The Instrumentation settings in the Log Parser Application object are used to parse information out of an existing text log file, format it, and send it to a Secure Logging Server (SLS). Text log files are parsed one line at a time. Each line must end in either a carriage return or line feed.
IMPORTANT: You must restart the logging server to effect any changes in Application object configuration. For more information on restarting the logging server, refer to the Novell® Audit Administration Guide.
The following sections describe each page of the Log Parser Instrumentation settings.
A host is a server that contains a log file that you want included in the log parsing. A host can have multiple log files on it. The log parser examines the multiple log files from specified applications and creates a single log file in its database.

| Item | Description |
|---|---|
| Address | The IP address or DNS name of the server where the log file resides. |
| Total Log Files | The total number of log files on that host that the log parser reads. |
| Description | A description of the host server entered during the creation of the host. |
| New | Click to create a new host. For information on host configuration settings, see New Host. |
| Edit | To edit a host's configuration, select the box next to the host, then click Edit. For information on host configuration settings, see Edit Host. |
| Delete | To delete a host, select the box next to the host, then click Delete. |

| Item | Description |
|---|---|
| Address | The IP address or DNS name of the server where the log file resides. |
| Description | A description of the host server, such as the server name. |

A log file is a file on a server that logs specified events. Each logfile tag has its own thread for scheduling and parsing the log.

| Item | Description |
|---|---|
| Identifier | The user-defined name for the log file. This is not the filename of the log file. |
| Location | The directory location and filename of the log file on the target system. For example, the location of the syslog file on Red Hat* and SUSE® is generally /var/log/messages. |
| Description | A description of the log file entered during the creation of the log file. |
| New | Click to create a new log file. For information on the log file configuration settings, see New Logfile. |
| Edit | To edit a log file's configuration, select the box next to the log file, then click Edit. For information on the log file configuration settings, see Edit Logfile. |
| Delete | To delete a log file, select the box next to the log file, then click Delete. |
| Import | Click to import an existing log file and its associated line readers. For example, if you have created a syslog log file, such as syslog format1, that you want to use on another machine or share with an associate, you must first export the log file. You can then import the syslog format1 log file (or any other log file) as a new log file, or you can replace an existing log file with the same name. If you want to add a new log file or replace an existing log file, click Import and select the XML configuration file that contains the log file configuration. When the XML file is imported, the name of the imported log file is compared against the names of all currently defined log files. If a match is found, the log file being imported automatically replaces the existing log file with the same filename. |
| Export | Click to export the selected log file to the default location specified by the browser you are using to access iManager. The export process creates an XML file from the log file and line reader configuration. NOTE: When you enter a filename for the exported file, do not enter a file extension. The .xml extension is automatically added to the file. |

| Item | | Description |
|---|---|---|
| Logfile Configuration | | |
| | Identifier | A user-defined name for the log file. This field is not for the filename of the log file, so you can enter any name that you want. |
| | Location | The directory location of the log file on the target system. For example, the path to the syslog file on Red Hat and SUSE is generally /var/log/messages. You cannot enter wildcard characters, such as * or !. |
| | Description | A description of the log file, such as Application 1 Log File. |
| Logfile Harvest Options | | |
| | Read log daily at | Specifies the hour of each day at which the log parser reads the log file. 00 is midnight. |
| | Read log interval every | Specifies the interval in hours, minutes, or seconds of each day in which the log parser reads the log file. Select the number of hours, minutes, or seconds from the drop-down lists. |

A line reader is a tag that you configure to identify a line of a log file and what to do with the line, such as discard or log it.

| Item | Description |
|---|---|
| Event ID | A unique value that identifies a specific type of logged event. Specify any number or hexadecimal value between 0 and 999. |
| Parse Type | Specifies how this line is to be parsed: |
| Component | Generally the filename. The information in this field is displayed in the Component field in the database. |
| Description | A description of the line reader entered during the creation of the line reader. |
| New | Click to create a new line reader. For information on line reader configuration settings, see Line Reader Wizard. |
| Edit | To edit a line reader's configuration, select the box next to the line reader, then click Edit. For information on line reader configuration settings, see Line Reader Wizard. |
| Delete | To delete a line reader, select the box next to the line reader, then click Delete. |

The Line Reader Wizard has four pages: Line Reader Configuration, Hardcoded Fields, Section, and Summary.

| Item | | Description |
|---|---|---|
| Line Reader Configuration | | |
| | Parse Type | Select one of the following: |
| | Description | Textual information about the line reader, such as Warning Line Reader. |
| | Event ID (Conditional) | A hexadecimal event number that uniquely identifies each type of logged event. For more information, see Event Structure. Use this field only for Tokenizer and Fixed Position parse types. |
| | Component (Conditional) | A string formatted like a DOS pathname, with a backslash ( \ ) separating component parts, such as \eDirectory\Database\Lookup. Use this field only for Tokenizer and Fixed Position parse types. |
| | Regular Expression | Specifies the regular expression used to match a certain type of line. When a line is read, the line is applied against this field in each line reader until a match is found. The first matching line reader section is used to parse the line. If no matching regular expression is found, the line is ignored. |

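
Because the first matching line reader wins and unmatched lines are ignored, the order of the readers decides what reaches the logging server. The following is an added example, not Novell code: a dry run that shows which reader claims each sample line, which lines would be dropped, and which readers can never fire because an earlier one shadows them. It assumes Python's `re` dialect and unanchored matching; the reader names, expressions, and log lines are constructed.

```python
import re
from collections import Counter

# Hypothetical line readers in evaluation order: (description, regular expression).
LINE_READERS = [
    ("sshd failed login", r"sshd\[\d+\]: Failed password for "),
    ("sshd any message", r"sshd\[\d+\]: "),
    ("su session opened", r"su(\[\d+\])?: .*session opened"),
]

# Constructed syslog-style sample lines.
SAMPLE_LINES = [
    "Mar  3 10:15:01 host1 sshd[2211]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Mar  3 10:15:09 host1 sshd[2211]: Accepted password for alice from 192.0.2.11 port 4100 ssh2",
    "Mar  3 10:16:40 host1 su[2301]: pam_unix(su:session): session opened for user root by alice",
    "Mar  3 10:17:02 host1 kernel: device eth0 entered promiscuous mode",
]


def dry_run(readers, lines):
    """Return (assigned, ignored): first matching reader per line, and unmatched lines."""
    compiled = [(name, re.compile(rx)) for name, rx in readers]
    assigned, ignored = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")  # the parser works one line at a time
        for name, rx in compiled:
            if rx.search(line):
                assigned.append((name, line))
                break  # first match wins; later readers never see the line
        else:
            ignored.append(line)  # no reader matched: the line is dropped
    return assigned, ignored


def shadowed(readers, lines):
    """Readers whose expression matches some sample line but never matches first."""
    assigned, _ = dry_run(readers, lines)
    winners = Counter(name for name, _ in assigned)
    return [name for name, rx in readers
            if winners[name] == 0 and any(re.search(rx, l) for l in lines)]


if __name__ == "__main__":
    assigned, ignored = dry_run(LINE_READERS, SAMPLE_LINES)
    for name, line in assigned:
        print(f"{name:20} <- {line}")
    print("ignored:", ignored)
    print("shadowed:", shadowed(LINE_READERS, SAMPLE_LINES))
```

Running the same check with the generic `sshd any message` reader moved to the top reports `sshd failed login` as shadowed, which is the ordering mistake to look for before restarting the logging server.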
In this step, you can predefine event fields that appear in the database. However, the data in these fields can be overridden by information specified in the Section page. All hardcoded fields are optional. For more information on each of these fields, see Event Structure.

| Item | Description |
|---|---|
| Severity | The severity of the reported event. |
| Grouping | An ID that can be used to identify related events. |
| Originator | Who or what caused the event to happen. |
| Originator Type | The predefined format the target and originator are represented in. Defined values for this type are currently: |
| Target | The event target. All eDirectory events store the event's object in the Target field. |
| Target Type | The predefined format the target and originator are represented in. Defined values for this type are currently: |
| Subtarget | The event subtarget. All eDirectory events store the event's attribute in the Subtarget field. |
| Text1 | The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text1 field is vital to the function of the CVR driver. For more information, see CVR Channel. |
| Text2 | The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text2 field is vital to the function of the CVR driver. For more information, see CVR Channel. |
| Text3 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
| Value1 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| Value2 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| Value3 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| Mime Hint | Identifies the type of data contained in the Data field. |
| Data | The value of this field depends upon the event. The default size of this field is 3072 characters. |

In the Section page, you define a specific section in the line. To add more than one section, click the plus sign. To delete a section, click the minus sign.

| Item | Description |
|---|---|
| Separator | The character that separates the data in the line, such as a space. To enter a space, press the space bar. |
| Separator Skip | The number of characters that separate the data in a line, such as two spaces. Select a number from 0-10. |
| Event Field | Specifies the Novell Audit event field in which you want to store this section of the line. You can select any of the fields listed in the Hardcoded Fields page, or you can select Discard to not use this section. |
| Integer Syntax (Conditional) | If you want to store this section data in one of the integer fields of Novell Audit, such as Severity or Grouping, you can enter information in this field to help the parser in the string to integer conversion. |

The Summary page reviews the information that you entered during the Line Configuration Wizard. To modify any of the information, click Back to return to the applicable page and make the necessary modifications. When you have entered the correct information, click Finish.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For information on trademarks, see Legal Notices.