The monitoring agents look for specific records given a text pattern in the monitored log files. They support regular expressions, which allows you to search for desired text patterns. The agents support PCRE (Perl Compatible Regular Expressions). For details about the PCRE syntax, visit http://perldoc.perl.org/perlre.html.
To monitor log records on a host, an agent establishes an SSH connection to Unix hosts, or a WMI or WinRM connection to Windows® hosts. Once this connection is in place, an agent executable is uploaded to the remote host (into %TEMP% on Windows and /tmp on UNIX®). The name of the executable name is unique to the agent instance. The executable then starts locating the monitored log files on the host and extracts the desired records, as specified in the agent properties. The agent sends back the extracted records to the agent for processing. The agent keeps track of the current location in all of the scanned log files so that the same information is only scanned once.
The monitoring agents use the same set of credentials as the other Foglight for Infrastructure agents, and the same credential purposes. For more information, see the Using Foglight for Infrastructure.
Default versions of these properties are installed with Foglight for Infrastructure, and configured for your agent instances when you run the configuration wizards. If you need to make changes to any list properties after configuring your monitoring agents, you can do so (see Configuring File Log Monitor agent properties and Configuring Windows Event Log Monitor agent properties). However, keep in mind that any changes you make to a list property can affect other agent instances. For more information about LogMonitor remote monitoring, see Configuring connections to remote Windows platforms.
For complete information about working with agent properties, see the Administration and Configuration Help.
a |
On the navigation panel, under Dashboards, select Administration > Agents > Agent Status. |
b |
For a configuration example, see FileLogMonitor configuration example.
The Monitored Host properties specify the hosts whose log files you want to monitor with this agent.
• |
Hosts: A list specifying the hosts monitored by the agent instance. Typically you want a cloned list that is associated with a specific agent instance. Each entry in the list includes the following columns: |
• |
Host: The name of the monitored host or its IP address. |
• |
Host name override: The host name under which this host’s data is stored in the data model. This property is optional. |
• |
Host Type: Windows or Unix. This property determines how the agent connects to the host: using SSH (Unix hosts), or using WMI or WinRM (Windows hosts). |
• |
SSH Port: The port number used for secure connections, if applicable. For Unix and Linux hosts, this value is typically set to 22. For Windows hosts, this is not applicable, and -1 should be specified (meaning not applicable). This property is optional. |
• |
Operation Timeout: The maximum amount of time in seconds given to the agent for each phase of a collection attempt. This includes uploading the native executable, scanning for log entries, and retrieving log content. |
• |
Collect System ID: This property indicates to the agent whether or not to collect a unique system ID from this system. This is not desirable when monitoring Hyper-V systems, as some Hyper-V systems use the same ID for multiple systems, preventing them from being unique. |
• |
Remote Collector Executable: The name of the agent native executable on the remote monitored host. This property is optional. If not specified, a random name is used. Configure this property only if you need to set a specific name for the executable so that you can write a sudo rule for it, or to have it uploaded to a non-default directory. In that case, provide a complete a full path name along with the file name. |
TIP: By default, the executable is created on the monitored host in the %TEMP% directory (Windows) or /tmp (Unix). |
• |
Secure Launcher: The name and path to the sudo that enables the agent to launch on Unix and Linux machines, for example: /usr/bin/sudo. This property is optional. |
The Log Files properties allow you to specify the monitored log files on each host the agent instance connects to, and the type of log records that you want to scan.
• |
Log Files: A list specifying the log files monitored by this agent. If the list is shared between agent instances, or if the agent instance is configured to connect to multiple hosts, the log file locations specified in this list are checked on every host the agent connects to. This is useful in situations when you want to scan a standard log file, for example, /var/log/messages, across multiple hosts. To do that, create one agent instance with its own Hosts list, (see Monitored Hosts), and a single row in this list. |
• |
Directory: The directory containing the log files that you want to monitor. |
• |
Filename Pattern: A regular expression that specifies which log files to monitor. |
TIP: The agent supports PCRE (Perl Compatible Regular Expressions). For details about the PCRE syntax, visit http://perldoc.perl.org/perlre.html. |
• |
File Format Name: The name of the file format the log file uses. File format definitions are specified in the File Formats properties. The value you provide in this column must match an existing file format. |
• |
• |
RegEx Match Patterns: A regular expression that the agent uses to look for specific text in the monitored log files. |
TIP: The agent supports PCRE (Perl Compatible Regular Expressions). For details about the PCRE syntax, visit http://perldoc.perl.org/perlre.html. |
• |
Match Severity: The severity associated with log records that match the specified regular expression, in the monitored log file. There are five available severities that you can choose from: Warning, Critical, Fatal, Debug, and Informational. |
• |
Tags: One or more comma-separated tags that you want to add to log records that match the specified regular expression, in the monitored log file. This property is optional. Tags are useful because they can help you quickly locate records with a desired tag. If set, tags are reported along with any record that matches the specified regular expression. For example, the tag security, auth can be applied to any records that match the regular expression “.*login failed.*”. This allows the agent to identify all records (regardless of file name, host, agent or content) that relate to either security or authorization, and to display them on the Log Monitor dashboard. |
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center