Useful information regarding LogWatch

Started by nikos, May 20, 2009, 11:58:12 PM


nikos

Below is some useful information:

Quote from: Victor Kirhenshtein on May 20, 2009, 11:07:12 PM
You don't need a DCI for log monitoring - all LogWatch.Parser.* parameters are for collecting parser statistics (and are not working as expected in the current release). When the log parser finds a record that matches a certain rule, it just sends the event specified in the <event> tag of the rule to the server. The overall steps for configuring log monitoring are as follows:

1. Create events (in the console via Control Panel -> Events);
2. In the parser's XML config, use the event codes of your created events in <event> tags. The parser will send them when a matching record appears in the log.
3. Configure rules for processing these events in the event processing policy - you can create alarms, send e-mails, and so on, as for any other event.

Best regards,
Victor

P.S. Can we move our conversation to public forum? It may be useful for others too.


jdl

Hi all,

It would be nice if someone could explain how LogWatch actually works.
Is it polling the log file regularly (i.e. every X sec.), or does it somehow detect that the log file has been modified and immediately react by parsing what has been added?

In fact: how often is the log file scrutinized? What is the trigger for the parser to treat what has been added to the log file?

This is interesting information for understanding how the implemented monitoring will work.

Best regards,
JDamien

Victor Kirhenshtein

Hello!

It depends on the log file and platform.

On UNIX, the size of the monitored file is checked once per second. If the size has changed, the log parser reads and processes the new data. If the new size is less than the previous one, the parser assumes that the file was cleared, and reads it from the beginning.

On Windows, processing is different for text files and the Windows event log. For text files, the parser subscribes to file system change notifications (using the FindFirstChangeNotification/FindNextChangeNotification API), and when a change is detected, processes the file in the same manner as on UNIX. For Windows event logs, the parser opens them via the Windows event log API and waits for changes. When new records are added to the log, the parser gets notified and processes the new records. And starting from the 0.2.27 release, the parser uses a different API for Windows Vista and Windows 2008 - this should solve various event log parsing problems on these systems.

Best regards,
Victor
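To make the two explanations above concrete (rules that map matching records to event codes, and the UNIX size-polling behaviour with its "file shrank, read from the beginning" reset), here is a small added example that is not NetXMS code and not part of this thread. It re-implements the described polling logic in plain Python: the rule table, the event codes, the log lines and the `SizePolledLogReader` class name are all constructed for illustration, and the event codes are placeholders rather than real NetXMS event ids.

```python
import os
import re
import tempfile

# Constructed rule table: compiled regex -> event code to "send".
# The codes are placeholders standing in for the <event> values you would
# put in a real parser config; they are not NetXMS event ids.
RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password"), 100001),
    (re.compile(r"kernel: Out of memory"), 100002),
]


class SizePolledLogReader:
    """Models the UNIX behaviour described in the thread: each poll compares
    the file size with the last seen size; if it grew, only the new bytes are
    read; if it shrank, the file is assumed cleared and read from offset 0."""

    def __init__(self, path, rules):
        self.path = path
        self.rules = rules
        self.offset = 0        # bytes already processed
        self.partial = b""     # incomplete trailing line kept between polls

    def poll(self):
        """One polling tick (the agent does this once per second).
        Returns a list of (event_code, line) for every new matching line."""
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return []
        if size == self.offset:
            return []                      # nothing new
        if size < self.offset:
            # File was truncated/cleared: restart from the beginning.
            self.offset = 0
            self.partial = b""
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read(size - self.offset)
        self.offset += len(chunk)
        lines = (self.partial + chunk).split(b"\n")
        self.partial = lines.pop()         # last element is an unfinished line (or b"")
        events = []
        for raw in lines:
            line = raw.decode("utf-8", errors="replace")
            for pattern, code in self.rules:
                if pattern.search(line):
                    events.append((code, line))   # real agent would send event to server here
                    break                          # first matching rule wins
        return events


def run_demo():
    """Constructed scenario: append, idle poll, truncate, then a split write."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        reader = SizePolledLogReader(path, RULES)

        with open(path, "ab") as fh:   # constructed log lines
            fh.write(b"May 20 23:07:12 host sshd[123]: Failed password for root from 192.0.2.10 port 2222 ssh2\n")
            fh.write(b"May 20 23:07:13 host sshd[123]: Accepted password for alice\n")
        first = reader.poll()          # one match: Failed password -> 100001
        second = reader.poll()         # size unchanged -> nothing

        with open(path, "wb") as fh:   # simulate the log being cleared and rewritten
            fh.write(b"May 20 23:08:00 host kernel: Out of memory: Kill process 999\n")
        third = reader.poll()          # size shrank -> reread from start -> 100002

        with open(path, "ab") as fh:   # writer has not finished the line yet
            fh.write(b"May 20 23:09:00 host sshd[124]: Failed pass")
        fourth = reader.poll()         # incomplete line is buffered, no event
        with open(path, "ab") as fh:
            fh.write(b"word for root from 192.0.2.11 port 2223 ssh2\n")
        fifth = reader.poll()          # line completed -> 100001
        return first, second, third, fourth, fifth


if __name__ == "__main__":
    for step, events in zip(("first", "second", "third", "fourth", "fifth"), run_demo()):
        print(step, [code for code, _ in events])
```

Two caveats follow directly from the size-only check and are worth keeping in mind when relying on this kind of monitoring: a file that is cleared and then grows past its previous size between two polls will not be recognised as cleared, so the records written before the truncation are lost and the reader resumes mid-file, and anything written and removed within the one-second window is never seen at all. Keeping the rules "first match wins" mirrors what a practitioner usually wants so that a noisy catch-all rule cannot fire alongside a specific one.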