PrimeAlert for Apache Web Server Logo

PrimeAlert® for Apache Web Server

Version 1.0.0

Contents
  1. Overview
  2. Loading PrimeAlert for Apache Web Server
  3. PrimeAlert for Apache Web Server Console
  4. Identification Section
  5. Configuration Section
  6. Server Processes Section
  7. Core File Section
  8. Server Performance Section
  9. Log Files Section
    • Log Files Monitoring Details
  

Log Files Monitoring Details

Each monitored log file is monitored for messages indicative of an error or other important event generated and logged by a server. The log files being monitored are preloaded with some common error messages which are desirable to catch.

However, for serious log file monitoring, it is recommended that the user add his own log file patterns that the user would like to be caught. This process is described in detail below.

Figure 19 - Log Files Monitoring Details

File Identification

This table displays basic information about the log file. The properties in this table are described below:

  • File Name - displays the full pathname of the log file being scanned for errors (e.g. /var/adm/messages)
  • File Scanning Mode - displays the mode used to scan the file (tail mode by default)
  • File Naming Mode - displays the mode used to specify the name of the file to be monitored. PrimeAlert for Apache Web Server always uses the Static mode.

File Statistics

This table displays statistical information related to file modification. The properties in this table are described below:

  • File Size (Bytes) - displays the size of the file in Bytes
  • File Size (Lines) - displays the number of lines in the file
  • Growth Rate (Lines/Min) - displays the number of lines added to the file per minute
  • Modification Time - displays the date and time the file was last modified
  • Idle Time - displays the time (in minutes) passed since last modification.

Patterns

This table displays the default patterns used to scan the log file for errors. Patterns may be edited, added, deleted and disabled by accessing the pop-up menu. The columns of this table are described below:

  • Description - displays the short description of the pattern
  • Pattern - displays the actual regular expression being used to scan the file
  • Matches - displays the number of pattern matches found in the file
  • Matches (Last Hour) - displays the number of pattern matches found during the last hour

Enabling and Disabling Patterns

Patterns listed in the Patterns Table may be enabled and disabled. Enabled patterns are used when scanning the file for matches. Disabled patterns are not used.

To disable a pattern:

  1. Right click on the row listing the pattern.
  2. Select "Disable Row".

To enable a pattern:

  1. Right click on the row listing the process.
  2. Select "Enable Row".

Adding, Editing and Deleting Patterns

Users may modify which patterns are used when scanning a file by adding, editing and deleting patterns from the table.

To add a pattern:

  1. Right click on any row in the Patterns Table.
  2. Select "Add Row". This will launch a Row Adder console
  3. Enter the following information in the Row Adder:

    Name: enter a user-defined instance for the pattern being added
    Description: enter a short description of the pattern to appear in the table
    Pattern: enter the pattern to be used when scanning the log file

Figure 20 - Patterns Table Row Adder

4. Click "OK" to add the pattern.

To edit a pattern:

  1. Right click on the row listing the pattern.
  2. Select "Edit Row".
  3. Enter the new information in any of the fields of the Row Editor.
  4. Click "OK"

To delete a pattern:

  1. Right click on the row listing the pattern.
  2. Select "Delete Row". The row will be removed from the table.

Setting Alarm Limits - The Matches Column

To set alarm limits on the number of matches for a given pattern, right-click on the Matches field for that pattern, and select 'Attribute Editor...'. When the Attribute Editor window appears, click on the Alarms tab, and refer to the figure below.

Alarm Thresholds: The first six editable fields are alarm thresholds. If a value is specified for an alarm threshold, an alarm will be triggered when the threshold is crossed. There are three types of alarms: the highest priority is the Critical alarm, the next is Alert, and the lowest priority is the Caution alarm.

Re-Alarm Every: This field controls how often the module will re-alarm after a given alarm threshold is crossed. For example, consider the situation where a table row has an Alert threshold of greater than 5 matches, and a Critical threshold of greater than 10 matches. Thus, when the number of matches reaches 6, a single Alert alarm will be generated. Now, if Re-Alarm Every is equal to zero, no additional alarms will be generated until the Critical threshold is attained. On the other hand, if Re-Alarm Every is equal to one (the default), a new Alert alarm will be generated each time the number of matches is incremented between 6 and 10. Finally, if Re-Alarm Every is equal to three, a new Alert alarm will be generated each time the number of matches is incremented by three between 6 and 10. In all cases, a new Critical alarm will be generated when the Critical threshold is reached.

Alarm Deadband: This value specifies the amount of time that new alarms of the same type are suppressed once an initial alarm of a given type (Critical/Alert/Caution) has been triggered. Note that a new alarm of a different type is not suppressed under any circumstances.

Consider an example where the Alarm Deadband is set to 5 seconds: If the Matches field becomes greater than the 'Alert Threshold (>)' alarm limit, the field goes into the Alert alarm state. If the number of Matches for the pattern are incremented again within the the next 5 seconds, a new Alert alarm will not be issued; a new 'Alert Threshold (>)' alarm for this pattern will only be issued if it occurs more than 5 seconds after the previous alarm. However, if the number of Matches has crossed the 'Critical Threshold (>)', a new alarm will be issued, even if this new alarm occurs within 5 seconds of the previous alarm.

