This was originally posted on the SCCM and OpsMgr Arabic blog.  If you ever have the need to monitor a text or log file for new entries then this should do the trick.

You may wish to monitor any new entry in a log/text file and want to get an alert generated no matter what the entry is. Usually we want an alert to be generated once a word or expression is logged, but in this post I will be shedding lights on monitoring a log file and generate an alert when any new entry is logged in the log/text file.

• Open OpsMgr Console and go to Authoring—> Management Pack Objects—> Rules
• Click on “Scope“ button in the tool bar to narrow down our selection.
• I assume the file is located on a windows computer, so we will search for “Windows Computer”
• Select Windows Computer and then click Ok

• Right click on rules and select “Create a new rule”
• Expand Alert Generating Rules—>Event Based—>Generic Text Log(Alert)

• In the above window click new to create a new management pack to save this new rule in it. In my case I have created a management pack called “TestRuleMP”
• In the next screen, give a meaningful name to this rule.
• The Rule Target should be Windows Computer
• Make sure to to uncheck the option “Rule is enable” before you proceed

• In the next screen provide the pattern of the file. If the file name is fixed and not changing every time the file is created, then you may give the exact name of the log as LogName.txt  but if the log file name is changing every time is created (LogFileName01, LogFileName02, etc..) then you may put the log file name as the following: LogFileName*.txt and then click next

• Now it is time to set your event expression to generate the alert .
• Click Insert so a new line will be added.
• In the parameter name write: Params/Param[1]
• In the operator select "Match wildcard”
• In the value put “?” – without quotes

• Proceed to configure the alert as the following:

A new Entry was detect in the c:\log\bader.log

Logfile Directory : $Data/EventData/DataItem/LogFileDirectory$
Logfile name: $Data/EventData/DataItem/LogFileName$
String:  $Data/EventData/DataItem/Params/Param[1]$

• Once you are done with editing the alert, click create.
• We have not enabled the rule yet so we need to override the rule and just enable it for a specific computer on which the log is located

• To reproduce the alert, I opened the log file and I typed a new line in it and saved the changes. See the below screenshot

• Now the alert is generated

You can notice that the alert description includes the new entry which was logged in the log file.