I have issues with SCOM event log and text log monitoring and was wondering if anyone had any input as I haven't seen this addressed anywhere.

Basically:

Setting up monitoring as described above (and everywhere else on the net) seems to go against the "purpose" of SCOM monitoring and I'm wondering if all the trouble to set it up this way will cause issues down the road when one is monitoring hundreds of logs (and/or many log entries).  Let me explain....

Most posts recommend this:

Create an event log or text log monitor, target it to "Windows Computer",disable it, then enable it against a group or computer instance you want the monitoring to execute against.  Simple and effective....

But:

AS soon as you load the pack in SCOM with the disabled monitor in it, the monitor shows up under "Windows Computer" on all servers (server classes)in SCOM's health models. This is because you've targeted it against "Windows Computer".  If you watch a lot of application logs and event logs you have a lot of monitors which will show up as white circles on all health models under the computer class. In addition, you end up with many configuration overrides to enable the monitoring on xyz server or group that has to be maintained as you add/remove systems (using groups is better, but you still have to maintain a group of *some configuration*)...

If you look how Microsoft designs their packs, you load the pack and the pack *discovers* the application and components it was designed to monitor on the servers that the component exists on.  THEN the log monitors kick in as xyz component exists on a box and abc log monitor specifically looks for the logs/strings that component is going to generate.  Done this way the health model is "clean" across all servers and there is no "maintenance" having to track all the places you've enabled/disabled the individual monitors.

In short:

SCOM is designed to discover application components, THEN watch logs (etc) once it discivers the component as it's driven by health models.

My issue is:

All tutorials don't address this and instead use the methods in the above post.  I understand this is just to "get it done".  I am looking for any input as to if anyone knows of any detrimental effects of cluttering up the health models with (possibly hundreds of) "empty monitors" by using the "quick method" of log monitoring vs the "long and painful method" of discovering application components that all vendor packs use.

For a single "disabled" montior that was enabled ona single server to watch a log

I could see the agent/RMS/database needing to track all the "empty/not enabled" monitors created. Besides having to tell people "All those empty circles...well, it's that way on purpose" it seems there might be a performance or storage hit keeping up with all the "junk" in the models.

Question:

Is there any issues with this or am I just making up problems that don't need to be solved?  I've found a few ways around this that are really ugly and don't want to commit to using them as no one else seems to worry about this.

i don't allow the disable and override process, we do script based discovery using the filesystem object, i believe authormp.com had a tutorial on this complete with examples

Thanks for the info (Link in #3 above-> checking it out right now)! Does having "a laundry list of disabled monitors showing up in Health Explorer" cause any problems anyone knows about (or, in theory could cause issues if taken to the extreme)?  I ask this because some vendor packs we've loaded do this...

I've noticed something interesting about this log monitor: If there isn't a carriage return at the end of the line, the monitor won't pick it up. Using our sample monitor above, the log file has these 2 entries at the bottom:

My disk has failed(CR)

Another disk has failed (no CR)

The first line will get picked up but the second one doesn't. Most log writers will put a CR at the end, but I was doing manual testing (putting stuff in with notepad) and noticed this "bug"

I created a couple of these monitors but am receiving: Application Log Module Failed Execution warning alerts:

FindNextChangeNotification failed Directory ..... Error Code = 0x38 One or more workflows were affected by this. Workflow name ...

Will the monitor work in this case ? How to I address this warning alert ?

Hi,

This post is really useful. However, i am planning to use SCOM to monitor any changes in our DHCP leased file. Meaning i have to constantly log the IPs that are leased out and when a new IP is being leased out, i will log the new IP. Any idea how can i do that?

This rule basically alert on a parameter being detected, so basically, i need to change the alerting from detecting a paramenter to detecting a change in the parameter and logging it. Thanks.

Has a solution been found for using Params/Param[1] for alert suppression when the string included a timestamp at the beginning?

I'm trying to monitor a log file which is on a NAS share. The scom action account has read only permissions on the log file but the agent is not able to read that file as it runs on local system. Shouldn't the "run as" option work over here when the SCOM infrastructure has been configured to make use of scom action account as a "run as" account for all the SCOM agents?

Is there any way that the log file can be monitored with restricted permissions? Do i need to use the set action account utlity on the agent?

Adhok

I'm trying to monitor a log file which is on a NAS share. The scom action account has read only permissions on the log file but the agent is not able to read that file as it runs on local system. Shouldn't the "run as" option work over here when the SCOM infrastructure has been configured to make use of scom action account as a "run as" account for all the SCOM agents?

Is there any way that the log file can be monitored with restricted permissions? Do i need to use the set action account utlity on the agent?

Adhok

Kevin,

Can SCOM log-file monitor, monitor a text with a “variable” in it? For example - I need to monitor the following text “Global User 'xxxx' created successfully from Active Dir. Account” (where “xxxx” will be the newly created AD user account) in the name.log file can this be accomplished?

thx

Hi Kevin,

I'm one of your biggest fans since I started my adventure with SCOM 2 years ago. Have you ever think to write a book? Ideally in CHM format already :-)

Yesterday I was on MS workshops regarding SCOM, they mentioned your blog and your name almost all the time :D - it means something!

Question:

It’s great another job as always with this monitor. I managed easy my log monitoring with word ERROR base on your example, but I'm getting only one line in alert description. There is a chance to get more lines in alert description? Let say 10 more? Sometimes one is not enough.

Thanks for your great work. Keep going!

Sorry for a long Post, But I am not sure what I am doing wrong. Looking for an assistance from Kevin on this.

Log File Monitoring in SCOM:

 I created a test Rule targeted against windows Server Operating System to monitor \\Test-SCOM-DV3\Logfiles folder.

 This rule monitors all the Txt files (*.TXT) in the above said folder. And whenever SCOM detects the word “FATAL” a critical alert will be triggered

 This rule is disabled by default and enabled only against the “Watcher Node” (System that does remote logfile monitoring)

Scenarios I tested:

 Created a Logfile with name ErrorLog.Txt and inserted a phrase “Testing FATAL Error”

 For the first line/word (FATAL) SCOM doesn’t alert, from the second line/FATAL error SCOM start alerting.

 Without closing the first alert in SCOM console and if you insert the same phrase third time “Testing FATAL Error” the repeat count increases to 1.  

 If you insert a new phrase like “Fatal Error Testing” a new alert will be generated. Till here things works as expected.

First Scenario:

 When we rename the logfile from ErrorLog.Txt to ErrorLog.TXT20120118 and create a new logfile with the name ErrorLog.TXT

 Insert the same Phrase “Testing FATAL Error” twice we get the new alert with repeat count of 3 (The monitor is looking in all the log files though the name of the first logfile is changed) we get the repeat count increased for all the similar phrases.  This should not work this way.

Second Scenario:

 Modified the Rule to monitor specific logfile by changing the pattern from *.TXT to ErrorLog.TXT

 Insert the word/Phrase “Testing FATAL Error” you get the alerts normally.

 Once you rename the text file from ErrorLog.Txt to ErrorLog.TXT20120118 and create a new file with the same name ErrorLog.Txt and insert the word/Phrase as “Testing FATAL Error”, we stop getting alerts.  When I diagnosed this, we see an information event on watcher node stating the monitored logfile disappeared from the specified location.