original log filter rule and modify the scope to exclude the exceptional agents from this rule:
- Click on tab "Rule Definition".
- There you find the scope of the rule which is currently "LogFilter_ErrorVerbose".
- Change it to: LogFilter_ErrorVerbose where monitoringAgent.name != 'MyAgentName'
(Replace MyAgentName with your agent name)7. Save rule
-
Additional Information
Instead of monitoredAgent.name also other agents properties can be used to modify the scope. The property monitoredHost.name can also be used to ex/include all log filter agents configured an a specific host
Instead of the equal sign "=" the word "like" can be used. When using "like" regular expressions can be used, for example the place holder "%" while the equal sign is looking for exact matches.