Linux log monitoring default checks and policies

Release version: Yokohama

Updated January 30, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of Linux log monitoring default checks and policies

Agent Client Collector in the Yokohama release provides default policies for monitoring Linux log files. These policies enable ServiceNow customers to track log entries for both regular user-owned and root-owned log files, helping identify critical or warning events based on specified patterns.

Show full answer Show less

Key Features

Log Monitoring for Regular User Files (util.check-logs): Allows monitoring of log files owned by regular users with flexible options to specify patterns, encodings, case sensitivity, file patterns (using regex), and result limits.
Log Monitoring for Root User Files (util.check-logs-sudo): Similar to the above but designed for root-owned log files, supporting the same parameters and usage options.
Pattern Matching and Severity Levels: Supports searching for multiple patterns separated by pipes (|) with the ability to assign warning and critical thresholds based on pattern grouping.
Encoding and Format Options: Supports UTF-16 encoding, specific encoding pages, and custom log entry formats to accurately parse various log file types.
State Management: Allows specifying directories for state files to maintain monitoring status across checks.

Usage and Practical Application

Customers can configure the check-log.rb command with parameters such as:

-c and -w to set critical and warning levels
-q to define search patterns (e.g., "SEVERE|Exception")
-f to specify the log file path
-s to set the directory for state files
-F to apply regex file pattern matching for multiple log files

Example command:

check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

This command will report critical or warning alerts based on the defined patterns found in the specified log file.

Key Outcomes

Enables proactive detection of critical and warning events in Linux logs through customizable pattern matching.
Supports monitoring across different user permissions (regular and root), ensuring comprehensive log coverage.
Facilitates integration into ServiceNow monitoring workflows by providing structured output for alerts.
Helps maintain log monitoring state to avoid duplicate alerts and improve accuracy over time.

Agent Client Collector provides the following policy for Linux log monitoring.


Type	Check	Description	Usage and Usage Example	Output
Event	util.check-logs	Enables monitoring log files owned by a regular user.	Usage: -i --icase: Run a case insensitive match. -c, --crit N: Critical level (if pattern has a group). --encode-utf16u: Encode line with utf16 before matching. -e, --encoding ENCODING-PAGE: Specific encoding page to read log file with. -E, --exclude PAT: Pattern to exclude from matching. -F, --filepattern FILE: Check a pattern of files, instead of one file. For REGEX, first test it on https://rubular.com/ to get the expected outcomes and then pass it inside quotes as a parameter. For example, to get all .log extension files, pass "(.)*\.log$" as REGEX. -f, --log-file FILE: Path to log file. -l, --log-pattern PAT: Log format of each log entry: -o, --warn-only Warn instead of critical on match. -q, --pattern PAT Pattern to search for.To search for multiple patterns, separate each pattern with pipe(\|) and put inside quotes (For example: "SEVERE\|404"). -r, --return: Return matched line. -L, --return-length N: Matched line length. -M, --return-error-limit N: Max number of returned matched lines(log entries). -n, --name NAME Set state file dir automatically using name. -s, --state_dir DIR Dir to keep state files under. -w, --warn N: Warning level if pattern has a groupWarning level if pattern has a group. Usage example: `command: check-log.rb -c 2 -w 1 -q "SEVERE\|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log`	CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE\|Exception in log file /var/log/servicenow/agent-client-collector/acc.log
Event	util.check-logs-sudo	Enables monitoring log files owned by a root user.	Usage: -i --icase: Run a case insensitive match -c, --crit N: Critical level (if pattern has a group) --encode-utf16u: Encode line with utf16 before matching -e, --encoding ENCODING-PAGE: Specific encoding page to read log file with. -E, --exclude PAT Pattern to exclude from matching -F, --filepattern FILE: Check a pattern of files, instead of one file. For REGEX, first test it on https://rubular.com/ to get the expected outcomes and then pass it inside quotes as a parameter. For example, to get all .log extension files, pass "(.)*\.log$" as REGEX. -f, --log-file FILE: Path to log file. -l, --log-pattern PAT: Log format of each log entry: -o, --warn-only Warn instead of critical on match -q, --pattern PAT Pattern to search for.To search for multiple patterns, separate each pattern with pipe(\|) and put inside quotes (for example: "SEVERE\|404") -r, --return: Return matched line. -L, --return-length N: Matched line length. -M, --return-error-limit N: Max number of returned matched lines(log entries). -n, --name NAME: Set state file dir automatically using name. -s, --state_dir DIR: Dir to keep state files under -w, --warn N: Warning level if pattern has a groupWarning level if pattern has a group. Usage example: `command: check-log.rb -c 2 -w 1 -q "SEVERE\|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log`	CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE\|Exception in log file /var/log/servicenow/agent-client-collector/acc.log