See the link below for instructions on how to create a Simple Event Detection monitor for a plain text (non-delimited) log file in System Center Operations Manager 2007 and 2007 R2:
NOTE This information should also apply to System Center 2012 Operations Manager
Follow the procedure at the link above to create a monitor for a delimited (CSV) log file with the following exceptions:
Step 7: In the Create Monitor Wizard, on the Select a Monitor Type page, expand Log Files, expand Text Log (CSV), expand Simple Event Detection, click Event Reset, and then click Next.
Step 10: The separator must also be entered on the Application Log Data Source page. The separator does not have to be a comma, but it must be a printable character.
Step 12: When entering a parameter name, the number in Params/Param[x] represents the field on which the operation will take place. For example, Params/Param is the first field of the delimited file; Params/Param is the second field of the delimited file, and so forth.
Steps for creating a rule to monitor a log file
The following steps illustrate how to create a rule that targets the Windows Computer class and monitors a log file in System Center Operations Manager 2007 and 2007 R2. For more information on selecting a target for a workflow (which includes rules and monitors) see Selecting a Target for a Workflow.
2. In the Operations console, click the Authoring button.
3. In the Authoring pane, expand Authoring, expand Management Pack Objects, and then click Rules.
4. In the toolbar, click Scope.
5. In the Scope Management Packs Objects dialog box, in the Find text box, type Windows Computer, select the Windows Computer target check box, and then click OK.
6. In the Rules pane, right-click Windows Computer and then click Create a New Rule
7. In the Create Rule Wizard, on the Select the type of rule to create page, expand Collection Rules, expand Event Based, and select Generic Text Log or Generic CSV Text Log
NOTE If an alert will be configured, choose Alert Generating Rules, expand Event Based, and select Generic Text Log or Generic CSV Text Log
8. Select a management pack from the Select destination management pack list (in System Center Operations Manager 2012, this list picker is labeled Select Management Pack) or create a new unsealed management pack by clicking New. By default, when creating a management pack object, an override, or disabling a rule or monitor, Operations Manager saves the setting to the Default Management Pack. As a best practice, create a separate management pack for each sealed management pack to be , rather than saving customized settings to the Default Management Pack. For more information, see Default Management Pack.
9. Click Next
10. On the General page, in the Name box, type a name for the rule, and then as an option, you can type a description.
11. Click the Rule Category arrow, select the appropriate category, and then click Next.
12. On the Application Log Data Source page under Define the application log data source, in the Directory text box, type a path to where the log files are located, for example, C:\logfiles
13. In the Pattern text box, type a pattern string to select log files. For example, application??.log will find any log file that starts with ‘application’ followed by zero to two characters with an extension of ‘.log’ (e.g. application.log, application1.log, application01.log, etc.).
14. For CSV log types, enter the separator. The separator does not have to be a comma, but it must be a printable character
15. Select UTF8 if applicable, and then click Next
16. On the Build Event Expression page (for the Build First Expression),click Insert and then do the following:
b. Under Operator, click the pull down menu and select an operator, for example Contains
c. Under Value enter the text that this monitor should trigger on as found in the log file, for example error
After the rule is created, edit the properties of the new rule to generate an alert when the rule is triggered. See How to Edit Properties of a Rule in Operations Manager 2007 for more information on editing the properties of a rule.
Steps for creating a text log alert rule on System Center 2012 Operations Manager can be found under the section To create a delimited text log alert rule at http://technet.microsoft.com/en-us/library/hh457567.aspx.
To reference the fields that were read from the log when the rule is triggered in an alert, use the Params/Param[x] syntax.
For more information on the various settings available in the Create a unit monitor and Create Rule Wizard wizards, see the section Text Log Wizard Options at http://technet.microsoft.com/en-us/library/hh457567.aspx
Each line of a log file must end with a new line (0x0A0x0A hex sequence) before it will be read and processed by Operations Manager.
If a rule or monitor is configured to match a pattern for log file names (e.g. using the ? or * wildcard characters), it is important that only ONE log that matches the pattern is written. If multiple logs that match the pattern are being written to, the high water mark is reset to the beginning of the file with each write to a different file. The result is that all previous log entries will be reprocessed.
The log file name pattern is generic_csv??.txt
Starting with Operations Manager 2012 Service Pack 1, if a log file is cleared or renamed/deleted and then recreated, Operations Manager will read the file from the first line. Prior versions of Operations Manager behave as follows:
When monitoring a log file, Operations Manager remembers the last line read within the file (a 'high water mark'). It will not re-read data before this point unless the file is deleted and recreated, or renamed and recreated, which will reset the high water mark.
If a logfile is deleted and recreated with the same name within the same minute, the high water mark will not be reset, and log entries will be ignored until the high water mark is exceeded.
An implication of this is that log files that are cleared periodically without being renamed and recreated, or deleted and recreated, will not have entries in them processed until the high water mark from before the log is cleared is exceeded.
Operations Manager cannot monitor 'circular log files' (i.e. log files that get to a certain size or line count, then start writing the newest entries at the beginning of the log) for the same reason. The log file must be deleted or renamed and then recreated, or the application configured to write to a new log once the current log is filled.
Article ID: 2691973 - Last Review: 03/09/2016 08:26:00 - Revision: 8.0