I almost always use rules. Something in a log = alert.
I would only ever use a monitor if I needed to represent a state change, AND I have a good and reliable “healthy” event in the log to change it with.

From: [email protected] On Behalf Of Steve Olvera
Sent: Tuesday, April 7, 2015 10:26 AM
To: [email protected]
Subject: RE: [msmom] Log file monitor

So that goes for both monitors and rules? Is it best to set up log monitoring as rules?

steve

On Apr 7, 2015 9:53 AM, "Kevin Holman" <[email protected]> wrote:

When you create a log file monitor in SCOM, it will read the file size, and start reading new lines in the log only. It should not read and generate alerts on old entries, unless the log file is edited in such a way that we have to re-read the entire file and see all lines as “new”.

One way this happens is when the application grooms old lines from the top of the file, but attempts to leave the rest of the file intact. In this case, we notice the number of lines has changed, so SCOM re-reads all lines in the file.

From: [email protected] On Behalf Of Steve Olvera
Sent: Tuesday, April 7, 2015 9:21 AM
To: [email protected]
Subject: [msmom] Log file monitor

Hi all,

I have to monitor several log files, some dating back to Mar 2014. The app owners are not willing to create new log files so they have several months of errors and success entries. I set up a log rule to alert for key words in the log, but had several alerts on old error entries. How can I get SCOM to only alert on error entries that are recent?

Thanks
steve
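Added example, not part of the original thread and not SCOM's code: a simplified Python model of the log-reading behaviour Kevin Holman describes, showing why grooming lines from the top of a file makes old entries alert again. The `LogWatcher` class, the `ERROR` keyword and the sample log lines are constructed for illustration, and the "file has fewer lines than before" check is an assumption about how the change is detected.

```python
import os
import tempfile

KEYWORD = "ERROR"  # constructed keyword; the thread does not name one


class LogWatcher:
    """Toy model of the described behaviour (assumption, not SCOM code)."""

    def __init__(self, path):
        self.path = path
        self.lines_seen = len(self._read())  # existing lines count as old

    def _read(self):
        with open(self.path, encoding="utf-8") as fh:
            return fh.read().splitlines()

    def poll(self):
        lines = self._read()
        if len(lines) < self.lines_seen:
            # File shrank: saved position is invalid, all lines look new.
            self.lines_seen = 0
        new = lines[self.lines_seen:]
        self.lines_seen = len(lines)
        return [line for line in new if KEYWORD in line]


def demo():
    log = ["2014-03-02 ERROR disk full", "2014-03-02 INFO started",
           "2014-06-10 ERROR timeout", "2015-04-01 INFO ok"]  # constructed
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)

    def write(lines):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")

    try:
        write(log)
        watcher = LogWatcher(path)
        at_start = watcher.poll()        # old entries are skipped
        write(log + ["2015-04-07 ERROR db down"])
        after_append = watcher.poll()    # only the new line alerts
        write(log[2:] + ["2015-04-07 ERROR db down"])  # top two lines groomed
        after_groom = watcher.poll()     # whole file is re-read
        return at_start, after_append, after_groom
    finally:
        os.remove(path)
```

`demo()` returns the alerts from three passes: none at creation, one after the append, and, once the top of the file is groomed, both the 2014 entry and the already-reported 2015 entry again.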
