New Log Event rule not triggering

Article:TECH153760  |  Created: 2011-02-18  |  Updated: 2012-07-21  |  Article URL http://www.symantec.com/docs/TECH153760
Article Type
Technical Solution


Issue



After creating a new Log Event metric / rule and testing it against an existing log file, the rule fails to trigger.


Environment



Monitor Solution for Servers  (all versions)


Cause



A Log Event based rule does not evaluate on previously existing data in a log file. A Log Event rule can only trigger on data which has been appended to the log file after monitoring has begun.


Solution



Ensure that the data meeting the rule's criteria has the exact value used in the metric, and that these values are appended to the log file after monitoring has been enabled against that log file.

If a log file gets overwritten entirely, as opposed to appended to, you may try the following alternative solution:

  1. Create a new Command metric with the following values:
      
    Name:  [desired log file name] search for [desired text]
    Polling interval:  300 seconds
    Data type:  Numeric
    Use:
    Command line:  type [path to desired log file] | find /c "[desired text to search for]"
    Line:
    Parsed lines: 0
    Return value column:  0
      
  2. Create a new rule which references this new Command metric with a condition of "Is equal to or greater than 1". Each line that matches the desired text increments the numeric metric value, so if any lines match, the metric value will be 1 or greater. If no lines match, the metric value will be 0.
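
The difference between the two approaches, as an added example in Python (not from the article and not Symantec's code): a simplified tail-style watcher, assumed to start at the end of the file as the Cause section describes, compared with a whole-file count equivalent to the `type ... | find /c` command. The names `AppendOnlyWatcher`, `count_matches` and `demo`, and the sample log lines, are constructed for illustration.

```python
import os
import tempfile

class AppendOnlyWatcher:
    """Assumed model of a tail-style monitor: remembers the file size when
    monitoring starts and afterwards evaluates only bytes past that offset."""

    def __init__(self, path):
        self.path = path
        self.offset = os.path.getsize(path)  # pre-existing data is skipped

    def poll(self, text):
        """Return lines containing `text` that appeared since the last poll."""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            new = f.read()
            self.offset = f.tell()
        return [l for l in new.decode("utf-8").splitlines() if text in l]

def count_matches(path, text):
    """Whole-file count, like: type <file> | find /c "<text>"."""
    with open(path, "rb") as f:
        return sum(1 for l in f.read().decode("utf-8").splitlines() if text in l)

def demo():
    """Run both approaches over a constructed log and return what each saw."""
    seen = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")  # constructed sample log
        with open(log, "w") as f:
            f.write("2011-02-18 10:00 ERROR disk full\n")
        watcher = AppendOnlyWatcher(log)          # monitoring begins here
        seen["existing"] = len(watcher.poll("ERROR"))
        with open(log, "a") as f:                 # appended after monitoring began
            f.write("2011-02-18 10:05 ERROR disk full\n")
        seen["appended"] = len(watcher.poll("ERROR"))
        with open(log, "w") as f:                 # file overwritten, now shorter
            f.write("2011-02-18 10:10 ERROR\n")
        seen["overwritten_tail"] = len(watcher.poll("ERROR"))
        seen["overwritten_count"] = count_matches(log, "ERROR")
        # The count is a state, not an event: it stays >= 1 on every poll
        # until the matching lines leave the file.
        seen["count_next_poll"] = count_matches(log, "ERROR")
    return seen

if __name__ == "__main__":
    print(demo())
```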


