I am trying to parse the Windows Application event log to look for SQL Agent job failures.
I want the full Windows event log text sent by email, since there can be a lot of job failures.
The agent parser file configuration looks like this:
<parser>
    <file>*Application</file>
    <rules>
        <rule>
            <severity>6</severity>
            <match>(SQL Server Scheduled Job)*(Message: The job failed)*</match>
            <event params="1">100025</event>
        </rule>
    </rules>
</parser>
If I leave it configured like this, it only sends some generic information.
If I replace it with <match>(.*)</match>, it sends the full event text.
In both situations it sends the message twice.
What am I doing wrong?
Hi!
It probably should be something like this:
<match>(SQL Server Scheduled Job.*Message: The job failed.*)</match>
if you want to capture full text but match only messages with certain words in it.
Best regards,
Victor
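The difference between the two match patterns above, as an added example that is not part of the original posts. It assumes the agent searches each record unanchored and passes capture group 1 as the first event parameter; Python's re module stands in for the agent's regex engine, the sample records are constructed, and first_param is a hypothetical helper name.

```python
import re

# Patterns copied from the thread.
ORIGINAL = r"(SQL Server Scheduled Job)*(Message: The job failed)*"
CORRECTED = r"(SQL Server Scheduled Job.*Message: The job failed.*)"

# Constructed single-line sample records (not real event log output).
FAILED = ("SQL Server Scheduled Job 'NightlyBackup' (0x0123) - Status: Failed - "
          "Message: The job failed. The Job was invoked by Schedule 5.")
SUCCEEDED = ("SQL Server Scheduled Job 'NightlyBackup' (0x0123) - Status: Succeeded - "
             "Message: The job succeeded.")
UNRELATED = "The Windows Installer service entered the running state."


def first_param(pattern, record):
    """Return (matched, group 1) for an unanchored search.

    Assumption: this mirrors how a rule with params="1" would fill its
    first event parameter from the first capture group.
    """
    m = re.search(pattern, record)
    if m is None:
        return (False, None)
    return (True, m.group(1))


def report():
    """Run both patterns over all sample records and collect the results."""
    rows = []
    samples = (("failed", FAILED), ("succeeded", SUCCEEDED), ("unrelated", UNRELATED))
    for name, pattern in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for label, record in samples:
            rows.append((name, label) + first_param(pattern, record))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Because both groups in the original pattern are followed by *, the pattern can match zero characters, so every record matches and group 1 holds at most the fixed prefix. The corrected pattern matches only failed-job records and captures the whole text in group 1.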
Thanks, it worked!
Now I have another issue with establishing a counter for the matched records and displaying it in a dashboard.
I think the parameter I need is LogWatch.Parser.MatchedRecords(*).
Simply placing this parameter in Data Collection Configuration does not work.
What do I need to replace * with in order for it to run correctly?
Hi!
You should replace * with the parser's name. By default the parser name is the file name (given in <file>), but you can override it with the name attribute, like this:
<parser name="AppLog">
    <file>*Application</file>
    <rules>
        <rule>
            <severity>6</severity>
            <match>(SQL Server Scheduled Job)*(Message: The job failed)*</match>
            <event params="1">100025</event>
        </rule>
    </rules>
</parser>
and then use LogWatch.Parser.MatchedRecords(AppLog)
Best regards,
Victor
Once again thanks a lot.
It's working like a charm.