For almost every log file, it is not necessary to change the Alarm Deadband from 0. In fact, the recommended and default value for the Alarm Deadband is 0. However, when monitoring the log files described below, the Alarm Deadband must be greater than 5 seconds in order to prevent a tight monitoring loop:

  • User files that are written to upon alarm: Alarm Actions can be specified for the Matches field in the Actions tab of the Attribute Editor. Upon detecting a pattern match in the file, if the Alarm Action instructs the module to write to the monitored file, this in turn will trigger the alarm again, beginning a tight monitoring loop as described above. This condition may be prevented by setting the Alarm Deadband to greater than 5 seconds, causing LogFileMonitor to wait this period of time after the first alarm, before issuing another alarm of the same type.

Status Message Pattern: This field modifies the status message that is displayed in the Alarms tab when an alarm is generated. The specified custom message is appended to the standard alarm message:

<Instance Description> PrimeAlert LogFileMonitor
<Description Field in Patterns Table> Pattern Matches

In addition to employing generic message text, a number of variable parameters are available for constructing a custom status message:

  • %param - Either '>' or '<', depending upon alarm type
  • %limit - The alarm threshold value that is responsible for the alarm
  • %value - The value of the match counter when the alarm was generated
  • %message - The match string that corresponds to the pattern
  • %1 - If substrings are specified in the pattern regular expression, the value of the first matching substring
  • %2 - If substrings are specified in the pattern regular expression, the value of the second matching substring
  • %3 - If substrings are specified in the pattern regular expression, the value of the third matching substring

NOTES:

  1. In order to use the '%' symbol in a custom status message, and have it interpreted as plain text (not part of a variable parameter name), use the string '%%' instead.
  2. If more than three substrings are used in a regular expression, only the first three can be explicitly given in a custom status message (using the %1, %2, and %3 variable parameters).

The default status message pattern is:

%param %limit [%value] %message

Alarm Window: This field is used to specify the time window within which alarms are triggered . If any alarm thresholds are surpassed at a time outside of this window, an alarm will not be triggered. The default value for this field is blank, specifying that alarms may be triggered at any time.

Attribute Editor

Figure 21 - Attribute Editor (Alarms Tab) for the Matches column of the Patterns table

Resetting the Matches Column

The number of matches displayed in the Matches column of the Patterns table can be reset to zero at any time by doing the following:

  1. Right-click on the Matches field for the desired pattern, and select 'Attribute Editor...'. When the Attribute Editor window appears, click on the Reset tab (see the figure below).
  2. The Reset tab presents five different options for resetting the Matches column:
    • Reset Counter - this resets the counter for the row in the Patterns table that was used to launch the Attribute editor. If the Attribute editor is launched from the table heading row, the Matches counter will be reset for all rows in the Patterns table.
    • Reset Counters (All Rows) - this resets the Matches counter for all rows in the Patterns table
    • Reset When Acknowleged - for the row in the Patterns table that was used to launch the Attribute editor, the Matches counter will be reset after an alarm is acknowledged for the row. If the Attribute editor is launched from the table heading row, the behavior will apply to all rows currently in the Patterns table.
    • Reset Schedule - the user can specify a time window during which the Matches counter will be automatically reset to zero. If the Attribute editor is launched from the table heading row, this schedule will apply to all rows currently in the Patterns table.
    • Reset Schedule (All Rows) - the user can specify a time window during which the Matches counter will be automatically reset to zero, for all rows in the Patterns table.
  3. Click the OK or Apply button to have the specified action(s) take effect.

Note that the 'Last Reset Time' field shows the time at which the Matches column was last reset to zero. The timestamp format is YYYY-MM-DD HH:MM:SS.

Setting Alarm Limits - The Matches (Last ...) Column

To set alarm limits on the number of matches (in a given time span) for a given pattern, right-click on the 'Matches (Last ...)' field for that pattern, and select 'Attribute Editor...'. When the Attribute Editor window appears, click on the Alarms tab, and refer to the figure below.

Alarm Thresholds: The first three editable fields are alarm thresholds. If a value is specified for an alarm threshold, an alarm will be triggered when the threshold is crossed. There are three types of alarms: the highest priority is the Critical alarm, the next is Alert, and the lowest priority is the Caution alarm.

Clear Threshold: The Clear Threshold can be used to set a threshold that will clear all alarms when the match-rate drops below the specified value. The clear threshold should be set to NOT overlap with the value of the lowest-severity alarm threshold. For example, if there is a caution threshold of '> 5', then the value inserted into the clear threshold field should be less than or equal to 6.

Status Message Pattern: This field has already been described above. The default status message pattern is:

> %limit [%value]

Alarm Window: This field is used to specify the time window within which alarms are triggered . If any alarm thresholds are surpassed at a time outside of this window, an alarm will not be triggered. The default value for this field is blank, specifying that alarms may be triggered at any time.

Attribute Editor

Figure 22 - Attribute Editor (Alarms Tab) for the Matches (Last ...) column of the Patterns t able

Browsing the Log File

To browse the Log File, the PrimeAlert FileBrowser must be loaded in the same agent as the PrimeAlert for Apache Web Server module. Once loaded, users will be able to launch the FileBrowser from any table within the Logfiles Section. To launch the FileBrowser:

  1. Right click on the row of any table.
  2. Select "Browse File" from the pop-up menu to launch the FileBrowser.

Figure 23 - PrimeAlert FileBrowser displaying a logfile with error patterns

The FileBrowser will automatically load the patterns in the Patterns Table and highlight lines matching any of those patterns.

Top Previous
Copyright © 1996-2001 Halcyon Monitoring Solutions, Inc. All rights reserved. http://www.HalcyonInc.com