Creating Log Monitors for Alerting

CHAPTER 9

scan logs for alerts.

Viewing and Adding Log Monitors

XpoLog uses its log monitoring engine to allow users to create log monitors, which scan for specific events in log streams.

When matching events are detected, the monitor sends an alert to one or more recipients.

Log Monitors – Adding Notification Channels

XpoLog can send messages to mail addresses, SNMP clients, Slack channels, Microsoft Teams, and PagerDuty endpoints.

To add any of these endpoints as a notification channel:

  • Select “SETTINGS” > “System Settings”, and then “Notifications” from the XpoLog Manager navigation menu.

set up notification channels for your log monitors

  • The Notifications tab allows you to configure mail server connectivity, SNMP, Slack, Microsoft Teams and PagerDuty webhooks:

adding log monitoring channels - receive alerts via email, slack, pager duty, MS Teams, more

  • Each channel will require different configuration parameters. The image below shows the fields necessary for configuring a Slack channel to receive XpoLog alerts:

Slack settings - monitoring configurations

After configuring a notification channel, it is possible to use the channel to:

  • Receive system alerts (for XpoLog Admins)
  • Send XpoLog monitor alerts
  • Share search results from the XpoLog Search console

Adding Log Monitors

Access the log monitors console – from the XpoLog Manager navigation menu, select “MONITORS AND TASKS” and then “Monitors”:

accessing the log monitor console

The Monitors console shows the currently defined monitors in the system. There are some sample monitors that already ship with XpoLog.

A monitor with a clock icon to its left is scheduled. On the Monitors screen, the Last Status column shows the monitor’s last execution status:

  • A green-colored message means the search did not yield any result in the last monitor run
  • A red-colored message means the search yielded matching records in the last monitor run and alerts were sent.


Right-clicking on any monitor allows it to be edited, deleted, duplicated, run again or display its last execution status:


  • It is possible to manually run, delete and export a monitor’s definition to XML format, or suspend one or more monitors from the monitor console.
  • To perform any of these actions, select one or more monitors, and choose the action from the “ACTIONS” menu:


Adding a New Log Monitor

To add a new log monitor:

  • Click the “ADD MONITOR” button and select “New Search Monitor” from the Monitors console

Creating log monitor

  • Give a name to the new monitor and define the search criteria. The image below shows a monitor that searches for the string “404” in the Apache access log in a folder called “Apache HTTP Logs”. Note that a plain substring search for “404” also matches the same digits in other fields of an access-log record (a response size of 4041 bytes, a path containing 404), so where the log is parsed into fields, constrain the criteria to the status field:

apache access log monitor - error 404 page not found

  • Next, specify the schedule for the monitor. The image below shows the monitor will run every fifteen minutes daily:

schedule a log monitor

  • Next, specify the failure alert policy, which controls when the alert is triggered and what happens when it fires. In the image below, the alert fires every time an instance of the string “404” is found in the access log.
  • Each matching event causes the monitor to trigger the alert. Once triggered, the monitor will not send another alert for the next five minutes:


  • In the same section, specify the method of alerting:

specify the method of alerting

  • Different alerting methods require different configuration parameters. Choosing the E-mail alert, for example, opens the following dialog box:

setting a new email alert

  • Like the failure alert policy, you can specify the condition for a positive alert policy. By default, positive alerts are triggered with the first monitor success after a monitor failure.


  • Specify the groups or users who can edit or view the monitor definition. The image below shows that the XpoLog admin user and the admin group have this privilege:


  • Finally, add one or more App Tags to the monitor:


  • Once all the sections have been configured, click “SAVE” on the upper right corner of the wizard to create the monitor.

Conclusion

Monitoring automates the manual process of searching through logs for errors.

Creating and configuring log monitors and their alerts ensures that no errors are missed.

Administrators need to carefully consider the types of errors and warnings they want to look for and design the monitors accordingly. A criterion as broad as “404” on a busy web server fires on every scan and teaches recipients to ignore the channel, so narrow the search (a specific path, source or status field) to events that actually warrant a response. Treat the webhook URLs and mail credentials configured under Notifications as secrets, and use the monitor’s edit/view privileges to limit who can change alert definitions.
