Defining a Log Monitor
XpoLog log monitor runs automatically by the system at scheduled intervals on a selected log and filter rule(s).Â
The following is a step by step flow to add a monitor with alerts on a log:
1. From The Monitors console (Manager > Log Actions > Monitors) - select Add Log Monitor.
2. Name the Monitor, and select the log that you wish to monitor from the existing logs in XpoLog, or define a new log.
3. Rules - select the rule(s) you wish to monitor from the existing rules on the selected log or define new rules (rules can be also regular expressions).
4. Alerts - Add new Alert. If this is the first time XpoLog is configured to send alerts then you will be asked to enter details that XpoLog can use to send the requested alert. Create the alert and save it.
5. Schedule - configure the frequency that you wish for this monitor - based on the configured frequency the monitor will scan the log.
6. Save it. It will run automatically based on the frequency you configured and it is also possible to execute a monitor manually if needed by selecting the monitor and click the execute button.
Note:Â
- On each execution, the monitor scans only new records and not the entire log.
- It is also possible to configure the alerts to include the entire result or selected information from the matched log events:
- Under the Advanced Section of the email alert you can attach data:
Append event to end of email body - matched log events will be included in the email body.
Attach matched events as a compressed Tab Delimited / CSV / XML file. - It is possible to add selected log fields to monitor alerts by placing the following place holders:
[COLUMN_NAME] = the name of the column which its content will be included
[MONITOR_ID] =Â the unique id of the monitor
[MONITOR_NAME]Â =Â the name of the monitor
[MONITOR_STATUS]Â = the monitor status : 1 = failure , 0 = success
[LOG_NAME]Â = the log name that the included event is originated from
[LOG_ID] =Â the log name that the included event is originated from
[MERGE_SOURCE_NAME] = the log name which triggers the alert will be included (relevant for merged logs)
- Under the Advanced Section of the email alert you can attach data:
Â
Advanced section:
Â
- Scan log from last scan point - determines whether the monitor will scan only new records in the log on each execution or the entire log either way. By default this option is selected.
- Failure - determines the fail criteria of a monitor. By default if a single record was found matched to the configured rule, it will be considered as a failure and the alerts will be triggered.Â
- Once failed, execute failure actions only after - after a failure, alerts will be sent again only after a specified number of additional failure without a success between.
- Once failed, execute failure actions for - by default the monitor executes the alerts on the latest record that was matched per each execution. This is the recommended option - the last event only. None of the events - no alerts will be sent, the first event only - a single alert on the first record that was matched per each execution, each event - the alerts will be triggered on each log record that was matched per each execution (not recommended since the number of records that may be found matched is not limited and the alert will be sent per each one).
In case each event is selected, it is recommended to limit the total number of alerts that may be sent per each execution (Maximum number of alerts to send). - Positive Alerts - execute a positive alert as an indication that a specified time has passed since last failure.