New Log Event rule not triggering
Article: TECH153760 | Created: 2011-02-18 | Updated: 2012-07-21 | Article URL: http://www.symantec.com/docs/TECH153760
After creating a new Log Event metric / rule and testing it against an existing log file, the rule fails to trigger.
Monitor Solution for Servers (all versions)
A Log Event based rule does not evaluate on previously existing data in a log file. A Log Event rule can only trigger on data which has been appended to the log file after monitoring has begun.
Ensure that the data meeting the rule's criteria exactly matches the value used in the metric, and that it is appended to the log file after monitoring has been enabled against that log file.
If a log file gets overwritten entirely, as opposed to appended to, you may try the following alternative solution:
- Create a new Command metric with the following values:
    Name: [desired log file name] search for [desired text]
    Polling interval: 300 seconds
    Data type: Numeric
    Command line: type [path to desired log file] | find /c "[desired text to search for]"
    Parsed lines: 0
    Return value column: 0
- Create a new rule which references this new Command metric with a condition of "Is equal to or greater than 1". Each line which matches the desired text increments the numeric metric value, so if any lines match, the metric value will be 1 or greater. If no lines match, the metric value will be 0.
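The difference between the two approaches, as an added Python model that is not Symantec's code: `AppendOnlyWatcher` assumes the agent remembers the file size when monitoring starts and evaluates only bytes added after that point, while `count_matches` mirrors `type ... | find /c`. The class, function names, and log lines are constructed for illustration.

```python
import os
import tempfile

class AppendOnlyWatcher:
    """Model (assumed behaviour) of a Log Event rule: only data appended
    after monitoring starts is evaluated."""
    def __init__(self, path, text):
        self.path, self.text = path, text.encode()
        self.offset = os.path.getsize(path)  # pre-existing data is skipped

    def poll(self):
        size = os.path.getsize(self.path)
        if size < self.offset:
            # File was overwritten with shorter content; nothing was appended.
            self.offset = size
            return 0
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            new = f.read()
        self.offset = size
        return sum(self.text in line for line in new.splitlines())

def count_matches(path, text):
    """Equivalent of: type <path> | find /c "<text>" (whole file, every poll)."""
    with open(path, "rb") as f:
        return sum(text.encode() in line for line in f.read().splitlines())

def write(path, data, mode):
    with open(path, mode + "b") as f:
        f.write(data.encode())

def demo():
    # Constructed sample log lines, not real product output.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        write(path, "ERROR disk full\n", "w")            # exists before monitoring
        watcher = AppendOnlyWatcher(path, "ERROR")
        result = {"existing": watcher.poll()}             # 0: old data ignored
        write(path, "INFO ok\nERROR disk full\n", "a")   # appended while monitored
        result["appended"] = watcher.poll()               # 1: rule triggers
        write(path, "ERROR x\n", "w")                    # file overwritten entirely
        result["overwritten"] = watcher.poll()            # 0: append rule misses it
        result["command_metric"] = count_matches(path, "ERROR")  # 1: >= 1 triggers
        return result

if __name__ == "__main__":
    print(demo())
```

Because the Command metric recounts the whole file at every polling interval, its value stays at 1 or greater for as long as a matching line remains in the file.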