We have had a number of questions about creating a log file monitor based on good and bad expressions. What I mean by this is: I want to generate an alert if the entry ERROR is seen in the log, and reset to healthy when SUCCESS is seen in the log, so we don't have to close it manually.
We already have a template to create a log file rule, which you should be able to see under the rule section, but here we are creating a Unit Monitor. So let's start in a simple way.
Step 1: Install the Authoring Console from the tool kit Here
Step 2: Create a new MP and add below references to it.
The rest of the libraries are already added, so no worries.
Step 3: Go to the Health Model pane and check Monitors.
Create a new monitor (Custom Unit Monitor)
Step 4: Go to the Type Library pane and right-click on the blank space to create a new composite monitor type.
Name: <Name that you want>, Fill the General Tab
States: State1 –> Healthy and State2 –> Critical
Member Modules: Click on Add, uncheck Condition Detection and Probe Action, and select "Log File Datasource" from the list (2 times, as shown below).
Here GoodExpression and BadExpression are the module IDs.
Regular: Check the GoodExpression box and select the Monitor state output from the drop-down in the 2nd box. Double-click on "Complete", which is set to "No"; it will turn to "Yes" as below.
On Demand: leave it as it is
Configuration Schema: It's difficult to describe, but below should tell you what to do 🙂
Overridable Parameters: Create 3 Parameters.
Step 5: Name: <name that you want>
Target: Unix computer
Parent Monitor: Entity Health <select whichever you want>
Step 6: Hit the Configuration tab and click on Browse, where your monitor type should be “Linux Log File Monitor Type”
Host : $Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$
LogFile: <Your log File location and name>
GoodRegex: <Value that makes monitor healthy>
BadRegex: <Value that makes your monitor critical or unhealthy>
Step 7: Define your healthy and critical criteria.
Step 8: Define alerting
And you are done!!
Save this MP and import it into your OpsMgr console. The expressions, the log file and its location, and the targets are overridable parameters here.
Note: This is again a probe-based module, so the defined expression is queried every 5 min, whether that's a healthy or an unhealthy expression. So we have to be patient: any state change based on what the log has got needs to wait for 5 min.
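To sanity-check GoodRegex and BadRegex values before putting them into the monitor, the two-state behaviour and the polling delay described above can be modelled offline. This is an added example, not part of the original post or of OpsMgr. The class and function names, the sample log lines and the rule that new lines are applied in file order are assumptions, and Python's regex syntax may differ from the one the agent uses.

```python
import re
from dataclasses import dataclass, field

HEALTHY, CRITICAL = "Healthy", "Critical"

# Constructed sample: lines appended to the log between successive polls.
SAMPLE_BATCHES = [
    ["10:00:01 backup started", "10:00:09 SUCCESS backup finished"],
    ["10:05:12 ERROR disk full", "10:06:00 retrying"],
    [],
    ["10:15:30 ERROR disk full", "10:16:02 SUCCESS backup finished"],
    ["10:21:00 ERRORS=0 summary"],
]

@dataclass
class LogFileMonitor:  # hypothetical model, not an OpsMgr type
    good_regex: str
    bad_regex: str
    state: str = HEALTHY
    offset: int = 0  # lines already evaluated by earlier polls
    transitions: list = field(default_factory=list)

    def poll(self, log, poll_no):
        """Evaluate only the lines added since the last poll."""
        new_lines, self.offset = log[self.offset:], len(log)
        for line in new_lines:
            if re.search(self.bad_regex, line):
                target = CRITICAL
            elif re.search(self.good_regex, line):
                target = HEALTHY
            else:
                continue
            if target != self.state:
                self.transitions.append((poll_no, self.state, target, line))
                self.state = target
        return self.state

def simulate(good_regex, bad_regex, batches=SAMPLE_BATCHES):
    """Return (state after each poll, list of state changes)."""
    mon, log, states = LogFileMonitor(good_regex, bad_regex), [], []
    for poll_no, batch in enumerate(batches, 1):
        log.extend(batch)
        states.append(mon.poll(log, poll_no))
    return states, mon.transitions

if __name__ == "__main__":
    for bad in ("ERROR", " ERROR "):
        states, changes = simulate("SUCCESS", bad)
        print(repr(bad), states, [c[0] for c in changes])
```

With the bare pattern ERROR, the summary line containing ERRORS=0 flips the monitor back to Critical on the last poll; the space-delimited pattern does not match it.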