Creating Log Monitors for Alerting
CHAPTER 9
Viewing and Adding Log Monitors
XpoLog uses its log monitoring engine to allow users to create log monitors, which scans for specific events in log streams.
When matching events are detected, the monitor sends an alert to one or more recipients.
- Read more about XpoLog's log monitoring tool.
Log Monitors – Adding Notification Channels
XpoLog can send messages to mail addresses, SNMP clients, Slack channels, Microsoft Teams, and PagerDuty endpoints.
To add any of these endpoints as a notification channel:
- Select “SETTINGS” > “System Settings”, and then “Notifications” from the XpoLog Manager navigation menu.
- The Notifications tab allows you to configure mail server connectivity, SNMP, Slack, Microsoft Teams and PagerDuty webhooks:
- Each channel will require different configuration parameters. The image below shows the fields necessary for configuring a Slack channel to receive XpoLog alerts:
After configuring a notification channel, it is possible to use the channel to:
- Receive system alerts (for XpoLog Admins)
- Send XpoLog monitor alerts
- Share search results from the XpoLog Search console
Adding Log Monitors
Access the log monitors console – from the XpoLog Manager navigation menu, select “MONITORS AND TASKS” and then “Monitors”:
The Monitors console shows the currently defined monitors in the system. There are some sample monitors that already ship with XpoLog.
A monitor with a clock icon on its left means it is scheduled. From the Monitors screen:
The Last Status column shows the monitor’s last execution status.
- A green-colored message means the search did not yield any result in the last monitor run.
- A red-colored message means the search yielded matching records in the last monitor run and alerts were sent.
Right-clicking on any monitor allows it to be edited, deleted, duplicated, run again or display its last execution status:
- It is possible to manually run, delete and export a monitor’s definition to XML format, or suspend one or more monitors from the monitor console.
- To perform any of these actions, select one or more monitors, and choose the action from the “ACTIONS” menu:
Adding a New Log Monitor
To add a new log monitor:
- Click the “ADD MONITOR” button and select “New Search Monitor” from the Monitors
- Give a name to the new monitor and define the search criteria. The image below shows the monitor will search for the string “404” in the Apache access log in a folder called “Apache HTTP Logs”:
- Next, specify the schedule for the monitor. The image below shows the monitor will run every fifteen minutes daily:
- Next, specify the failure alert policy, which controls when the alert is triggered and what happens when it fires. The image below shows the alert should fire every time an instance of the string “404” is found in the access log.
- Each matching event triggers the alert. Once triggered, the monitor will not send another alert for the next five minutes:
- In the same section, specify the method of alerting:
- Different alerting methods require different configuration parameters. Choosing the E-mail alert, for example, opens the following dialog box:
- Like the failure alert policy, you can specify the condition for a positive alert policy. By default, positive alerts are triggered with the first monitor success after a monitor failure.
- Specify the groups or users who can edit or view the monitor definition. The image below shows the XpoLog admin and the admin group have this privilege:
- Finally, add one or more App Tags to the monitor:
- Once all the sections have been configured, click “SAVE” on the upper right corner of the wizard to create the monitor.
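To make the alert policy concrete, here is the monitor configured above simulated in Python on constructed Apache access-log lines. This is an added example, not XpoLog's own code; it assumes the monitor is called once per scheduled run with the lines written since the previous run, and it matches the HTTP status field rather than the bare string “404” so that a URL containing “404” is not counted.

```python
import re
from datetime import datetime, timedelta

# Apache access log: timestamp in [...] and the three-digit status after the
# quoted request line. Matching the status field, not the bare string "404",
# avoids false hits on a URL that happens to contain "404" (an assumption).
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (timestamp, status) for a parseable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), int(m.group(2))

class SearchMonitor:
    """Failure alert per matching event, silenced for `suppress` after each alert;
    positive alert on the first clean run after a failing run."""
    def __init__(self, status=404, suppress=timedelta(minutes=5)):
        self.status, self.suppress = status, suppress
        self.last_alert = None        # event time of the last failure alert
        self.last_run_failed = False

    def run(self, lines, now=None):
        """One scheduled run over the lines written since the previous run.
        Returns the alerts emitted as (kind, timestamp) tuples."""
        alerts, matched = [], False
        for line in lines:
            parsed = parse_line(line)
            if parsed is None or parsed[1] != self.status:
                continue          # unparseable lines are skipped, not alerted on
            matched, ts = True, parsed[0]
            if self.last_alert is None or ts - self.last_alert >= self.suppress:
                alerts.append(("failure", ts))
                self.last_alert = ts
        if not matched and self.last_run_failed:
            alerts.append(("positive", now))
        self.last_run_failed = matched
        return alerts

# Constructed sample: four 404s within six minutes, one 200, one junk line.
SAMPLE = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /missing HTTP/1.1" 404 196 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:02:30 +0000] "GET /nope HTTP/1.1" 404 196 "-" "curl/8.0"',
    '10.0.0.7 - - [12/Mar/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
    '10.0.0.5 - - [12/Mar/2024:10:05:01 +0000] "GET /gone HTTP/1.1" 404 196 "-" "curl/8.0"',
    '10.0.0.5 - - [12/Mar/2024:10:06:00 +0000] "GET /gone2 HTTP/1.1" 404 196 "-" "curl/8.0"',
]
```

Running `SearchMonitor().run(SAMPLE)` yields two failure alerts (10:00:01 and 10:05:01; the 10:02:30 and 10:06:00 hits fall inside the five-minute window), and a following run with only 200 responses yields one positive alert.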
Conclusion
Monitoring automates the manual process of searching through logs for errors.
Creating and configuring log monitors and their alerts ensures no errors are missed.
Administrators need to carefully consider the types of errors and warnings they want to look for and design the monitors accordingly.