Linux log monitoring default checks and policies

Xanadu IT Operations Management

Release

xanadu

ft:locale

en-US

ft:publication_title

Xanadu IT Operations Management

ft:clusterId

itom

bundleId

itom

workflow

Technology

Linux log monitoring default checks and policies

Release version: Xanadu

Updated August 1, 2024

2 minutes to read

Summarize

Summarized using AI

Summary of Linux log monitoring default checks and policies

The Agent Client Collector offers built-in policies specifically designed for Linux log monitoring. These policies enable ServiceNow customers to monitor log files owned by regular users or root users effectively. They help identify critical and warning events within log files by searching for specified patterns, supporting case sensitivity, encoding options, and file pattern matching.

Show full answer Show less

Key Features

Monitoring Log Files: Two main event types are provided—util.check-logs for logs owned by regular users, and util.check-logs-sudo for logs owned by root users.
Pattern Matching: Supports searching for multiple patterns separated by pipes (e.g., "SEVERE|404") with options for case-insensitive matching.
File and Encoding Options: Allows specifying the log file or patterns of files to monitor, with support for different encoding pages and UTF-16 encoding.
Exclusion and Log Format: Patterns to exclude from matching can be defined, as well as custom log entry formats.
Alert Levels: Critical and warning levels can be set based on matched patterns, with an option to warn instead of marking critical on match.
Return Options: Configurable return of matched lines, including limits on the number and length of returned log entries.
State Management: Supports specifying directories to store state files automatically or manually, ensuring proper tracking of monitoring progress.

Usage and Practical Application

ServiceNow customers can leverage these policies by running the check-log.rb command with appropriate flags to tailor monitoring to their environment. For instance, monitoring the ServiceNow Agent Client Collector log for severe errors can be done with:

check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

This command sets critical and warning thresholds, specifies the search pattern, state directory, and target log file, enabling automated detection of important log events.

Benefits for ServiceNow Customers

Ensures continuous monitoring of critical Linux log files owned by users and root, enhancing system reliability and security.
Flexible and configurable pattern matching supports diverse use cases and log formats.
Automated state management helps maintain consistent monitoring without manual intervention.
Clear output indicating warning and critical counts facilitates rapid identification and response to issues.

Agent Client Collector provides the following policy for Linux log monitoring.


Type	Check	Description	Usage and Usage Example	Output
Event	util.check-logs	Enables monitoring log files owned by a regular user.	Usage: -i --icase: Run a case insensitive match. -c, --crit N: Critical level (if pattern has a group). --encode-utf16u: Encode line with utf16 before matching. -e, --encoding ENCODING-PAGE: Specific encoding page to read log file with. -E, --exclude PAT: Pattern to exclude from matching. -F, --filepattern FILE: Check a pattern of files, instead of one file. For REGEX, first test it on https://rubular.com/ to get the expected outcomes and then pass it inside quotes as a parameter. For example, to get all .log extension files, pass "(.)*\.log$" as REGEX. -f, --log-file FILE: Path to log file. -l, --log-pattern PAT: Log format of each log entry: -o, --warn-only Warn instead of critical on match. -q, --pattern PAT Pattern to search for.To search for multiple patterns, separate each pattern with pipe(\|) and put inside quotes (For example: "SEVERE\|404"). -r, --return: Return matched line. -L, --return-length N: Matched line length. -M, --return-error-limit N: Max number of returned matched lines(log entries). -n, --name NAME Set state file dir automatically using name. -s, --state_dir DIR Dir to keep state files under. -w, --warn N: Warning level if pattern has a groupWarning level if pattern has a group. Usage example: `command: check-log.rb -c 2 -w 1 -q "SEVERE\|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log`	CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE\|Exception in log file /var/log/servicenow/agent-client-collector/acc.log
Event	util.check-logs-sudo	Enables monitoring log files owned by a root user.	Usage: -i --icase: Run a case insensitive match -c, --crit N: Critical level (if pattern has a group) --encode-utf16u: Encode line with utf16 before matching -e, --encoding ENCODING-PAGE: Specific encoding page to read log file with. -E, --exclude PAT Pattern to exclude from matching -F, --filepattern FILE: Check a pattern of files, instead of one file. For REGEX, first test it on https://rubular.com/ to get the expected outcomes and then pass it inside quotes as a parameter. For example, to get all .log extension files, pass "(.)*\.log$" as REGEX. -f, --log-file FILE: Path to log file. -l, --log-pattern PAT: Log format of each log entry: -o, --warn-only Warn instead of critical on match -q, --pattern PAT Pattern to search for.To search for multiple patterns, separate each pattern with pipe(\|) and put inside quotes (for example: "SEVERE\|404") -r, --return: Return matched line. -L, --return-length N: Matched line length. -M, --return-error-limit N: Max number of returned matched lines(log entries). -n, --name NAME: Set state file dir automatically using name. -s, --state_dir DIR: Dir to keep state files under -w, --warn N: Warning level if pattern has a groupWarning level if pattern has a group. Usage example: `command: check-log.rb -c 2 -w 1 -q "SEVERE\|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log`	CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE\|Exception in log file /var/log/servicenow/agent-client-collector/acc.log