Log Parser

The Log Parser page defines log parsers and assigns them to selected machine IDs.

Note: The log parsers are only active if they are subsequently assigned a log parser set using Assign Parser Sets.

Log Monitoring

The VSA is capable of monitoring data collected from many standard log files. Log Monitoring extends that capability by extracting data from the output of any text-based log file. Examples include application log files, syslog files created for Unix, Linux, and Macintosh operating systems, and logs from network devices such as Cisco routers. To avoid uploading all the data contained in these logs to the KServer database, Log Monitoring uses parser definitions and parser sets to parse each log file and select only the data you're interested in. Parsed messages are displayed in Log Monitoring, which can be accessed using Agent > Agent Logs > Log Monitoring or the Agent Logs tab of the Machine Summary page, or by generating a report using Reports > Logs > Log Monitoring. Users can optionally trigger alerts when a Log Monitoring record is generated, as defined using Assign Parser Sets or Parser Summary.

Log Monitoring Setup

  1. Log Parser - Identify a log file to parse using a log file parser definition. A log file parser definition contains the log file parameters used to store values extracted from the log file. Then assign the log parser to one or more machines.
  2. Assign Parser Sets - Define a parser set to generate Log Monitoring records, based on the specific values stored in the parameters. Activate parsing by assigning a parser set to one or more machine IDs previously assigned that log parser. Optionally define alerts.
  3. Parser Summary - Quickly copy active parser set assignments from a single source machine to other machine IDs. Optionally define alerts.

The Log File Parsing Cycle

The parsing of a log file is triggered whenever the log file is changed. In most cases this involves appending new text to the end of the file. To avoid scanning the entire log file from the beginning each time the file is updated, the agent parses log files as follows:

  • After each update the agent stores a "bookmark" of the last 512 bytes of a log file.
  • When the log file is updated again, the agent compares the bookmark from the old update with the same byte position in the new update.
  • Since log files may be archived before the log parser is run, parsing can include archive files if they exist.
  • You can specify sets of log files and sets of archive files by specifying full pathnames with asterisk (*) and question mark (?) wildcards. If a set of files is specified, the parser begins with the latest file in the set.
  • If the bookmark text is the same in both the old update and the new update, the agent begins parsing text after the bookmark.
  • If the bookmark text is not the same and no Log Archive Path is specified, the agent parses the entire log file from the beginning. If a Log Archive Path is specified, the agent searches for the bookmark in the archive files. If the bookmark cannot be found, the agent bookmarks the end of the log file and starts parsing from there in the next cycle.
  • Once parsing is completed a new bookmark is defined based on the last 512 bytes of the newly updated log file and the process repeats itself.
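
The bookmark cycle above can be modelled in a few lines. This is an added sketch, not the agent's own code: `make_bookmark`, `parse_cycle` and the `archives` parameter are hypothetical names, and the order in which archive remainders are read is an assumption. The last branch shows the case where log lines go unparsed because the bookmark cannot be found.

```python
BOOKMARK_SIZE = 512  # the page's bookmark: the last 512 bytes of the log file

def make_bookmark(log: bytes):
    """Return (offset, text) for the last 512 bytes of the log."""
    tail = log[-BOOKMARK_SIZE:]
    return len(log) - len(tail), tail

def parse_cycle(log: bytes, bookmark, archives=None):
    """One parsing cycle: return (bytes_to_parse, new_bookmark).

    archives: archive file contents, newest first, or None when no
    Log Archive Path is set (hypothetical parameter for this sketch).
    """
    new_bookmark = make_bookmark(log)
    offset, tail = bookmark
    end = offset + len(tail)
    if log[offset:end] == tail:       # same text at the same byte position
        return log[end:], new_bookmark
    if archives is None:              # mismatch, no archive path: whole file
        return log, new_bookmark
    for i, archive in enumerate(archives):
        pos = archive.rfind(tail)
        if pos != -1:
            # Assumption: resume after the bookmark in the archive, then read
            # any newer archives and the current log, oldest to newest.
            newer = b"".join(reversed(archives[:i]))
            return archive[pos + len(tail):] + newer + log, new_bookmark
    # Bookmark not found anywhere: bookmark the end of the log and parse
    # nothing this cycle, so the current contents are never parsed.
    return b"", new_bookmark

if __name__ == "__main__":
    # Constructed sample data, not taken from a real log.
    old = b"x" * 600 + b"sshd: login ok\n"
    mark = make_bookmark(old)
    print(parse_cycle(old + b"sshd: login failed\n", mark)[0])
    rotated = b"sshd: new file after rotation\n"
    print(parse_cycle(rotated, mark, archives=[b"unrelated\n"])[0])
```

If the archive path does not cover every rotated file, the final branch is a monitoring gap: anything written between rotation and the next cycle produces no Log Monitoring record.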

Note: The parsing of a log file is not a script event itself. Only a new configuration, or reconfiguration, using Log Parser, Assign Parser Sets or Parser Summary generates a script you can see in the Script History or Pending Script tabs of the Machine Summary page.

Apply

Click Apply to assign a selected log parser to selected machine IDs.

Clear

Click Clear to remove a selected log parser from selected machine IDs.

Clear All

Click Clear All to remove all log parsers from selected machine IDs.

New...

Select <Select Log Parser> in the Log File Parser drop-down list and click New... to create a new log parser.

Edit...

Select an existing log parser in the Log File Parser drop-down list and click Edit... to edit the log parser.

Add Log Parser / Replace Log Parsers

Select Add Log Parser to add a log parser to existing machine IDs. Select Replace Log Parsers to add a log parser and remove all other log parsers from selected machine IDs.