2 Replies Latest reply on Apr 16, 2012 6:25 AM by Gordon James

    Using Log KM for Solaris Syslog Monitoring

    Jason Hughes



      Is anyone using the Patrol log KM for monitoring Solaris system logs, in particular the /var/adm/messages file?  I was wondering if anyone has managed to sort out the issues around the monitoring of multiline messages in this log?


      The following is a block from the messages file - this shows as five lines in the log file, but is really a single message relating to a SCSI error.


      Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.warning] WARNING: /pci@0/pci@0/pci@8/pci@0/pci@1/SUNW,emlxs@0/fp@0,0/ssd@w5006048c52a57ce8,e8 (ssd3):$
      Mar 11 02:28:40 ssu1l673 ^IError for Command: read(10)                Error Level: Retryable$
      Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] ^IRequested Block: 65792                     Error Block: 65792$
      Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] ^IVendor: EMC                                Serial Number: 239CD008W   $
      Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] ^ISense Key: Unit Attention$
      Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] ^IASC: 0x29 (power on, reset, or bus reset occurred), ASCQ: 0x0, FRU: 0x0$


      The log KM does not understand the formatting of the messages file out of the box, so it will just read the above as five different entries (and therefore miss certain information needed if you configure an alert). Has anyone worked out how to configure the log KM to recognise the multiline messages and monitor them correctly?


      Thanks in advance.




        • 1. Using Log KM for Solaris Syslog Monitoring
          Rastislav Danis

          If there is no exact match for the start and stop of the multiline message, you have to create your own approach:

          - either use a script to consolidate the input from the log into one-line output and configure the Log KM to use the script's output instead of scanning the log,

          - or write your own log-scan KM.


          Another question is whether all these lines are required for event creation; maybe the information you need for the notification is only in a single line.

          • 2. Using Log KM for Solaris Syslog Monitoring
            Gordon James

            Hi Jason,


            Still in Sheffers?


            I've gone down the same road as you for this. First of all, you can configure the LOG KM to send you more than one line once it's found the string you're searching for. I search for the strings "scsi:" and "Warning". I'm using version 2.6 (from memory).


            This will send the number of lines into the IM as one event. Cool.


            I actually have an IM rule that correlates these noisy scsi alerts into one event. What I've done is to use the STD:11 event to say I've found an error and then take all the resulting LOG:General events and populate the STD:11 (LOGErrorLvl) event with all the actual lines (%1-) that caused the error. (Using new rules and a timing trigger.)


            This results in just one event (and one INC) that's populated with all the lines the UNIX SA needs to resolve the issue.


            Defo have a poke around the LOG KM. This allows you to send more than one line.


            Hope that makes sense.
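Rastislav's first suggestion (a script that consolidates the multiline entry into one line before the Log KM reads it) and Gordon's "scsi:" / "Warning" string match, as an added example that is not from the thread or from BMC: a Python consolidator that treats tab-indented message text carrying the same timestamp and host as a continuation of the previous entry. The sample input is constructed from the excerpt in the question, with "^I" written as a real tab and the "$" end-of-line markers dropped.

```python
import re

# Constructed sample in the shape of the thread's /var/adm/messages excerpt:
# "^I" is written as a real tab and the trailing "$" end-of-line markers are dropped.
SAMPLE = """\
Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.warning] WARNING: /pci@0/pci@0/pci@8/pci@0/pci@1/SUNW,emlxs@0/fp@0,0/ssd@w5006048c52a57ce8,e8 (ssd3):
Mar 11 02:28:40 ssu1l673 \tError for Command: read(10)                Error Level: Retryable
Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] \tRequested Block: 65792                     Error Block: 65792
Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] \tVendor: EMC                                Serial Number: 239CD008W
Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] \tSense Key: Unit Attention
Mar 11 02:28:40 ssu1l673 scsi: [ID 107833 kern.notice] \tASC: 0x29 (power on, reset, or bus reset occurred), ASCQ: 0x0, FRU: 0x0
Mar 11 02:28:41 ssu1l673 su: [ID 366847 auth.notice] 'su root' succeeded for jason on /dev/pts/3
"""

# "Mon dd hh:mm:ss host body" (the day may be space-padded, e.g. "Mar  1").
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
# Optional Solaris "tag: [ID nnnnnn facility.level] " prefix before the message text.
TAG_RE = re.compile(r"^(?:\S+: \[ID \d+ [\w.]+\] )?(?P<msg>.*)$", re.S)

def _flush(ts, host, header, parts):
    """One pipe-separated record from the header line and its continuations."""
    return f"{ts} {host} " + " | ".join([header.rstrip()] + parts)

def consolidate(lines):
    """Merge continuation lines (tab-indented message text with the same timestamp
    and host as the open record) into the preceding message; padding inside a
    continuation is collapsed to single spaces. Non-syslog lines pass through."""
    records, cur = [], None        # cur = (ts, host, header_body, parts)
    for line in (l.rstrip("\n") for l in lines if l.strip()):
        m = LINE_RE.match(line)
        if m is None:               # not syslog-shaped: flush, then pass through
            records += ([_flush(*cur)] if cur else []) + [line]
            cur = None
            continue
        ts, host, body = m.group("ts", "host", "body")
        msg = TAG_RE.match(body).group("msg")
        if msg.startswith("\t") and cur and cur[:2] == (ts, host):
            cur[3].append(" ".join(msg.split()))
            continue
        if cur:
            records.append(_flush(*cur))
        cur = (ts, host, body, [])
    if cur:
        records.append(_flush(*cur))
    return records

def matching(records, *needles):
    """Records containing every needle, case-insensitively (e.g. "scsi:", "warning")."""
    return [r for r in records if all(n.lower() in r.lower() for n in needles)]
```

Feeding the consolidated output (rather than the raw file) to the Log KM means a single match on "scsi:" plus "Warning" carries the block, vendor and sense-key fields that the alert needs.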