Linux log monitoring default checks and policies

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read

    Summary of Linux Log Monitoring Default Checks and Policies

    The Agent Client Collector in ServiceNow provides policies for monitoring Linux log files, enabling users to track critical events and warnings effectively. This monitoring is essential for maintaining system integrity and ensuring timely responses to issues within log files owned by both regular and root users.


    Key Features

    • util.check-logs: Monitors log files owned by regular users.
    • util.check-logs-sudo: Monitors log files owned by root users.
    • Flexible Matching Options: Supports case insensitive matching, encoding options, and customizable patterns for searching logs.
    • File Pattern Checking: Allows for regex patterns to check multiple files, enhancing monitoring capabilities.
    • Return Options: Customizes the output by returning matched lines and controlling the number of returned log entries.

    Usage Examples

    For monitoring log files, you can use commands like:

    Regular User: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

    This command checks for critical and warning levels in the specified log file.

    Root User: The usage is similar, allowing for tailored monitoring of root-owned log files.

    Key Outcomes

    By implementing these checks and policies, ServiceNow customers can:

    • Enhance visibility into log file issues, enabling proactive management of system health.
    • Receive critical alerts based on defined patterns, facilitating timely interventions.
    • Customize monitoring based on specific operational needs, improving overall IT operations management.

    Agent Client Collector provides the following policies for Linux log monitoring.

    Check: util.check-logs
    Type: Event
    Description: Enables monitoring of log files owned by a regular user.
    Usage:
    • -i, --icase: Run a case-insensitive match.
    • -c, --crit N: Critical level (if the pattern has a group).
    • --encode-utf16u: Encode the line with UTF-16 before matching.
    • -e, --encoding ENCODING-PAGE: Specific encoding page to read the log file with.
    • -E, --exclude PAT: Pattern to exclude from matching.
    • -F, --filepattern FILE: Check a pattern of files instead of one file. Test the regex first on https://rubular.com/ to confirm it matches what you expect, then pass it inside quotes as the parameter. For example, to select all files with the .log extension, pass "(.)*\.log$" as the regex.
    • -f, --log-file FILE: Path to the log file.
    • -l, --log-pattern PAT: Log format of each log entry.
    • -o, --warn-only: Warn instead of critical on a match.
    • -q, --pattern PAT: Pattern to search for. To search for multiple patterns, separate them with a pipe (|) and put the whole expression inside quotes (for example: "SEVERE|404").
    • -r, --return: Return the matched line.
    • -L, --return-length N: Length of each returned matched line.
    • -M, --return-error-limit N: Maximum number of returned matched lines (log entries).
    • -n, --name NAME: Set the state file directory automatically using NAME.
    • -s, --state_dir DIR: Directory to keep state files under.
    • -w, --warn N: Warning level (if the pattern has a group).

    Usage example:
    command: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

    Output:
    CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE|Exception in log file /var/log/servicenow/agent-client-collector/acc.log

    Check: util.check-logs-sudo
    Type: Event
    Description: Enables monitoring of log files owned by the root user.
    Usage:
    • -i, --icase: Run a case-insensitive match.
    • -c, --crit N: Critical level (if the pattern has a group).
    • --encode-utf16u: Encode the line with UTF-16 before matching.
    • -e, --encoding ENCODING-PAGE: Specific encoding page to read the log file with.
    • -E, --exclude PAT: Pattern to exclude from matching.
    • -F, --filepattern FILE: Check a pattern of files instead of one file. Test the regex first on https://rubular.com/ to confirm it matches what you expect, then pass it inside quotes as the parameter. For example, to select all files with the .log extension, pass "(.)*\.log$" as the regex.
    • -f, --log-file FILE: Path to the log file.
    • -l, --log-pattern PAT: Log format of each log entry.
    • -o, --warn-only: Warn instead of critical on a match.
    • -q, --pattern PAT: Pattern to search for. To search for multiple patterns, separate them with a pipe (|) and put the whole expression inside quotes (for example: "SEVERE|404").
    • -r, --return: Return the matched line.
    • -L, --return-length N: Length of each returned matched line.
    • -M, --return-error-limit N: Maximum number of returned matched lines (log entries).
    • -n, --name NAME: Set the state file directory automatically using NAME.
    • -s, --state_dir DIR: Directory to keep state files under.
    • -w, --warn N: Warning level (if the pattern has a group).

    Usage example:
    command: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

    Output:
    CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE|Exception in log file /var/log/servicenow/agent-client-collector/acc.log
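The following Ruby script is an added worked example, not the check-log.rb plugin shipped with Agent Client Collector or any ServiceNow code. Its hypothetical function `check_log` reproduces the behaviour the option list above describes (-q, -E, -i, -c, -w, -o, -r, -L, -M, -s, -f) against a constructed log, and emits the same "CheckLog STATUS: N warnings, M criticals for pattern ... in log file ..." line shown in the output column. Two points are assumptions rather than documented facts: when the pattern contains a capture group, the captured integer is compared against the -c and -w values (at or above the threshold), and without a group every match counts as a critical, or as a warning under --warn-only; the state file naming scheme is likewise invented for the example.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical re-implementation of the documented check-log.rb options
# (example code, not the plugin that Agent Client Collector ships).
CHECK_OK       = 0
CHECK_WARNING  = 1
CHECK_CRITICAL = 2

# One state file per monitored path, so repeated runs only read new lines
# (this naming scheme is an assumption of the example).
def state_path(state_dir, log_file)
  File.join(state_dir, log_file.tr('/', '_'))
end

# Returns [exit_status, message]; the message mirrors the documented output line.
def check_log(log_file:, pattern:, state_dir:, exclude: nil, crit: 1, warn: 1,
              icase: false, warn_only: false, return_lines: false,
              return_length: 256, return_error_limit: 5)
  flags      = icase ? Regexp::IGNORECASE : 0        # -i
  match_re   = Regexp.new(pattern, flags)            # -q
  exclude_re = exclude && Regexp.new(exclude, flags) # -E

  FileUtils.mkdir_p(state_dir)                       # -s
  sfile  = state_path(state_dir, log_file)
  offset = File.exist?(sfile) ? File.read(sfile).to_i : 0
  offset = 0 if offset > File.size(log_file)         # rotated/truncated: rescan

  n_warns = n_crits = 0
  matched = []
  File.open(log_file, 'r') do |f|
    f.seek(offset)
    f.each_line do |line|
      m = match_re.match(line)
      next unless m
      next if exclude_re && exclude_re.match?(line)
      if m[1]
        # Assumption: a capture group makes -c/-w numeric thresholds on the value.
        value = m[1].to_i
        if value >= crit
          n_crits += 1
        elsif value >= warn
          n_warns += 1
        end
      elsif warn_only                                # -o
        n_warns += 1
      else
        n_crits += 1
      end
      # -r / -L / -M: keep up to M matched lines, each cut to L characters.
      matched << line.chomp[0, return_length] if return_lines && matched.size < return_error_limit
    end
    File.write(sfile, f.pos.to_s)                    # remember where we stopped
  end

  status = if n_crits > 0 then CHECK_CRITICAL
           elsif n_warns > 0 then CHECK_WARNING
           else CHECK_OK
           end
  label = %w[OK WARNING CRITICAL][status]
  msg = "CheckLog #{label}: #{n_warns} warnings, #{n_crits} criticals " \
        "for pattern #{pattern} in log file #{log_file}"
  msg += "\n" + matched.join("\n") unless matched.empty?
  [status, msg]
end

# Constructed sample log lines (not real ACC output).
SAMPLE_LOG = <<~LOG
  2024-02-01 10:00:00 INFO  collector started
  2024-02-01 10:00:05 SEVERE failed to read configuration file
  2024-02-01 10:00:06 WARN  java.io.IOException: connection reset
  2024-02-01 10:00:07 INFO  retrying in 5s
  2024-02-01 10:00:12 SEVERE health check timed out
  2024-02-01 10:00:13 INFO  queue depth=7
LOG

def run_demo
  Dir.mktmpdir do |dir|
    log   = File.join(dir, 'acc.log')
    state = File.join(dir, 'check-log')
    File.write(log, SAMPLE_LOG)
    # Same options as the documented example, plus -r -M 2.
    first  = check_log(log_file: log, pattern: 'SEVERE|Exception', state_dir: state,
                       crit: 2, warn: 1, return_lines: true, return_error_limit: 2)
    # Nothing new appended: the saved offset means no lines are re-read.
    second = check_log(log_file: log, pattern: 'SEVERE|Exception', state_dir: state,
                       crit: 2, warn: 1)
    # A capture group turns -c/-w into numeric thresholds on the captured value.
    File.write(log, SAMPLE_LOG + "2024-02-01 10:01:00 INFO  queue depth=12\n")
    third  = check_log(log_file: log, pattern: 'depth=(\d+)', state_dir: state,
                       crit: 10, warn: 5)
    # -i, -E and -o together, scanning from a fresh state directory.
    fourth = check_log(log_file: log, pattern: 'severe|exception', icase: true,
                       exclude: 'timed out', warn_only: true,
                       state_dir: File.join(dir, 'fresh'))
    [first, second, third, fourth]
  end
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |status, msg| puts "exit #{status}: #{msg}" }
end
```

Running the script prints four results: the first run reports 3 criticals and the two matched lines, the second reports OK because the state file already points at the end of the file, the third fires on the appended depth=12 line via the capture group, and the fourth downgrades its two matches to warnings. Because the state file decides which lines are never examined again, point -s at a directory that only the collector account can write to; a world-writable location such as the /tmp path in the documented example lets any local user advance the offset and silence matches.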