File Monitor


File Monitor monitors a log file, ASCII file, or text file (or a directory of ASCII or text files). File Monitors parse non-circular text files for words or strings, and notify when the search criteria are found.

Note
Only Service Agents can run a File Monitor, and only local file paths are supported. Virtual Agents, UNC paths and mapped drives are unsupported.
 
Unicode big endian format is not supported. An explanation of endian architecture can be found here.
 
If a new copy of a monitored file is created, the File Monitor will detect this and read it as a new file even though the file name has not changed. Windows file system tunneling can mask this change. See Microsoft Knowledge Base Article 172190 for more details.
 
On 64-bit operating systems, the File Monitor will use sysnative to access the System32 directory.

When it gets to the end of the file, the File Monitor sets a bookmark. At the next Scheduled Interval it will begin reading new lines in the file after the bookmark. Since the File Monitor reads in a line-by-line fashion, a line that has additional text added to it after being bookmarked will have these characters skipped, and monitoring will begin on the line after the bookmark.

By default, when the File Monitor is first created, it skips to the end of each file it monitors and sets a bookmark. It then starts watching for character string matches in new lines added to the file(s). To force File Monitor to search each file for matches from the beginning, add a checkmark next to Do Actions on First Run.
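The following added example models the bookmark behaviour described above, so the blind spot for lines completed after a poll can be reproduced; it is not ELM's code. The `BookmarkReader` class, the `demo` function and the sample log text are constructed for illustration, and the skip-to-next-line logic is an assumption based on the description on this page.

```python
# Added model of the bookmark behaviour described above; not ELM code.
import os
import tempfile


class BookmarkReader:
    """Returns only text that was appended after the saved bookmark."""

    def __init__(self, path, do_actions_on_first_run=False):
        self.path = path
        # Default: skip to the end of the file when the monitor is created.
        self.bookmark = 0 if do_actions_on_first_run else os.path.getsize(path)

    def poll(self):
        with open(self.path, "rb") as fh:
            data = fh.read()
        start = self.bookmark
        # Assumption: if the bookmark landed in the middle of a line, the
        # rest of that line is skipped and reading resumes on the next line.
        if 0 < start <= len(data) and data[start - 1:start] != b"\n":
            newline = data.find(b"\n", start)
            start = len(data) if newline == -1 else newline + 1
        self.bookmark = len(data)  # bookmark the end of the file
        return data[start:].decode("ascii", "replace").splitlines()


def demo(do_actions_on_first_run=False):
    """Write a constructed log in three steps and poll between them."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "ab") as fh:
            fh.write(b"service started\n")
        reader = BookmarkReader(path, do_actions_on_first_run)
        with open(path, "ab") as fh:
            fh.write(b"failed lo")            # writer flushes a partial line
        first = reader.poll()                 # the partial line is all it sees
        with open(path, "ab") as fh:
            fh.write(b"gon for root\nnext line\n")
        second = reader.poll()                # rest of that line is skipped
        return first, second
    finally:
        os.remove(path)
```

In this model, the completed line `failed logon for root` is never evaluated as a whole, so a match such as `*failed logon*` would not fire on it; applications that write each log line in a single operation avoid the gap.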

Paths

Each File Monitor supports one or more search paths. A search path can be a single file or, by using wildcards, a group of files. For example, to search all Internet Information Server logs, use a search path of C:\WINDOWS\SYSTEM32\LOGFILES\*.LOG, and check the Search Subfolders checkbox. This will cause all log files (HTTP, SMTP, NNTP, and FTP) in all of the sub-directories to be searched for the strings specified.

Important
The File Monitor path must include a filename, or a wildcard pattern. For example:  
 
 C:\Windows\windowsupdate.log
 C:\Windows\kb*.log
 
A path without a file name or pattern will cause the File Monitor to not do anything.

Add File Path

Each File Monitor supports one or more search paths. To add another file path, click the Add button.

Matches

Enter one or more character strings for the File Monitor search. Use the Add button to add a match, and use the Delete button to remove the selected match. Double-click any listed match string to edit it.

Note
There is an implied OR-operator between each line of the character strings. For example, given the following list of matches:
 
 *error*
 *root*
 *paycheck*
 
A line added to a monitored file and containing the string root will be found by the File Monitor.

Add Match

Enter the word or string you want to search for. You can click the Insert Variable button to insert a variable in the search string.

You can use the asterisk (*) as a wildcard character, a pipe (|) as an OR operator, and an ampersand (&) as an AND operator. For example, to search a flat file for the word error OR the word failed, use the following syntax: *error*|*failed*. Be sure to surround the character string with asterisks.

Click OK to save the match criteria.

Note
It is not possible to search for strings across multiple lines because the File Monitor reads in a line-by-line fashion. For example, searching for *failed logon* will work if the text is all on one line. If the text failed is on one line, followed by a carriage return in the file, and the text logon is on the next line, the File Monitor won't detect it.

Each string match added to the Matches tab will add a corresponding sub-tab to the Actions tab, so File Monitor Actions can be customized for each string found.
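The following added example is a small model of the match syntax described in this section, useful for checking match strings against sample lines before deploying them; it is not ELM's code. The function names and sample lines are constructed, and three behaviours the page does not state are assumptions: `&` binds tighter than `|`, a term must cover the whole line, and matching ignores case.

```python
# Added illustration of the match syntax on this page; not ELM's own code.
import re


def term_to_regex(term, ignore_case=True):
    # Only '*' is a wildcard; every other character is taken literally.
    body = ".*".join(re.escape(part) for part in term.split("*"))
    return re.compile(body, re.IGNORECASE if ignore_case else 0)


def match_fires(match, line, ignore_case=True):
    """True if one match string fires on one line.

    Assumptions (the page does not state them): '&' binds tighter than '|',
    a term must cover the whole line, and matching ignores case.
    """
    for alternative in match.split("|"):
        terms = [t for t in alternative.split("&") if t]
        if terms and all(term_to_regex(t, ignore_case).fullmatch(line)
                         for t in terms):
            return True
    return False


def monitor_hits(matches, lines, ignore_case=True):
    """(line number, match string) pairs; entries in `matches` are ORed."""
    return [(n, m) for n, line in enumerate(lines, 1)
            for m in matches if match_fires(m, line, ignore_case)]


# Constructed sample lines, not real log data.
SAMPLE = [
    "10:00:01 login ok for alice",
    "10:00:05 Error: disk quota exceeded",
    "10:00:09 session opened for root",
    "10:00:12 failed",                 # 'failed' ends this line ...
    "logon for root from console",     # ... and 'logon' starts the next
    "10:00:20 failed logon for root",
]
MATCHES = ["*error*|*failed*", "*failed*&*root*", "*failed logon*"]

if __name__ == "__main__":
    for n, m in monitor_hits(MATCHES, SAMPLE):
        print(f"line {n}: {m}")
    # Without the surrounding asterisks the term no longer fires.
    print(match_fires("error", SAMPLE[1]))
```

Lines 4 and 5 of the sample carry failed and logon on separate lines, so `*failed logon*` fires only on line 6, which is the line-by-line limitation described in the note above.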

Actions

Custom Action (Warning) 5532 - A custom action is added to the Actions list for each search string entered in the Match list (see Add Match above).

Monitoring Category

Displays the Monitoring Categories to which the Monitor item is assigned. Click to select or deselect Monitoring Categories. Click New to create or Properties to Edit Monitoring Categories.

Agents

Displays the Agents to which the Monitor item is assigned.  Click to select or deselect individual agents. Click New to deploy an agent or Properties to View/Edit an existing agent.

Schedule

Displays the Scheduled Interval and Scheduled Hours settings which control the frequency for the Monitor Item.

Scheduled Interval tab

Specify the interval at which the monitoring, polling or action is to occur. Depending on the Monitor Item type, Items can be scheduled in interval increments of Seconds, Minutes, Hours and Days. The Scheduled Interval is relative to the top of the hour or top of the minute. For example, if a Scheduled Interval is configured for 10 minutes, the Monitor Item will execute at hh:10:00, hh:20:00, hh:30:00, hh:40:00, hh:50:00, h1:00:00, etc. If a Scheduled Interval is configured for 15 seconds, the Monitor Item will execute at hh:00:15, hh:00:30, hh:00:45, hh:01:00, hh:01:15, etc.

Scheduled Hours tab

Select the days and/or hours this item is active. By default, the schedule is set to ON for all hours and all days. Mouse clicks toggle squares between ON and OFF. Clicking on an individual square will toggle the active schedule for that hour. Clicking on an hour at the top of the grid, or on a day of the week at the left of the grid will toggle the corresponding column or row. Keyboard equivalents are the arrow keys and the space bar.