Create Unix log file unit monitor in SCOM 2007

We had number of questions for creating a log file monitor based on good and bad expression. What I meant by this is, I want to generate an alert if the entry ERROR is seen in the log and reset to healthy when SUCCESS is seen in the log. so we don't have to manually close it. 

We already have a template to create a log file rule which you should be able to see under rule section, but here we are just trying to create a Unit Monitor. So lets start in a simple way.

Step 1: Install an authoring console from tool kit  Here


Step 2: Create a new MP and add below references to it.

  • Microsoft.Unix.Library
  • Microsoft.Unix.LogFile.Library

Rest libraries are already added. So no worries.

Step 3: Go to health model Pane and check Monitors.

Create a new monitor (Custom Unit Monitor)

Step 4: Go to Type LIbrary Pane and right on the blank space to create New composite monitor Type, 

             Name: <Name that you want>, Fill the General Tab

           States: State 1-->healthy and State2-->Critical

            Member Modules: Click on Add, and uncheck Condition detection and Probe action, and select "Log File Datasource" from the list, (2 times as shown below)

    Here GoodExpression and BadExpression are the module ID


        Regular: Check good Expression box and select Monitor state output from drop down from 2nd box. Double click on "Complete" which is set to "NO' it will turn to "Yes" as below

         On Demand: leave it as it is

        Configuration Schema: Its difficult to describe, but below should tell you what to do 🙂

             Overridable Parameters: Create 3 Parameters. 

Step 5:  Name: <name that you want>

             Target: Unix computer

             Parent Monitor: Entity Health <Your wish to select which ever you want>

Step 6: Hit configuration tab and click on Browse where your Monitor type should be “Linux Log File Monitor Type”

            Host :  $Target/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$

            LogFile:  <Your log File location and name>

           GoodRegex:  <Value that makes monitor healthy>

           BadRegex:  <Value that makes your monitor critical or unhealthy>

Step 7: Define your healthy and critical criteria.

Step 8: Define alerting

And you are done.!!

Save this MP and import to your OpsMgr console. Expressions, Log file & location and targets are overridable parameter here.           

Note: This is again a probe based module so defined expression is queried every 5 min. Either that’s a healthy or unhealthy expression. So we have to be patient. So for any state change based on what log has got, it needs to wait for 5 min.


Comments (12)
  1. OK, I have attached the MP with this post. hope that helps

  2. Anonymous says:

    I believe step 4 should be done before step 3

  3. Marc, Sorry for the late reply. I have modified with the screenshots. Hope this helps

  4. I have not tried it yet. Will try and post the result.

  5. Anonymous says:

    Thank you so much for this example! One semi-related question: I noticed there is a Microsoft.Unix.WSMan.LogFile.TimedEnumerator data source. Would that be used to make a timer reset monitor for a Unix log file? I couldn’t find any documentation on it.

  6. SCOM looks for the initial lines of the logs and creating a new log will be handled automatically based on the wild card that will start fro line 0.

  7. Marc Nalder says:

    Thanks for your blog. I cannot find the Linux Log File Monitor Type as described. I have added in the two references you mentioned but there is no monitor called Linux Log File Monitor Type.

    Please could you help?



  8. Nikhil Chordia says:

    I was working on a similar requirement recently and came up with an extensive step by step documentation for custom management pack to monitor unix text log files using a centally located config file. You can find more details on

    Let me know if anyone has any questions and I would be glad to help out.



  9. Gowdhaman says:

    How is log rotation handled by SCOM Native Unix  Log file monitoring Data Source?

  10. Dave Kelch says:

    Chandan.  These instructions look great, but I feel like I am missing something basic.

    1) When creating the Unit Monitor under health model, what parameters shoudl we use to configure it?

    2) When I try to do the Composite monitor under Library, I can't ever find the Log File DataSource.  I see some sources under Unix.Library, and under Windows, but I see nothing referencing Unix.LogFile.Library.  Also, it won't allow me to actually select anything.

    Any suggestions?


  11. Dror says:

    Hi Bharti
    very good post
    I need to look for specific text in a file, but unlike the above, I have no bad Expression
    if the text was found, it will be in health state, if not in bad state. any suggestion how to do it?

  12. Doreen says:

    Hi Chandan,

    thanks for this article and the MP. I downloaded and imported it to my environment but I did not see this monitor. I have scom 2012sp1 – does it run with it?

Comments are closed.

Skip to main content