
Consolidating Log Files

The Log Parser Instrumentation can harvest events from any text-based log files such as syslog, Apache error logs, and ZENworks® Application Launcher logs. Events are parsed and formatted in Novell® Audit event structure so the events can be processed by Novell Audit.

The log parser parses a text log file one line at a time. Each line must end in either a carriage return or line feed.

To configure log parsing, you must identify the servers where the text logs are located, identify the log files, and then identify the lines in the log files that you want included. These tasks are discussed in the following sections.

NOTE: The log parser does not currently handle multibyte characters. Additionally, it is not designed to consolidate information from multiple lines into a single event.

 

Managing Hosts

To configure log parsing, you must first create at least one host. A host is a server that contains a log file that you want included in the log parsing. A host can have multiple log files on it. The log parser examines the multiple log files from specified applications and creates a single log file in its database.

To create a host:

  1. On the Logging Server Options page, click the Log Applications tab.

  2. Click Logfile Parser.

  3. On the Configuration tab, click Instrumentation.

  4. Create the host logging server:

    1. On the Hosts page, click New.

      The New Host page opens.

    2. In the Address field, enter the IP address or DNS name of the server where the log file resides.

    3. In the Description field, enter a description of the host server, such as the server name.

    4. Click OK.

    The new host appears in the Hosts page.

To edit or delete a host, select the box next to the host, then select Edit or Delete.

 

Managing Logfiles

A log file is a file on a server that logs specified events. To create a logfile tag, you must first select the host, or server, that contains the log file. Each logfile tag has its own thread for scheduling and parsing the log.

To create a log file:

  1. On the Hosts page, click the host where you want to create the log file.

    The Logfiles page opens.

  2. Click New.

    The New Logfile page opens.

  3. Configure the log file attributes.

    Logfile Configuration

      Identifier: A user-defined name for the log file. This field is not for the filename of the log file, so you can enter any name that you want.

      Location: The directory location of the log file on the target system. For example, the path to the syslog file on Red Hat* and SUSE® is generally /var/log/messages. You cannot enter wildcard characters, such as * or !.

      Description: A description of the log file, such as Application 1 Log File.

    Logfile Harvest Options

      Read log daily at: Specifies the hour of each day at which the log parser reads the log file. 00 is midnight.

      Read log interval every: Specifies the interval in hours, minutes, or seconds of each day in which the log parser reads the log file. Select the number of hours, minutes, or seconds from the drop-down lists.

  4. Click OK.

    The new log file appears in the Logfiles page.

 

To edit or delete a log file, select the box next to the log file and select Edit or Delete.

 

To import a log file:

  1. Click Import.

  2. Select the XML configuration file that contains the log file configuration.

  3. Click OK.

When the XML file is imported, the name of the imported log file is compared against the names of all currently defined log files. If a match is found, the log file being imported automatically replaces the existing log file with the same name.

 

To export a log file:

  1. Select the box next to the log file, then click Export.

  2. Specify a filename for the exported file without a file extension.

    The .xml extension is automatically added to the file.

  3. Click OK.

The selected log file is exported to the default location specified by the browser you are using to access iManager. The export process creates an XML file from the log file and line reader configurations.

 

Managing Line Readers

A line reader is a tag that you configure to identify a line of a log file and what to do with the line, such as discard or log it.

To create a line reader:

  1. On the Logfiles page, click the log file where you want to create the line reader.

    The Line Readers page opens.

  2. Click New.

  3. Complete the Line Reader Configuration Wizard; click Next after you complete each page.

    Line Reader Configuration

      Parse Type: Select one of the following:

        • Discard: Designates that all matching lines are to be discarded without sending an event to the host.

        • Tokenizer: Parses the line with a modified string tokenizer. Select this type if the start and end of each log line varies.

        • Fixed Position: Designates a fixed position parser, with each section defined by a fixed start and end position in the line. Select this type if the start and end of each log line are constant.

      Description: Textual information about the line reader, such as Warning Line Reader.

      Event ID (Conditional): A hexadecimal event number that uniquely identifies each type of logged event. For more information, see Event Structure. Use this field only for Tokenizer and Fixed Position parse types.

      Component (Conditional): A string formatted like a DOS pathname, with a backslash ( \ ) separating component parts, such as \eDirectory\Database\Lookup. Use this field only for Tokenizer and Fixed Position parse types.

      Regular Expression: Specifies the regular expression used to match a certain type of line. When a line is read, it is tested against the regular expression of each line reader in turn until a match is found. The first matching line reader section is used to parse the line. If no matching regular expression is found, the line is ignored.

     

    Hardcoded Fields

      In this step, you can predefine event fields that appear in the database. However, the data in these fields can be overridden by information specified in the Section page.

      All hardcoded fields are optional. For more information on each of these fields, see Event Structure.

      Severity: The severity of the reported event.

        • Emergency events cause the system to shut down.

        • Alert events require immediate attention.

        • Critical events might cause parts of the system to malfunction.

        • Error events are errors that can be handled by the system.

        • Warnings are negative events that do not represent a problem.

        • Notices are positive or negative events that an administrator can use to understand or improve the use and operation of the current system.

        • Info represents positive events of any importance.

        • Debug events are used by support technicians or engineers to debug the current system.

      Grouping: An ID that can be used to identify related events.

      Originator: Who or what caused the event to happen.

      Originator Type: The predefined format the target and originator are represented in. Defined values for this type are currently:

        • 0: None

        • 1: Slash Notation

        • 2: Dot Notation

        • 3: LDAP Notation

      Target: The event target. All eDirectory™ events store the event's object in the Target field.

      Target Type: The predefined format the target and originator are represented in. Defined values for this type are currently:

        • 0: None

        • 1: Slash Notation

        • 2: Dot Notation

        • 3: LDAP Notation

      Subtarget: The event subtarget. All eDirectory events store the event's attribute in the Subtarget field.

      Text1: The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text1 field is vital to the function of the CVR driver. For more information, see CVR Channel.

      Text2: The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text2 field is vital to the function of the CVR driver. For more information, see CVR Channel.

      Text3: The value of this field depends upon the event. It can contain any text string up to 255 characters.

      Value1: The value of this field depends upon the event. It can contain any numeric value up to 32 bits.

      Value2: The value of this field depends upon the event. It can contain any numeric value up to 32 bits.

      Value3: The value of this field depends upon the event. It can contain any numeric value up to 32 bits.

      Mime Hint: Identifies the type of data contained in the Data field.

      Data: The value of this field depends upon the event. The default size of this field is 3072 characters.

     

    Section

      In the Section page, you define a specific section in the line.

      To add more than one section, click the plus sign at the end of a section.

      To delete a section, click the minus sign at the end of the section.

      Separator: The character that separates the data in the line, such as a space. To enter a space, press the Spacebar.

      Separator Skip: The number of characters that separate the data in a line, such as two spaces. Select a number from 0-10.

      Event Field: Specifies the Novell Audit event field in which you want to store this section of the line. You can select any of the fields listed in the Hardcoded Fields page, or you can select Discard to not use this section.

      Integer Syntax (Conditional): If you want to store this section data in one of the integer fields of Novell Audit, such as Severity or Grouping, you can enter information in this field to help the parser with the string-to-integer conversion.

        • Number 32bit (signed)

        • Number 32bit (unsigned)

        • Hexadecimal Number

        • RFC822 format date/time

        • IPv4 Internet Address (network order)

        • IPv4 Internet Address (host order)

        • Boolean (Yes/No)

        • Boolean (True/False)

     

    Summary

      The Summary page reviews the information that you entered during the Line Configuration Wizard.

      To modify any of the information, click Back to return to the applicable page and make the necessary modifications.

      When you have entered the correct information, click Finish.

To edit or delete a line reader, select the box next to the log file and select Edit or Delete.
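
Because the first matching line reader decides what happens to a line and unmatched lines are ignored, reader order determines which events reach the database. The following Python sketch is an added example, not Novell Audit code: it models Discard and Tokenizer readers over constructed syslog lines and counts discarded and ignored lines so that silent drops become visible. The reader definitions, event ID, patterns and search-style regular expression matching are assumptions, and Separator Skip is not modeled.

```python
import re
from collections import Counter

# Hypothetical line readers in evaluation order. Keys mirror the wizard fields
# on this page; patterns, event ID and descriptions are constructed.
READERS = [
    {"desc": "Cron noise", "type": "Discard", "regex": r" CRON\["},
    {"desc": "Failed SSH login", "type": "Tokenizer",
     "regex": r"sshd\[\d+\]: Failed password",
     "event_id": 0x000B0001, "severity": "Warning",   # hardcoded fields
     # One (separator, event field) pair per section; None = rest of line.
     "sections": [(" ", "Discard")] * 3
                 + [(" ", "Text1"), (":", "Text2"), (None, "Text3")]},
]

SAMPLE = [  # constructed syslog lines
    "Mar 13 10:15:02 web01 sshd[2211]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Mar 13 10:15:03 web01 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 13 10:15:09 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/su",
]

def parse_line(line, readers=READERS):
    """Return ("event", fields), ("discarded", reader desc) or ("ignored", None)."""
    for reader in readers:                      # the first matching reader wins
        if not re.search(reader["regex"], line):  # search semantics: assumption
            continue
        if reader["type"] == "Discard":
            return "discarded", reader["desc"]
        event = {"EventID": reader["event_id"], "Severity": reader["severity"]}
        rest = line
        for sep, field in reader["sections"]:   # sections may override hardcoded fields
            token, _, rest = rest.partition(sep) if sep else (rest, "", "")
            if field != "Discard":
                event[field] = token.strip()[:255]  # Text fields hold up to 255 characters
        return "event", event
    return "ignored", None                      # no reader matched: nothing is logged

def harvest(lines, readers=READERS):
    """Parse every line and count outcomes so silent drops are measurable."""
    stats, events = Counter(), []
    for line in lines:
        outcome, payload = parse_line(line.rstrip("\r\n"), readers)
        stats[outcome] += 1
        if outcome == "event":
            events.append(payload)
    return stats, events

if __name__ == "__main__":
    print(harvest(SAMPLE))
    # A broad Discard reader placed first hides every later reader.
    broad = [{"desc": "too broad", "type": "Discard", "regex": r"web01"}]
    print(harvest(SAMPLE, broad + READERS)[0])
```

Replaying a sample of the real log through a model like this before saving a reader set shows how many lines each reader claims and how many fall through unlogged.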

Related Topics

Log Application Configuration

Novell Audit Help

A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. For information on trademarks, see Legal Notices.
