Assign Parser Sets

The Assign Parser Sets page creates and edits parser sets and assigns parser sets to machine IDs. It can optionally trigger an alert based on a parser set assignment. A machine ID only displays in the paging area if:

  • That machine ID has been previously assigned a log file parser definition using Monitor > Log Parser.
  • That same log file parser definition is selected in the Select Log File Parser drop-down list.

Note: Assigning a parser set to a machine ID on this page activates the log parser. Parsing occurs whenever the log file being parsed is updated.

Note: You can download a Configuring Log Parsers Step-by-Step PDF from the first topic of online user assistance.

Notification

The agent collects log entries and creates an entry in the log monitoring log based on the criteria defined by the parser set, whether or not any of the notification methods are checked. You don't have to be notified each time a new log monitoring entry is created. You can simply review the Log Monitoring log periodically at your convenience.

Parser Definitions and Parser Sets

When configuring Log Monitoring it's helpful to distinguish between two kinds of configuration records: parser definitions and parser sets.

A parser definition is used to:

  • Locate the log file being parsed.
  • Select log data based on the log data's format, as specified by a template.
  • Populate parameters with log data values.
  • Optionally format the log entry in Log Monitoring.

A parser set subsequently filters the selected data. Based on the values of populated parameters and the criteria you define, a parser set can generate log monitoring entries and optionally trigger alerts.

Without the filtering performed by the parser set, the KServer database would quickly expand. For example, a log file parameter called $FileServerCapacity$ might be repeatedly updated with the latest percentage of free space on a file server. Until the free space is less than 20%, you may not need to make a record of it in Log Monitoring, nor trigger an alert based on this threshold.

Each parser set applies only to the parser definition it was created to filter. Multiple parser sets can be created for each parser definition. Each parser set can trigger a separate alert on each machine ID it is assigned to.

Log Monitoring Setup

  1. Log Parser - Identify a log file to parse using a log file parser definition. A log file parser definition contains the log file parameters used to store values extracted from the log file. Then assign the log parser to one or more machines.
  2. Assign Parser Sets - Define a parser set to generate Log Monitoring records, based on the specific values stored in the parameters. Activate parsing by assigning a parser set to one or more machine IDs previously assigned that log parser. Optionally define alerts.
  3. Parser Summary - Quickly copy active parser set assignments from a single source machine to other machine IDs. Optionally define alerts.

To Create a Parser Set Alert

  1. Check any of these checkboxes to perform their corresponding actions when an alarm condition is encountered:
    • Create Alarm
    • Create Ticket
    • Run Script
    • Email Recipients
  2. Set additional email parameters.
  3. Select the parser set to add or replace.
  4. Check the machine IDs to apply the alert to.
  5. Click the Apply button.

To Cancel a Parser Set Alert

  1. Select the machine ID checkbox.
  2. Click the Clear button.

    The alert information listed next to the machine ID is removed.

Passing Alert Information to Emails and Procedures

The following types of monitoring alert emails can be sent and formatted:

  • Log Monitoring parser alerts.
  • Multiple log monitoring parser alerts.
  • Missing log monitoring parser alert.

Note: Changing this email alarm format changes the format for both Assign Parser Sets and Parser Summary emails.

The following variables can be included in your formatted email alerts and in procedures.

| Within an Email | Within a Procedure | Description |
|---|---|---|
| <at> | #at# | alert time |
| <db-view.column> | not available | Include a view.column from the database. For example, to include the computer name of the machine generating the alert in an email, use <db-vMachine.ComputerName> |
| <ec> | #ec# | event count |
| <ed> | #ed# | event description |
| <gr> | #gr# | group ID |
| <id> | #id# | machine ID |
| <lpm> | #lpm# | Log file set criteria |
| <lpn> | #lpn# | Log parser set name |
| <lsn> | #lsn# | Log file set name |

Create Alarm

If checked and an alarm condition is encountered, an alarm is created. Alarms are displayed in Monitor > Dashboard List, Monitor > Alarm Summary and Info Center > Reports > Logs > Alarm Log.

Create Ticket

If checked and an alarm condition is encountered, a ticket is created.

Run Script

If checked and an alarm condition is encountered, an agent procedure is run. You must click the select agent procedure link to choose an agent procedure to run. You can optionally direct the agent procedure to run on a specified range of machine IDs by clicking this machine ID link. These specified machine IDs do not have to match the machine ID that encountered the alarm condition.

Email Recipients

If checked and an alarm condition is encountered, an email is sent to the specified email addresses.

  • The email address of the currently logged on user displays in the Email Recipients field. It defaults from System > Preferences.
  • Click Format Email to display the Format Alert Email popup window. This window enables you to format the display of emails generated by the system when an alarm condition is encountered. This option only displays for master role users.
  • If the Add to current list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses are added without removing previously assigned email addresses.
  • If the Replace list radio option is selected, when Apply is clicked alert settings are applied and the specified email addresses replace the existing email addresses assigned.
  • If Remove is clicked, all email addresses are removed without modifying any alert parameters.
  • Email is sent directly from the KServer to the email address specified in the alert. Set the From Address using System > Outbound Email.

Select Log File Parser

Select a log parser from the Select log file parser drop-down list to display all machine IDs previously assigned this log parser using the Log Parser page.

Define log sets to match

After a log parser is selected, click Edit to define a new parser set or select an existing parser set from the Define log sets to match drop-down list.

Alert when...

Specify the frequency of the parser set condition required to trigger an alert:

  • Alert when this event occurs once
  • Alert when this event occurs <N> times within <N> <periods>
  • Alert when this event doesn't occur within <N> <periods>
  • Ignore additional alarms for <N> <periods>
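As an added illustration (not Kaseya code and not part of the original documentation), the sketch below models how a parser set's filter, the "occurs N times within N periods" option and the "Ignore additional alarms" re-arm period could interact. The log line format, the function names and the choice to reset the counter after an alert are assumptions; $FileServerCapacity$ and the 20% threshold come from the example earlier on this page.

```python
from datetime import datetime, timedelta

# Constructed sample log; the "<date> <time> free=<pct>%" format is an assumption.
SAMPLE_LOG = """\
2024-05-01 10:00:00 free=35%
2024-05-01 10:05:00 free=19%
2024-05-01 10:10:00 free=18%
2024-05-01 10:15:00 free=17%
2024-05-01 10:20:00 free=16%
2024-05-01 10:25:00 free=15%
2024-05-01 10:30:00 free=15%
2024-05-01 11:30:00 free=14%
2024-05-01 11:35:00 free=13%
2024-05-01 11:40:00 free=12%
"""

def parse(text):
    """Parser-definition step: populate a FileServerCapacity value per line."""
    for line in text.splitlines():
        date, time, field = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, int(field.split("=")[1].rstrip("%"))

def evaluate(events, threshold=20, count=3, window=timedelta(minutes=15),
             rearm=timedelta(hours=1)):
    """Parser-set step (hypothetical model): record entries under the threshold,
    alert when `count` of them fall within `window`, then stay quiet for `rearm`."""
    entries, alerts, recent, quiet_until = [], [], [], None
    for ts, capacity in events:
        if capacity >= threshold:
            continue  # filtered out: no log monitoring entry is created
        entries.append((ts, capacity))
        # Keep only matches still inside the sliding window, plus this one.
        recent = [t for t in recent if ts - t <= window] + [ts]
        armed = quiet_until is None or ts >= quiet_until
        if len(recent) >= count and armed:
            alerts.append(ts)
            quiet_until = ts + rearm  # "Ignore additional alarms for ..."
            recent = []               # assumption: counting restarts after an alert
    return entries, alerts

if __name__ == "__main__":
    entries, alerts = evaluate(parse(SAMPLE_LOG))
    print(len(entries), "entries;", "alerts at", [a.strftime("%H:%M") for a in alerts])
```

Entries are recorded for every matching line even while alerts are suppressed, which mirrors the Notification section: the log monitoring log is populated whether or not a notification fires.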

Add / Replace

Click the Add or Replace radio options, then click Apply to assign a selected parser set to selected machine IDs.

Remove

Click Remove to remove all parser sets from selected machine IDs.

Apply

Applies the selected parser set to checked machine IDs.

Clear

Clears the assignment of a selected parser set from selected machine IDs.

Clear All

Clears all parser sets assigned to selected machine IDs.

Select All/Unselect All

Click the Select All link to check all rows on the page. Click the Unselect All link to uncheck all rows on the page.

Check-in status

These icons indicate the agent check-in status of each managed machine. Hovering the cursor over a check-in icon displays the agent quick view window.

  • Online but waiting for first audit to complete
  • Agent online
  • Agent online and user currently logged on
  • Agent online and user currently logged on, but user not active for 10 minutes
  • Agent is currently offline
  • Agent has never checked in
  • Agent is online but remote control has been disabled
  • The agent has been suspended

Machine.Group ID

The list of Machine.Group IDs displayed is based on the Machine ID / Group ID filter and the machine groups the user is authorized to see using System > User Security > Scopes.

Delete

Click the delete icon next to a parser set to delete its assignment to a machine ID.

Log Set Names

Lists the names of parser sets assigned to this machine ID.

ATSE

The ATSE response code assigned to machine IDs:

  • A = Create Alarm
  • T = Create Ticket
  • S = Run Procedure
  • E = Email Recipients

Email Address

A comma-separated list of email addresses where notifications are sent.

Interval

The interval to wait for the alert event to occur or not occur.

Duration

Applies only if Alert when this event occurs <N> times within <N> <periods> is selected. Refers to <N> <periods>.

Re-Arm

Applies only if Ignore additional alarms for <N> <periods> is selected.