Log monitoring

From: Victor Kirhenshtein <victor_at_DOMAIN_REMOVED>
Date: Tue, 13 Sep 2005 18:38:41 +0300

Hi all!

Below is a proposed scheme for log monitoring.

I. Key points

1. Logs should be processed by agents.
2. Agent should check each log record against log processing policy, and
generate appropriate event if match detected.
3. Agent can have more than one log processing policy installed.
4. Log processing policies should be created and distributed from
administrator's console, allowing centralized management of log
processing.

II. Log processing policy

Log processing policy is a set of matching rules with the following
attributes:

Matching criteria:
* Event id range (integer range)
* Event source (regexp)
* Log message (regexp)

Action data:
* NetXMS event id

Event ID range and event source matching are used only for Windows Event
Log. All text log files should be matched only by message text.
Also, log processing policy should have a version attribute, so the agent
after restart could determine if it has the latest policy installed and
request the latest one from the server if needed.

III. Additional questions to discuss

1. Should we implement log processing as a separate subagent or as part
of core agent?
2. How can we guarantee event delivery from agent to server?
3. What to do on agent startup - parse already existing log records or
just wait for new records?

Any comments?

Best regards,
Victor
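A small prototype of the policy evaluation sketched in section II, added here as an illustration and not part of the original message or of NetXMS itself. Rule/Policy/LogRecord names, the "every matching rule fires" behaviour and the sample records are assumptions; a text log record is represented by a record with no event id or source, so such records are matched by message text only, and a rule with no message regexp can never match one.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Rule:
    # Matching criteria (event id range and source apply to Windows Event Log only)
    event_id_range: Optional[Tuple[int, int]] = None
    source_regex: Optional[str] = None
    message_regex: Optional[str] = None
    # Action data: NetXMS event id to generate when the rule matches
    netxms_event_id: int = 0

@dataclass
class Policy:
    version: int                      # lets a restarted agent detect a stale copy
    rules: List[Rule] = field(default_factory=list)

@dataclass
class LogRecord:
    message: str
    event_id: Optional[int] = None    # None for records read from text log files
    source: Optional[str] = None      # None for records read from text log files

def rule_matches(rule: Rule, rec: LogRecord) -> bool:
    if rec.event_id is None:
        # Text log file: only the message text can be matched, so a rule
        # carrying no message regexp has nothing to match against.
        if rule.message_regex is None:
            return False
    else:
        # Windows Event Log record: id range and source are checked too.
        if rule.event_id_range and not (rule.event_id_range[0] <= rec.event_id <= rule.event_id_range[1]):
            return False
        if rule.source_regex and not re.search(rule.source_regex, rec.source or ""):
            return False
    return rule.message_regex is None or re.search(rule.message_regex, rec.message) is not None

def process_record(policies: List[Policy], rec: LogRecord) -> List[int]:
    """NetXMS event ids to generate; every matching rule of every installed policy fires (assumption)."""
    return [r.netxms_event_id for p in policies for r in p.rules if rule_matches(r, rec)]

def policy_needs_refresh(installed: Policy, server_version: int) -> bool:
    """Version check an agent would run after restart before asking the server for a newer policy."""
    return installed.version < server_version

# Constructed sample policies and records (not real NetXMS event ids)
WIN_POLICY = Policy(version=3, rules=[Rule(event_id_range=(1000, 1999), source_regex=r"^Application", netxms_event_id=100001)])
TEXT_POLICY = Policy(version=1, rules=[Rule(message_regex=r"Failed password for", netxms_event_id=100002)])
SAMPLE_WIN = LogRecord("Faulting application foo.exe", event_id=1000, source="Application Error")
SAMPLE_TEXT = LogRecord("sshd[123]: Failed password for invalid user admin from 192.0.2.10")
```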