Difference between revisions of "UM:Log Monitoring"

UM:Log Monitoring (view source)

Revision as of 11:11, 2 April 2012

390 bytes removed , 11:11, 2 April 2012

→‎Examples of Parser Definition File

Victor

AutoPatrol, Bureaucrats, Administrators

683

edits

@@ Line 501: / Line 501: @@
 == Examples of Parser Definition File ==
-# Generate event with code 100000 if line in the log file /var/log/messages contains word '''error''':
+. Generate event with code 100000 if line in the log file /var/log/messages contains word '''error''':
-<nowiki><parser></nowiki>
+<source lang="xml">
+<parser>
+<file>/var/log/messages</file>
+<rules>
+<rule>
+<match>error</match>
+<event>100000</event>
+</rule>
+</rules>
+</parser>
+</source>
-<nowiki><file>/var/log/messages</file></nowiki>
+. Generate event with code 200000 if line in the log file '''C:\demo.log''' contains word '''process:''' and is immediatelly following line containing text '''process startup failed'''; everything after word '''process:''' will be sent as event's parameter.
-<nowiki><rules></nowiki>
+<source lang="xml>
+<parser>
-<nowiki><rule></nowiki>
+<file>C:\demo.log</file>
+<rules>
-<nowiki><match>error</match></nowiki>
+<rule>
+<match>process startup failed</match>
-<nowiki><event>100000</event></nowiki>
+<context action="set" reset="auto">STARTUP_FAILED</context>
+</rule>
-<nowiki></rule></nowiki>
+<rule context="STARTUP_FAILED">
+<match>process:(.*)</match>
-<nowiki></rules></nowiki>
+<event params="1">200000</event>
+</rule>
-<nowiki></parser></nowiki>
+</rules>
+</parser>
+</source>
-# Generate event with code 200000 if line in the log file [../demo.log C:\demo.log] contains word '''process:''' and is immediatelly following line containing text '''process startup failed'''<nowiki>; everything after word </nowiki>'''process:''' will be sent as event's parameter.
-<nowiki><parser></nowiki>
-<nowiki><file></nowiki>[../demo.log C:\demo.log]<nowiki></file></nowiki>
-<nowiki><rules></nowiki>
-<nowiki><rule></nowiki>
-<nowiki><match>process startup failed</match></nowiki>
-<nowiki><context action="set" reset="auto">STARTUP_FAILED</context></nowiki>
-<nowiki></rule></nowiki>
-<nowiki><rule context="STARTUP_FAILED"></nowiki>
-<nowiki><match>process:(.*)</match></nowiki>
-<nowiki><event params="1">200000</event></nowiki>
-<nowiki></rule></nowiki>
-<nowiki></rules></nowiki>
-<nowiki></parser></nowiki>