SCOM: How to monitor new line entries in a log or text file using OpsMgr 2007

This was originally posted on the SCCM and OpsMgr Arabic blog.  If you ever have the need to monitor a text or log file for new entries then this should do the trick.


You may want an alert for every new entry in a log or text file, no matter what the entry is. Usually we want an alert only when a particular word or expression is logged, but in this post I will shed light on monitoring a log file and generating an alert whenever any new entry is written to the log/text file.

  • Open OpsMgr Console and go to Authoring—> Management Pack Objects—> Rules
  • Click the “Scope” button in the toolbar to narrow down the selection.
  • I assume the file is located on a Windows computer, so we will search for “Windows Computer”
  • Select Windows Computer and then click Ok


  • Right-click Rules and select “Create a new rule”
  • Expand Alert Generating Rules—>Event Based—>Generic Text Log(Alert)


  • Click New to create a new management pack in which to save this rule. In my case I have created a management pack called “TestRuleMP”
  • In the next screen, give the rule a meaningful name.
  • The Rule Target should be Windows Computer
  • Make sure to uncheck the option “Rule is enabled” before you proceed


  • In the next screen, provide the file name pattern. If the file name is fixed and does not change each time the file is created, you may give the exact name of the log, such as LogName.txt. If the log file name changes every time the file is created (LogFileName01, LogFileName02, etc.), enter the log file name as LogFileName*.txt. Then click Next


  • Now it is time to set the event expression that generates the alert.
  • Click Insert so a new line will be added.
  • In the parameter name write: Params/Param[1]
  • In the operator select “Match wildcard”
  • In the value put “?” – without quotes


  • Proceed to configure the alert as follows:

A new Entry was detect in the c:\log\bader.log

Logfile Directory : $Data/EventData/DataItem/LogFileDirectory$
Logfile name: $Data/EventData/DataItem/LogFileName$
String:  $Data/EventData/DataItem/Params/Param[1]$


  • Once you are done editing the alert, click Create.
  • We have not enabled the rule yet, so we need to override the rule and enable it only for the specific computer on which the log is located.


  • To reproduce the alert, I opened the log file, typed a new line in it and saved the changes.


  • Now the alert is generated


Notice that the alert description includes the new entry that was logged in the log file.
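
The following Python model of the rule is an added example, not code from the original post and not OpsMgr's implementation. It applies the file name pattern, picks up only lines appended since the last scan, tests each line against the “?” wildcard and fills the alert description placeholders. The function names, the byte-offset tracking, the restart when a file shrinks and the unanchored wildcard match are assumptions of this model; the sample files are constructed.

```python
import fnmatch
import os
import pathlib
import re
import tempfile

# Alert description from the post; each $...$ placeholder is filled per new line.
TEMPLATE = ("Logfile Directory : $Data/EventData/DataItem/LogFileDirectory$\n"
            "Logfile name: $Data/EventData/DataItem/LogFileName$\n"
            "String:  $Data/EventData/DataItem/Params/Param[1]$")

def wildcard_hit(pattern, text):
    """Assumption: the wildcard is searched unanchored, so '?' hits any non-empty line."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.search(rx, text) is not None

def render(directory, name, line):
    values = {"LogFileDirectory": directory, "LogFileName": name, "Params/Param[1]": line}
    return re.sub(r"\$Data/EventData/DataItem/([^$]+)\$", lambda m: values[m.group(1)], TEMPLATE)

def scan(directory, file_pattern, value_pattern, offsets):
    """Return one alert text per new matching line; offsets maps file name -> bytes consumed."""
    alerts = []
    for name in sorted(fnmatch.filter(os.listdir(directory), file_pattern)):
        path = os.path.join(directory, name)
        start = offsets.get(name, 0)
        if os.path.getsize(path) < start:  # file shrank (recreated): start over
            start = 0
        with open(path, "rb") as fh:
            fh.seek(start)
            data = fh.read()
        consumed = data.rfind(b"\n") + 1  # a partial last line waits for the next scan
        offsets[name] = start + consumed
        for raw in data[:consumed].splitlines():
            line = raw.decode("utf-8", errors="replace")
            if wildcard_hit(value_pattern, line):
                alerts.append(render(directory, name, line))
    return alerts

def demo():
    """Constructed sample files; returns the alerts from two consecutive scans."""
    with tempfile.TemporaryDirectory() as d:
        offsets, log = {}, pathlib.Path(d, "LogFileName01.txt")
        log.write_bytes(b"service started\n")
        first = scan(d, "LogFileName*.txt", "?", offsets)
        log.write_bytes(b"service started\n\r\ndisk check failed\r\n")
        pathlib.Path(d, "other.txt").write_bytes(b"ignored\n")
        return first, scan(d, "LogFileName*.txt", "?", offsets)
```

In this model a blank line produces no alert because “?” needs at least one character, and a file that does not match the name pattern is never read.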

Comments (4)
  1. John_Curtiss says:

    I'm not getting the description… I'm getting 3 "alert parameter replacement failure" alerts, and my actual alert from the event log has

    Logfile Directory :

    Logfile name:


  2. RAV2 says:

    How to get more lines than one? Let say 10 at least. Thanks in advance.

  3. Eng.Akram says:

    Does your alert still work if you roll the log file daily/hourly etc. (recreate a new log file every night etc.) and add a new line? From what I know about the SCOM logfile monitor, it keeps track of every line and where it was when the alert was generated (e.g. alerted on line # 100), and when the log file rolls over, the SCOM logfile monitor doesn't know that it needs to start from line # one in the new logfile (as it will be looking for line # 101). Let me know if you got this to work and how you did it.



  4. Vijayh says:


    I configured the steps as above but I received an error in the server’s event log with event id:31705, “error Opening the log file directory”

    Error opening log file directory

    Directory =

    “D:Program Files (x86)Quest SoftwareQCVDSR6.0.3confslogs”

    Error: 0x8007007b

    Details: The filename, directory name, or volume label syntax is incorrect.

    Log file name is “operation_dumper.log.yyyymmdd”……. Every day a new file will be created with the date, month and year.

    I configured the pattern as operation_dumper.log.????????
