The Log Parser Instrumentation can harvest events from any text-based log file, such as syslog, Apache error logs, and ZENworks® Application Launcher logs. Each event is parsed and formatted in the Novell® Audit event structure so that Novell Audit can process it.
The log parser parses a text log file one line at a time. Each line must end in either a carriage return or line feed.
To configure log parsing, you must identify the servers where the text logs are located, identify the log files, and then identify the lines in the log files that you want included. These tasks are discussed in the following sections.
NOTE: The log parser does not currently handle multibyte characters. It also does not consolidate information from multiple lines into a single event: each line is parsed on its own, so a message that spans several lines (for example, a stack trace) produces several events, or only the lines that match a line reader are kept.
To configure log parsing, you must first create at least one host. A host is a server that contains one or more log files that you want included in the log parsing. The log parser reads the configured log files from the specified applications and consolidates the resulting events into a single log in its database.
To create a host:
On the Logging Server Options page, click the Log Applications tab.
Click Logfile Parser.
On the Configuration tab, click Instrumentation.
Create the host logging server:
On the Hosts page, click New.
The New Host page opens.
In the Address field, enter the IP address or DNS name of the server where the log file resides.
In the Description field, enter a description of the host server, such as the server name.
Click OK.
The new host appears in the Hosts page.
To edit or delete a host, select the box next to the host, then select Edit or Delete.
A log file is a file on a server that records specified events. To create a logfile tag, you must first select the host (the server) that contains the log file. Each logfile tag runs in its own thread for scheduling and parsing the log.
To create a log file:
On the Hosts page, click the host where you want to create the log file.
The Logfiles page opens.
Click New.
The New Logfile page opens.
Configure the log file attributes.
| Item | Description |
|---|---|
| Logfile Configuration | |
| Identifier | A user-defined name for the log file. This is not the filename of the log file, so you can enter any name you want. |
| Location | The full path of the log file on the target system. For example, the syslog file on Red Hat* and SUSE® is generally /var/log/messages. Wildcard characters, such as * or !, are not allowed. |
| Description | A description of the log file, such as Application 1 Log File. |
| Logfile Harvest Options | |
| Read log daily at | The hour of each day at which the log parser reads the log file. 00 is midnight. |
| Read log interval every | The interval, in hours, minutes, or seconds, at which the log parser reads the log file. Select the number of hours, minutes, or seconds from the drop-down lists. |
Click OK.
The new log file appears in the Logfiles page.
To edit or delete a log file, select the box next to the log file and select Edit or Delete.
To import a log file:
Click Import.
Select the XML configuration file that contains the log file configuration.
Click OK.
When the XML file is imported, the name of the imported log file is compared against the names of all currently defined log files. If a match is found, the log file being imported automatically replaces the existing log file with the same name.
To export a log file:
Select the box next to the log file, then click Export.
Specify a filename for the exported file without a file extension.
The .xml extension is automatically added to the file.
Click OK.
The selected log file is exported to the default location specified by the browser you are using to access iManager. The export process creates an XML file from the log file and line reader configurations.
A line reader is a tag that identifies which lines of a log file it applies to (by regular expression) and what to do with each matching line, such as discarding it or parsing it into an event.
To create a line reader:
On the Logfiles page, click the log file where you want to create the line reader.
The Line Readers page opens.
Click New.
Complete the Line Reader Configuration Wizard; click Next after you complete each page.
| Item | Description |
|---|---|
| Parse Type | Select one of the following: |
| Description | Textual information about the line reader, such as Warning Line Reader. |
| Event ID (Conditional) | A hexadecimal event number that uniquely identifies each type of logged event. For more information, see Event Structure. Use this field only for the Tokenizer and Fixed Position parse types. |
| Component (Conditional) | A string formatted like a DOS pathname, with a backslash ( \ ) separating the component parts, such as \eDirectory\Database\Lookup. Use this field only for the Tokenizer and Fixed Position parse types. |
| Regular Expression | The regular expression used to match a certain type of line. Each line read is tested against this expression of each line reader, in order, until a match is found; the first matching line reader parses the line. If no line reader's regular expression matches, the line is ignored. |
On the Hardcoded Fields page, you can assign fixed values to event fields that appear in the database for every event this line reader produces. A value assigned here is overridden if the Section page maps part of the line to the same field. All hardcoded fields are optional. For more information on each of these fields, see Event Structure.
| Item | Description |
|---|---|
| Severity | The severity of the reported event. |
| Grouping | An ID that can be used to identify related events. |
| Originator | Who or what caused the event to happen. |
| Originator Type | The predefined format in which the target and originator are represented. The defined values for this type are currently: |
| Target | The event target. All eDirectory events store the event's object in the Target field. |
| Target Type | The predefined format in which the target and originator are represented. The defined values for this type are currently: |
| Subtarget | The event subtarget. All eDirectory events store the event's attribute in the Subtarget field. |
| Text1 | The value of this field depends on the event. It can contain any text string up to 255 characters. The Text1 field is vital to the function of the CVR driver. For more information, see CVR Channel. |
| Text2 | The value of this field depends on the event. It can contain any text string up to 255 characters. The Text2 field is vital to the function of the CVR driver. For more information, see CVR Channel. |
| Text3 | The value of this field depends on the event. It can contain any text string up to 255 characters. |
| Value1 | The value of this field depends on the event. It can contain any numeric value up to 32 bits. |
| Value2 | The value of this field depends on the event. It can contain any numeric value up to 32 bits. |
| Value3 | The value of this field depends on the event. It can contain any numeric value up to 32 bits. |
| Mime Hint | Identifies the type of data contained in the Data field. |
| Data | The value of this field depends on the event. The default size of this field is 3072 characters. |
On the Section page, you define a specific section of the line. To add another section, click the plus sign (+). To delete a section, click the minus sign (-).
| Item | Description |
|---|---|
| Separator | The character that separates the data in the line, such as a space. To enter a space, press the Spacebar. |
| Separator Skip | The number of separator characters between one piece of data and the next, such as two spaces. Select a number from 0 to 10. |
| Event Field | The Novell Audit event field in which to store this section of the line. You can select any of the fields listed on the Hardcoded Fields page, or select Discard to drop this section. |
| Integer Syntax (Conditional) | If you want to store this section in one of the integer fields of Novell Audit, such as Severity or Grouping, enter information here to help the parser convert the string to an integer. |
The Summary page reviews the information that you entered in the Line Reader Configuration Wizard. To modify any of the information, click Back to return to the applicable page and make the necessary changes. When the information is correct, click Finish.
To edit or delete a line reader, select the box next to the line reader, then select Edit or Delete.
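The following is an added example, not Novell code, that puts the rules from the Regular Expression field, the Hardcoded Fields page and the Section page together so you can see how a raw line becomes an event: readers are tried in order and the first matching regular expression wins, lines no reader matches are ignored, hardcoded field values are filled in first and then overridden by section values, and sections are cut out of the line by separator and stored in the selected event field (with a string-to-integer conversion for the integer fields). The event IDs, severity codes, sample syslog lines and helper names are constructed for the example, the Separator Skip value is interpreted as the number of separator characters consumed after a section, and Integer Syntax is modelled as a text-to-integer lookup; the page does not specify the product's exact semantics for either.

```python
# Emulation of the Log Parser's line-reader pipeline. Added example, not Novell
# code: field names follow the Hardcoded Fields and Section pages; Separator
# Skip and Integer Syntax semantics, event IDs, severity codes and the sample
# log lines are assumptions made for this example.
import re
from dataclasses import dataclass, field
from typing import Optional

INTEGER_FIELDS = {"Severity", "Grouping", "Value1", "Value2", "Value3"}


@dataclass
class Section:
    separator: str                         # character that ends this section
    skip: int                              # separator characters consumed after it (0-10)
    event_field: str                       # Novell Audit event field, or "Discard"
    integer_syntax: Optional[dict] = None  # assumed form: text -> int lookup


@dataclass
class LineReader:
    description: str
    regex: str                  # readers are tried in order; the first match wins
    event_id: int               # hexadecimal event number
    component: str              # backslash-separated, e.g. \Syslog\sshd
    hardcoded: dict = field(default_factory=dict)  # Hardcoded Fields page
    sections: list = field(default_factory=list)   # Section page, in order


def to_int(text, integer_syntax):
    """String-to-integer conversion for Severity, Grouping and Value1-3."""
    if integer_syntax and text in integer_syntax:
        return integer_syntax[text]
    return int(text, 0)         # accepts decimal ("4412") and hex ("0x113c")


def apply_sections(line, sections, event):
    """Cut the line into sections; a section value overrides a hardcoded one."""
    pos = 0
    for s in sections:
        end = line.find(s.separator, pos) if s.separator else -1
        if end == -1:           # no separator left: the section runs to end of line
            text, pos = line[pos:], len(line)
        else:                   # consume the separator plus any extra skip characters
            text, pos = line[pos:end], end + max(1, s.skip)
        if s.event_field != "Discard":
            event[s.event_field] = (to_int(text, s.integer_syntax)
                                    if s.event_field in INTEGER_FIELDS else text)
        if pos >= len(line):
            break
    return event


def parse_line(line, readers):
    """Return the event for the first reader whose regex matches, else None."""
    line = line.rstrip("\r\n")  # each line must end in a CR or LF
    for r in readers:
        if re.search(r.regex, line):
            event = {"EventID": r.event_id, "Component": r.component, **r.hardcoded}
            return apply_sections(line, r.sections, event)
    return None                 # no regular expression matched: the line is ignored


def parse_log(lines, readers):
    return [e for e in (parse_line(l, readers) for l in lines) if e is not None]


def ignored_lines(lines, readers):
    """Lines no reader claims; review these so audit data is not dropped silently."""
    return [l.rstrip("\r\n") for l in lines if parse_line(l, readers) is None]


def sp(event_field, integer_syntax=None):
    """A section ended by one space (Separator " ", Separator Skip 1)."""
    return Section(" ", 1, event_field, integer_syntax)


# Constructed configuration for lines shaped like
#   Jan 12 10:03:17 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 4412 ssh2
SEVERITY = {"Failed": 4, "Accepted": 6}   # assumed severity codes
DISCARD = sp("Discard")
HEAD = [DISCARD, DISCARD, DISCARD, sp("Text3"), sp("Text2"), sp("Severity", SEVERITY),
        DISCARD, DISCARD]                 # month day time host process verb "password" "for"
TAIL = [sp("Target"), DISCARD, sp("Originator"), DISCARD, sp("Value1")]  # user "from" ip "port" port

READERS = [
    # The more specific reader goes first: "invalid user" adds two tokens, which would
    # otherwise shift every later section (Target, Originator, Value1) by two words.
    LineReader("sshd invalid user", r"sshd\[\d+\]: Failed password for invalid user ",
               0x000A0002, r"\Syslog\sshd", {"Severity": 6, "Text1": "sshd-auth"},
               HEAD + [DISCARD, DISCARD] + TAIL),
    LineReader("sshd auth", r"sshd\[\d+\]: (Failed|Accepted) password for ",
               0x000A0001, r"\Syslog\sshd", {"Severity": 6, "Text1": "sshd-auth"},
               HEAD + TAIL),
]

LOG_LINES = [   # constructed sample lines
    "Jan 12 10:03:17 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 4412 ssh2\n",
    "Jan 12 10:03:20 host1 sshd[2211]: Accepted password for alice from 198.51.100.7 port 51022 ssh2\n",
    "Jan 12 10:03:25 host1 sshd[2214]: Failed password for invalid user bob from 203.0.113.9 port 4413 ssh2\n",
    "Jan 12 10:04:00 host1 cron[912]: (root) CMD (run-parts /etc/cron.hourly)\n",
]

if __name__ == "__main__":
    for ev in parse_log(LOG_LINES, READERS):
        print(ev)
    print("ignored:", ignored_lines(LOG_LINES, READERS))
```

Two points the example makes concrete. Because sections are positional, a message variant with extra words (here "invalid user") shifts every later section, so such variants need their own line reader listed before the general one. And because an unmatched line is simply ignored, run something like ignored_lines over a representative sample of the real log before trusting the configuration; otherwise events you meant to audit disappear without any error.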
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For information on trademarks, see Legal Notices.