Jul 20, 2010

How to monitor new line entries in a log/text file

You may want to monitor a log/text file and have an alert generated for any new entry, no matter what the entry is. Usually we want an alert only when a specific word or expression is logged, but in this post I will shed light on monitoring a log file and generating an alert whenever any new entry is logged in it.


  • Open OpsMgr Console and go to Authoring—> Management Pack Objects—> Rules
  • Click on the “Scope” button in the toolbar to narrow down the selection.
  • I assume the file is located on a Windows computer, so we will search for “Windows Computer”
  • Select Windows Computer and then click OK
  • Right click on rules and select “Create a new rule”
  • Expand Alert Generating Rules—>Event Based—>Generic Text Log(Alert)
  • In this window, click New to create a new management pack in which to save the new rule. In my case I have created a management pack called “TestRuleMP”
  • In the next screen, give a meaningful name to this rule.
  • The Rule Target should be Windows Computer
  • Make sure to uncheck the option “Rule is enabled” before you proceed
  • In the next screen, provide the log file name pattern. If the file name is fixed and does not change each time the file is created, you may give the exact name of the log, such as LogName.txt. If the name changes each time the file is created (LogFileName01, LogFileName02, etc.), use a wildcard pattern such as LogFileName*.txt. Then click Next
  • Now it is time to set the event expression that generates the alert.
  • Click Insert so a new line will be added.
  • In the parameter name write: Params/Param[1]
  • In the operator select “Match wildcard”
  • In the value put “?” – without quotes
  • Proceed to configure the alert description as follows:
A new Entry was detect in the c:\log\bader.log
Logfile Directory : $Data/EventData/DataItem/LogFileDirectory$
Logfile name: $Data/EventData/DataItem/LogFileName$
String:  $Data/EventData/DataItem/Params/Param[1]$

  • Once you are done with editing the alert, click create.
  • We have not enabled the rule yet, so we need to override the rule and enable it only for the specific computer on which the log is located.

  • To reproduce the alert, I opened the log file, typed a new line in it and saved the changes.
  • Now the alert is generated

Notice that the alert description includes the new entry that was logged in the log file.
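The manual test above can be scripted. This is an added example, not part of the original post: it appends a uniquely tagged line to the log and waits for an alert whose description contains it. It assumes the OperationsManager PowerShell module (SCOM 2012 or later) with Get-SCOMAlert, a session already connected to the management group, and that the log path is reachable from where the script runs; $AlertName is a placeholder for the alert name you chose in the wizard.

```powershell
# Added example: end-to-end check of the "any new log entry" alert rule.
# Assumptions: OperationsManager module (SCOM 2012+) is installed, the session
# can reach the management group, and $LogPath is writable from this machine.
param(
    [string]$LogPath    = 'c:\log\bader.log',     # log file used in this post
    [string]$AlertName  = '<your alert name>',    # placeholder, not from the post
    [int]   $TimeoutSec = 300                     # how long to wait for the alert
)

Import-Module OperationsManager

# Unique marker so the alert can be tied to this test run and not to older entries.
$marker = 'SCOM-rule-test {0}' -f ([guid]::NewGuid())
Add-Content -Path $LogPath -Value $marker         # appends the line plus a newline

# Poll until an alert from the rule carries the marker in its description.
# The description includes Param[1] because of the alert text configured above.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
$alert    = $null
while (-not $alert -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    $alert = Get-SCOMAlert -Name $AlertName |
        Where-Object { $_.Description -like "*$marker*" } |
        Select-Object -First 1
}

if ($alert) {
    'Alert raised at {0} for marker {1}' -f $alert.TimeRaised, $marker
} else {
    Write-Warning "No alert within $TimeoutSec s. Check that the override enabled the rule for this computer."
}
```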
