LogWatch is the Chroniker Suite module for monitoring log files. Through its user interface you can manage the log files of several applications in one place. Once you specify the log events that matter to you, the LogWatch agent scans the log files and alerts you when those key events occur.
Some common terms that are critical for using LogWatch are listed below:
LogWatch Agent
A LogWatch agent is installed on each server that holds the log files to be monitored. It scans those files for the key events you specify and sends the matching messages back to the Chroniker server.
Dashboard
A Dashboard is a view that displays log files monitoring information in a logical manner that YOU define. You can define multiple dashboards so each person accesses the views that mean the most to him or her.
Facility
A Facility is a set of one or more log files that you specify which share the following characteristics: agent, scan frequency, filters, and events. You can define multiple Facilities per agent. An example of how a Facility may be used is to group all the log files of a certain application.
Filters
A filter is the regular expression (a string pattern) that the agent uses to scan the log files for the key events you define. For example, the expression "error.*" matches any line in the log file that contains the word "error". If no regular expression is specified, the filter matches every line of the log file.
Events
Events are assigned to Facilities and launch your predefined reactions when the conditions you define are met. An Event is defined primarily by its alert level: Error, Warning, Information or Display. For each alert level you specify one filter and, except for Display, up to two reactions that are triggered when a log message matching that filter is detected.
Template
A Template is a saved set of Event Management parameters (the filter and reaction assignments of a Facility) that can be applied to other Facilities instead of defining the events again.
LogWatch Agent Installation
For Windows Servers:
To run LogWatch, you need to install a LogWatch agent on every Windows server containing the log files you want to monitor. The LogWatch agent monitors and filters the log files, then reports the matching log messages back to Chroniker.
Chroniker Suite comes with a local LogWatch Agent which can monitor Windows events and log files on the server where Chroniker is installed.
If you need agents for additional Windows servers, download the LogWatch agent appropriate to your platform from: http://www.nrgglobal.com/downloads/logwatch_agent_downloads.php
Follow the installer prompts. Specify the installation path and the agent listener port when asked. Chroniker Base connects to the agent on this port, so at the host firewall allow it only from the Chroniker server's address.
For all other servers and network devices:
LogWatch receives syslog messages from your other servers and syslog-enabled devices, so you need to enable syslog forwarding on each device whose logs you want to monitor. Plain syslog (UDP port 514) is sent in cleartext and without authentication, so keep the path between those devices and the Chroniker server on a trusted network or inside a VPN tunnel. For detailed instructions, refer to the "Configuring Syslog Enabled Devices" section.
LogWatch Configuration
After the LogWatch agents are installed, set up the log files to be monitored in the Chroniker LogWatch module by:
- Defining each LogWatch agent so that Chroniker Base can connect to it
- Creating a dashboard that lets you view log monitoring information in a logical manner that YOU define
- Organizing the logs from all the agents into Facilities. A Facility is a set of one or more log files that share the same agent, scan frequency, filters and events. You can define multiple Facilities per agent; for example, a Facility may group all the log files of one application.
1. Define the LogWatch Agent:
- In the Chroniker LogWatch Tools menu, click on “Log Agents”
- Once in the LogWatch Agents page, click on the “Add New Agent” button
- Specify the agent type, hostname, IP address and port number (the listener port chosen when the agent was installed)
2. Create a Dashboard:
- Click the Add New Dashboard icon in the menu located in the top right corner of the LogWatch home page (it is the first icon on the right)
- Once on the Add/Edit Dashboards window:
- Enter the name of the dashboard
- Select the accessibility rights:
- None: only the person that created the dashboard can access it
- Group: only the user group of the person that created the dashboard can access it
- All: all Chroniker users can access the dashboard
- Type in a quick description of what the dashboard will be monitoring
- Check "Set as Default" if you want this dashboard to be your default dashboard
- If you need to clear the Add/Edit Dashboards window, press the Reset button
- If you wish to cancel the creation of the dashboard, click the Cancel button
- Press the Add button to finish
3. Add a Facility:

A Facility is a logical grouping of multiple log files on one agent. A Facility can have more than one log file, and an agent can have more than one Facility. The purpose of a Facility is for simplicity in monitoring: so you can view all log messages in one place, apply the same filters and reactions to all the logs in the Facility, etc. An example of how a Facility may be used is to group all the log files of a certain application.
- Click the Add Facility icon, which is the plus icon to the right of the Dashboard name.
- Once in the Add Facility page, fill out the form:
- Specify a name for the Facility
- Select the agent from the drop-down list
- If the agent is running on Windows, you will see a list of Windows event logs (Application, Security and System). Select the ones you want to monitor
- Enter a quick description
- Define the different events by selecting, for each alert level, the appropriate filter from the drop-down list. A filter is the regular expression (a string pattern) that the agent uses to scan the log files for the key events you define. To create a new filter, click the "Add" button and refer to the "Create New Filter" section below.
- Then select, for each alert level, the reactions you want to assign from the drop-down list. Reactions are carried out when the event they are assigned to is triggered. You can assign up to two reactions to each alerting event (Error, Warning, Information). Reaction types include E-mail, SNMP Trap, Numerical Page and Custom Reaction (a script). To create a new reaction, click the "Add" button and refer to the "Add New Reaction" section below.
- Check "Save Event Management parameters as a template" if you want to save these parameters for future use.
Note: The template name will be set automatically to <Facility Name>_template.
- Click "Add" and you will see the Facility created and displayed under the dashboard list in the left pane.
Create New Filter:
Filter identifies the regular expression, a string pattern, that the agent will use to scan the log files for the key events that you specify.
To create a new filter:

- In the Chroniker LogWatch Tools menu, click on “Filters”
- Once in the Filters page, click on “Add New Filter” button
- Fill out the form:
- Create a filter alias
- Select the filter category from the drop-down list
- Enter the regular expression for this filter.
- Regular expression is a way to specify a set of possible string patterns that you want to match in the log file. For example, the expression "error.*" will return any line in the log file that contains the key word "error".
Note: If this field is left blank then all lines from the log file will be matched for this filter.
- Enter a quick description about the filter.
- Click "Add"
- If you want to assign this filter to an existing Facility, edit the Facility:
- Click the Edit Facility icon next to the Facility you want to edit to display the edit form
- Make the necessary changes
- Click the Update button
Add New Reaction:
Reactions are launched when an event they are assigned to occurs. A reaction can alert you by e-mail or numerical page, send an SNMP trap, or execute a custom command (a script). Because log lines can contain attacker-supplied text, pair a custom reaction with a filter specific enough that untrusted input cannot trigger it at will.
To add a new reaction:
- Click “Reactions” in the Tools menu of the Chroniker window
- Click “Add New Reaction”
- Click the type of reaction you want to create: Email, Custom, Numerical Page or SNMP trap
- Fill out the form and click “Add”
- If you want to assign this reaction to an existing Facility, edit the Facility:
- Click the Edit Facility icon next to the Facility you want to edit to display the edit form
- Make the necessary changes
- Click the Update button
For detailed help about Reactions, refer to the Reactions help page.
LogWatch receives syslog messages from network devices and displays them in real time.
Configuring Syslog in:
Unix / Linux Host
Cisco Router
Cisco PIX
DLink DL-840V Router
DLink DFL-700 Firewall
FREESCO Router / Firewall
HP JetDirect Printer
LinkSys Wireless VPN Router
Netgear / ZyXEL RT311 / RT314
SonicWALL Firewall
Symantec Firewall / VPN 200
WatchGuard SOHO Firewall
Configuring a Unix / Linux host
On a Unix host you need super-user privileges to:
- Modify the files /etc/syslog.conf and /etc/hosts
- Add the Chroniker hostname to the /etc/hosts file, so that the forwarding target does not depend on DNS
- Restart (HUP) the syslog daemon on the Unix server
A sample hosts file (/etc/hosts)
#
# Internet host table
#
127.0.0.1 localhost
10.0.0.31 chroniker
A sample syslog.conf file (/etc/syslog.conf). Separate each selector from its action with a tab character; classic syslogd does not accept spaces there.
# Syslog configuration file.
#
*.err;kern.notice;auth.notice	/dev/console
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none	/var/log/messages
# Log all the mail messages in one place.
mail.*	/var/log/maillog
# Log cron stuff
cron.*	/var/log/cron
*.emerg	@chroniker
Note: the last line forwards only emergency-level messages to Chroniker. To forward every message of level info or higher, use "*.info @chroniker" instead. Remember that syslog over the network is sent in cleartext and without authentication, so the Chroniker listener should be reachable only from your own hosts.
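To check what a selector line actually forwards before you HUP the daemon, here is an added example (not from the Chroniker documentation) that evaluates classic syslog.conf selectors against a message's facility and priority. It implements the standard syslogd semantics: a priority selects that level and every more severe one, "*" stands for any facility or priority, "none" excludes a facility, and later selectors on the same line override earlier ones for the facilities they name. The configuration text is a constructed, tab-separated copy of the sample above, and the facilities and priorities it is queried with are made up for the demonstration.

```python
import re

# Added example, not part of the Chroniker documentation: evaluates classic
# syslog.conf selectors so you can check what a rule forwards before HUPping
# syslogd. Semantics: "facility.priority" selects that priority and every more
# severe one, "*" stands for any facility or priority, "none" excludes a
# facility, selectors on one line are separated by ";", and later selectors on
# the same line override earlier ones for the facilities they name.

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_rule(line):
    """Return (selectors, action) for one config line, or None for blank/comment lines."""
    line = line.split("#", 1)[0].rstrip()
    if not line.strip():
        return None
    # Classic syslogd requires a TAB between selector and action;
    # any whitespace is accepted here so the page's sample can be pasted as-is.
    selector_part, action = re.split(r"\s+", line.strip(), maxsplit=1)
    selectors = []
    for sel in selector_part.split(";"):
        facilities, priority = sel.rsplit(".", 1)
        priority = ALIASES.get(priority, priority)
        if priority not in PRIORITIES + ["*", "none"]:
            raise ValueError(f"unknown priority {priority!r} in {line!r}")
        for facility in facilities.split(","):   # "kern,daemon.err" style lists
            selectors.append((facility, priority))
    return selectors, action


def rule_matches(selectors, facility, priority):
    """Apply selectors left to right; the last one naming the facility decides."""
    matched = False
    for sel_facility, sel_priority in selectors:
        if sel_facility not in ("*", facility):
            continue
        if sel_priority == "none":
            matched = False
        elif sel_priority == "*":
            matched = True
        else:
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(sel_priority)
    return matched


def actions_for(config, facility, priority):
    """Every action (file, device or @host) that receives facility.priority messages."""
    actions = []
    for line in config.splitlines():
        parsed = parse_rule(line)
        if parsed and rule_matches(parsed[0], facility, priority):
            actions.append(parsed[1])
    return actions


def forwarded_to(config, host, facility, priority):
    """True if the config sends facility.priority messages to the remote host."""
    return f"@{host}" in actions_for(config, facility, priority)


# Constructed copy of the page's sample /etc/syslog.conf, tab-separated
SAMPLE_CONF = """\
# Syslog configuration file.
*.err;kern.notice;auth.notice\t/dev/console
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
*.info;mail.none;authpriv.none;cron.none\t/var/log/messages
mail.*\t/var/log/maillog
cron.*\t/var/log/cron
*.emerg\t@chroniker
"""

# Same file with the forwarding rule widened so Chroniker sees info and above
WIDER_CONF = SAMPLE_CONF.replace("*.emerg\t@chroniker", "*.info\t@chroniker")

if __name__ == "__main__":
    for facility, priority in [("auth", "err"), ("kern", "emerg"), ("daemon", "warning")]:
        print(f"{facility}.{priority}: sample -> {actions_for(SAMPLE_CONF, facility, priority)}"
              f", wider -> {actions_for(WIDER_CONF, facility, priority)}")
```

Run against the sample file, an auth.err message (a failed login, say) reaches the console and the local files but never "@chroniker"; only emergencies do. With the widened rule the same message is forwarded, while auth.debug still is not, which is the trade-off the selector syntax lets you make explicitly.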
Configuring a Cisco Router
To configure a Cisco router to send syslog messages to Chroniker Base, follow the instructions below:
Connect to the router via SSH, Telnet or the console and enter enable mode (prefer SSH or the console; Telnet sends the enable password in cleartext).
Enter the following commands from the enable prompt on the router:
configure terminal
logging on
logging facility local7 (or any other facility you want to allocate for this router)
logging [Chroniker Base's IP address or hostname]
end
Optionally, "logging trap <level>" sets the least severe level that is sent to the syslog server; the default is informational.
For more information on Cisco logging commands, refer to the Cisco web site at:
www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtf/csprtf4/cstroubl.htm
Configuring a Cisco PIX
To enable the sending of syslog messages from a Cisco PIX Firewall to Chroniker Base, refer to the Cisco web site:
www.cisco.com/warp/public/110/pixsyslog.html
PIX log message information links:
www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm
www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm
www.cisco.com/cgi-bin/Support/Errordecoder/home.pl
www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
Sending syslog messages from your PIX through a secure VPN tunnel (recommended whenever the PIX and Chroniker Base are not on the same trusted network):
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094469.shtml
Configuring a DLink DL-840V Router
To configure a DLink DL-840V to send syslog messages to Chroniker Base, follow the instructions below:
- The router must be installed and working
- Open a web browser to the configuration panel: http://192.168.0.1
- Click the "Advanced Settings" tab in the top navigation bar
- Select "Administration Settings" in the left side navigation bar
- Under "SYSTEM Log", click "Enable System Log Function"
- Enter the IP address of the computer where Chroniker Base is installed
Configuring a D-Link DFL-700 Firewall
To configure a D-Link DFL-700 to send syslog messages to Chroniker Base, follow the instructions below:
- The firewall must be installed and working
- Open a web browser to the configuration panel: http://192.168.0.1
- Click the "System" tab in the top navigation bar
- Select "Logging" in the left side navigation bar
- Check the Syslog check box
- In the box named "Syslog Server 1", enter the IP address of the computer where Chroniker Base is installed
- Choose a syslog facility to use (Local0 to Local7 is recommended)
For more information, refer to: http://support.dlink.com/products/view.asp?productid=DFL%2D700
Configuring a FREESCO Router/Firewall
To configure FREESCO to send syslog messages to Chroniker Base, follow the instructions below:
- Log in to the FREESCO PC as root
- At the prompt, type:
edit /boot/etc/syslog.cfg
- Once the syslog.cfg file is open, add the following entry on a new line at the bottom of the file:
*.*<press tab key>@<Chroniker Base IP Address>
Example:
*.*	@10.0.0.99
Note: do not include any space between @ and the IP address. "*.*" forwards every message of every facility and level; use a narrower selector such as "*.info" if you do not want debug output sent over the network.
- Press the Enter key at the end of the entry to ensure there is a blank line at the bottom of the file
- Press Alt-S to save the file
- Press Alt-X to exit the editor
- Reboot the FREESCO computer for the new settings to take effect
Configuring an HP JetDirect Printer
To configure an HP JetDirect printer to send syslog messages to Chroniker Base, follow the instructions below:
- In your web browser, go to: http://<printer_server_address>:8000
Example: http://10.0.0.99:8000
- Once the page is loaded, click on the HP logo to enter the main menu
- Select the printer you want to configure from the list of available devices
- Click on the Configuration link
- In the left side menu, click on the Network link
- In the System Log Server field, enter the IP address of the machine where Chroniker Base is hosted
- Click the Apply button to save these settings
Configuring a LinkSys Wireless VPN Router
To configure a Linksys Wireless-G VPN broadband router to send syslog messages to Chroniker Base, follow the instructions below:
- Log in to the LinkSys router using a web browser
- Click the Administration tab
- Click the Log sub-tab
- Under the Syslog Notification section, set the option to Enabled
- Enter a unique device name to identify the log messages, or leave the option set to "LinkSys"
- Enter the IP address of the machine hosting Chroniker Base
- Set the types of syslog messages you would like sent to Chroniker Base. Informational is the default; to send all messages, set the priority to debug
- Under the Alert Log section, check the alerts you would like to be notified about
- Under the General Log section, check the messages you would like to be notified about
- Click Save Settings to save your changes
Configuring a Netgear/ZyXEL RT311/RT314
The syslog configuration is not available from the web interface and can only be done from the telnet command line interface, in the following menu:
Menu 24.3.2 - System Maintenance - UNIX Syslog
Syslog:
Active= Yes
Syslog IP Address= xxx.xxx.xxx.xxx (the IP address of the machine hosting Chroniker Base)
Log Facility= Local 1 (use the same facility you allocate to this device on the syslog side)
Types:
CDR= Yes
Packet triggered= Yes
Filter log= Yes
PPP log= Yes
The information above is from: www.netgear.org
Configuring a SonicWALL Firewall
To configure SonicWALL firewall appliances to send syslog messages to Chroniker Base, follow the instructions below:
- Connect to the SonicWALL Management Interface using a web browser
- Log in using your username and password
- In the left side menu, click the Log button
- A window will open in the main display
- Click the Log Settings tab
- Under the Sending the Log heading, enter the IP address of the machine hosting Chroniker Base in the "Syslog Server 1" field
- If the listener is not on the default port 514, enter the port number in the "Syslog Server Port 1" field
- Under the Automation heading, set the Syslog Format to Webtrends
- Under the Categories heading, Log subheading, check all the types of events that you would like to receive syslog messages for
- Click the Update button
- Reboot the SonicWALL for the new settings to take effect
Configuring a Symantec Firewall/VPN 200
To configure a Symantec Firewall/VPN 200 to send syslog messages to Chroniker Base, follow the instructions below:
- Connect to the management console using a web browser
- Under the Advanced section on the left side, click the Log Settings link
- In the Syslog Server field, enter the IP address of the machine hosting Chroniker Base
- Check the message types you want sent to Chroniker Base, such as System, Debug, Blocked, Dropped and Attack
- Click the Save button to save your changes
Configuring a WatchGuard SOHO Firewall
To configure a WatchGuard SOHO to send syslog messages to Chroniker Base, follow the instructions below:
- Open the configuration interface of the SOHO
- Click System Administration
- Click System Logging
- Check the Enable Syslog Output box
- Enter the IP address of the machine hosting Chroniker Base
- Click Submit for your changes to take effect
- The SOHO will then reboot
Access the LogWatch home page by clicking the LogWatch link on the Chroniker main page. By default the LogWatch home page displays the log messages of the default dashboard.
Dashboard (Left Side Pane)
In the left side pane, you will see:
The current dashboard name
A list of Facilities belonging to this dashboard
The dashboard control buttons at the top
Dashboard Buttons
Dashboard buttons, which allow you to manage dashboards, are listed next to the Dashboard Name. From left to right, they are:
Switch Dashboard
Click the icon to the left of the Dashboard Name to view a list of other existing dashboards. You can only see the dashboards you have permission to access.
Add Facility
Click to add a new Facility to the current dashboard.
Edit Dashboard
Click to edit the current dashboard.
Del. Dashboard
Click to remove the current dashboard.
** For details about Dashboards, refer to the "Managing Dashboards" section
Facility Buttons
Next to each Facility there are buttons that allow you to manage that specific Facility. From left to right, they are:
Alert Status Icons
The highest alert status (most urgent or critical) among the log messages belonging to the Facility is shown next to the Facility name:
Error - the highest alert status (most critical). You can assign up to 2 reactions to this level.
Warning - the second highest alert status. You can assign up to 2 reactions to this level.
Information - the least critical alert. You can assign up to 2 reactions to this level.
Display - for log messages that you want displayed in Chroniker without triggering an alert. No reactions can be assigned to this level.
No alert - there are no log messages in this Facility, or all of its log messages have been acknowledged.
Facility Name
Clicking the Facility name displays the log messages of this Facility in the right pane.
Edit Facility
Click to edit this Facility.
Del. Facility
Click to remove this Facility.
** For details about Facilities, refer to the "Managing Facilities" section
Control Buttons
There are control buttons in the top right corner of the LogWatch home page. From top to bottom, they are:
Add New Dashboard
Click the Add New Dashboard button to define a new dashboard.
Switch Dashboard
Click the Switch Dashboard button to switch to another dashboard. You can only see the dashboards you have permission to access.
Active Alerts
Click the Active Alerts button to display the Facilities whose current alert status is Error, Warning, Information or Display.
Historical View
Click the Historical View button to switch from the current view to the historical view, which displays historical log messages belonging to the current dashboard.
Click the button again to switch from the historical view back to the current view.
Note: Log messages are moved from the current view to the historical view after the number of days specified in the LogWatch Archiving Options. The default value is 15 days.
Agents
Click the Agents button to view the LogWatch Agents page.
Filters
Click the Filters button to view the Filters page.
Launch Wizard
Click the Launch Wizard button to open the LogWatch wizard, which walks you through the steps needed to set up log file monitoring.
Refresh
Click to refresh the Facilities in the left pane, so you can view their latest status and their latest log messages in the right pane.
Right Side Pane
The right side pane shows the details of whatever you select in the left pane. It can display:
The log messages table of the current dashboard (the default)
The log messages table of a specific Facility selected in the left pane
The historical view of log messages
The active alerts list
The form for creating or editing dashboards, Facilities, templates, agents and filters
Log Messages Table Columns
Table columns, starting from the left:
Acknowledge shows an icon to acknowledge the log message, or a green check mark for messages that have already been acknowledged.
Click the icon next to a log message to acknowledge that specific message. The icon changes to the green check mark.
Hover over the check mark to see who acknowledged the message and when.
To acknowledge all the messages displayed in the table, click the icon in the table header.
Status displays color-coded icons reflecting the log message status.
Log Message Status Color Code:
Error - error log messages are shown in red
Warning - warning messages are shown in orange
Information - information event messages are shown in blue
Display - display event messages are shown in green
Timestamp displays the date and time of the log message.
Facility shows the name of the Facility the log message belongs to.
Agent lists the hostname or IP address of the agent on which the log message was generated.
Message displays the actual log message.
Click the small blue triangle to expand the row and view the rest of the message.
Sorting the Log Messages Table
The Log Messages table can be sorted by clicking one of the following table headings: Status, Timestamp, Facility, Agent and Message. An arrow in the column heading indicates how the table is currently sorted, ascending or descending.
Log Messages Table Options
Below the log messages table, you will find the following options:
Results per page: Select from the drop-down list the number of log messages displayed per page.
Page Refresh Interval (sec): Select from the drop-down list the number of seconds after which the page refreshes to show the latest log messages.
Show Logs: Select the date range you want the table to cover.
Filter Messages: Select the type of filter you want to apply to the log messages.
A LogWatch agent is installed on each server that holds the log files to be monitored. It scans those files for the key events you specify and sends the matching messages back to the Chroniker server.
Agent installation is described under "LogWatch Agent Installation" above: install an agent on every Windows server whose log files you want to monitor, and enable syslog forwarding on all other servers and network devices as described under "Configuring Syslog Enabled Devices".
Define New Agent in Chroniker Base
In the Chroniker LogWatch Tools menu, click on “Log Agents”.
Once in the LogWatch Agents page, click on the “Add New Agent” button.
Specify the agent type, hostname, IP address and port number (the listener port chosen when the agent was installed).
Click "Add" and you will see the new agent added to the agents table.
Edit LogWatch Agent
In the Chroniker LogWatch Tools menu, click on “Log Agents”.
Once in the LogWatch Agents page, find the agent you wish to edit.
Click the Edit icon corresponding to the agent. This brings up the Edit Agent page.
Make your modifications.
Click "Update".
Delete LogWatch Agent
In the Chroniker LogWatch Tools menu, click on “Log Agents”.
Once in the LogWatch Agents page, find the agent you wish to delete.
Click the Trash can icon corresponding to the agent you wish to delete. Click OK to confirm.
A Dashboard is a view that displays log files monitoring information in a logical manner that YOU define. You can define multiple dashboards so each person accesses the views that mean the most to him or her.
To view the Dashboard menu, click the icon to the left of the dashboard name in the left pane of the LogWatch page. A menu is displayed with the following options:
Switch Dashboard
Click the icon to the left of the Dashboard Name to view a list of other existing dashboards. You can only see the dashboards you have permission to access.
Add Facility
Click to add a new Facility to the current dashboard.
Edit Dashboard
Click to edit the current dashboard.
Del. Dashboard
Click to remove the current dashboard.
Create a Dashboard
Click the Add New Dashboard icon, which is located in the top right corner of the LogWatch home page (it is the first icon on the right).
Once on the Add/Edit Dashboards window:
Enter the name of the dashboard
Select the accessibility rights:
None: only the person that created the dashboard can access it
Group: only the user group of the person that created the dashboard can access it
All: all Chroniker users can access the dashboard
Type in a quick description of what the dashboard will be monitoring
Check "Set as Default" if you want this dashboard to be your default dashboard
If you need to clear the Add/Edit Dashboards window, press the Reset button.
If you wish to cancel the creation of the dashboard, click the Cancel button.
Press the Add button to finish.
Dashboard Permissions
When creating a dashboard, you select the accessibility rights to your dashboard, which are:
None: only the person that created the dashboard can access it.
Group: only the user group of the person that created the dashboard can access it.
All: all Chroniker users can access the dashboard.
A dashboard's permissions also decide who can read the log messages it shows, so grant "All" only to dashboards whose Facilities contain nothing sensitive; a dashboard built on the Windows Security event log or on authentication messages should normally stay at None or Group.
Switch to Another Dashboard
Click the Switch Dashboard icon, located among the dashboard tools of the LogWatch home page.
Once on the Select Default Dashboard window, select the desired dashboard from the drop-down list.
Click Update.
Note: you can only see the dashboards you have permission to access.
Edit Dashboard
Click the Edit Dashboard icon next to the current dashboard name.
The dashboard form is displayed in the right pane.
Make the necessary changes.
Click the Update button.
Delete Dashboard
Click the Del. Dashboard icon next to the current dashboard name.
Click OK to confirm.
A Facility is a logical grouping of multiple log files on one agent. A Facility can have more than one log file, and an agent can have more than one Facility. The purpose of a Facility is for simplicity in monitoring: so you can view all log messages in one place, apply the same filters and reactions to all the logs in the Facility, etc. An example of how a Facility may be used is to group all the log files of a certain application.
To view the Facility icons, look to the right of the Facility name in the left pane of the LogWatch page. The icons offer the following options:
Edit Facility: edit this Facility
Del. Facility: remove this Facility
Create a Facility
Click the Add Facility icon, located to the right of the Dashboard name.
Once in the Add Facility page, fill out the form:
Specify a name for the Facility
Select the agent from the drop-down list
Enter the scan frequency in seconds for monitoring the log files in this Facility. A shorter interval delivers alerts sooner at the cost of more frequent file reads on the monitored server; choose the longest interval your alerting needs allow.
If the agent is running on Windows, you will see a list of Windows event logs (Application, Security and System). Check the ones you want to monitor
Type in the full path of the log file to be monitored on the server where the selected agent is installed
Note: If you want to monitor more than one log file in this Facility, click the "Add another file" link.
A new field is added where you can enter the full path of another log file.
Repeat this step until all log files are added.
Enter a quick description
Define the different events by selecting the appropriate filter and reactions for each one of them (for details, refer to the "Event Management" section below)
OR apply a pre-defined template from the drop-down list on the right.
Check "Save Event Management parameters as a template" if you want to save these parameters for future use.
Note: The template name will be set automatically to <Facility name>_template.
To learn more about Templates, refer to the "Filter Template" section.
Click "Add" and you will see the Facility created and displayed under the dashboard list in the left pane.
Event Management
LogWatch allows you to assign up to four events to each Facility. The four event types are:
Error Event - error event messages are shown in red
Warning Event - warning event messages are shown in orange
Information Event - information event messages are shown in blue
Display Event - display event messages are shown in green and have no reactions associated with them
Every event is associated with one filter and (except for Display) up to two reactions:
- Select the appropriate filter from the drop-down list for each alert type.
- A filter is the regular expression (a string pattern) that the agent uses to scan the log files for the key events you define. An empty filter matches every line, so reserve it for the Display event; on Error, Warning or Information it would trigger the reactions for every message the agent reads.
- If you want to create a new filter, select <New> from the drop-down list and refer to the "Create New Filter" section below.
- Select the reactions you want to assign to each alert type from the drop-down list.
- Reactions are carried out when the event they are assigned to is triggered. You can assign up to two reactions to each alerting event (Error, Warning, Information). Reaction types include E-mail, SNMP Trap, Numerical Page and Custom Reaction (a script).
- If you want to create a new reaction, click the "Add" button and refer to the "Add New Reaction" section below.
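The following is an added example, not Chroniker's own code, that models the event management described here and the filter matching described under Filters: a Facility with Error, Warning, Information and Display events, one regular-expression filter each (an empty filter matching every line), up to two reactions per alerting event and none on Display, run over constructed log lines to produce the per-line classification and the Facility's alert status. The severity order used when a line matches several filters, the case-insensitive search and the reaction names are assumptions of the example, not documented LogWatch behavior.

```python
import re
from dataclasses import dataclass

# Added example, not Chroniker code: models a LogWatch Facility's event
# management (Error/Warning/Information/Display, one filter each, up to two
# reactions on all but Display) and runs it over constructed log lines.
# Assumptions: when a line matches several filters the most severe event wins,
# matching is a case-insensitive search anywhere in the line, and reactions
# are represented by their names only.

LEVELS = ["Error", "Warning", "Information", "Display"]   # most to least severe


@dataclass
class Event:
    level: str
    pattern: str               # regular expression; "" matches every line
    reactions: tuple = ()      # up to two reaction names

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")
        if self.level == "Display" and self.reactions:
            raise ValueError("Display events carry no reactions")
        if len(self.reactions) > 2:
            raise ValueError("at most two reactions per event")
        # an empty filter matches everything, exactly the pitfall the text warns about
        self.regex = re.compile(self.pattern or ".*", re.IGNORECASE)

    def matches(self, line):
        return self.regex.search(line) is not None


@dataclass
class Facility:
    name: str
    events: list

    def classify(self, line):
        """Return (level, reactions) of the most severe matching event, or None."""
        for level in LEVELS:
            for ev in self.events:
                if ev.level == level and ev.matches(line):
                    return level, list(ev.reactions)
        return None

    def scan(self, lines):
        """Classify each line; lines matching no event are dropped, as the agent would."""
        hits = []
        for line in lines:
            result = self.classify(line)
            if result:
                hits.append((result[0], result[1], line))
        return hits

    def alert_status(self, lines):
        """Highest (most severe) level among matched lines, or 'No alert'."""
        levels = {level for level, _, _ in self.scan(lines)}
        for level in LEVELS:
            if level in levels:
                return level
        return "No alert"


# Constructed sample log lines (not real captures)
SAMPLE_LINES = [
    "Mar  3 10:01:12 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.5",
    "Mar  3 10:01:40 web1 sshd[2212]: Failed password for root from 203.0.113.9",
    "Mar  3 10:02:03 web1 app[3030]: ERROR database connection refused",
    "Mar  3 10:02:05 web1 app[3030]: warning: retrying in 5s",
    "Mar  3 10:02:09 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]


def build_facility():
    """A Facility with all four events; filters and reaction names are made up."""
    return Facility("web1-app", [
        Event("Error", r"error|failed password", ("email-oncall", "snmp-trap")),
        Event("Warning", r"warning", ("email-oncall",)),
        Event("Information", r"accepted publickey"),
        # Display with an empty filter: every remaining line is shown, none alerts
        Event("Display", ""),
    ])


if __name__ == "__main__":
    facility = build_facility()
    for level, reactions, line in facility.scan(SAMPLE_LINES):
        print(f"{level:<12} {reactions} {line}")
    print("alert status:", facility.alert_status(SAMPLE_LINES))
```

Putting the empty filter on Display is what keeps the cron line visible without paging anyone; moving it to the Error event would fire both reactions for every line the agent reads, including the routine ones.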
Create New Filter:
A filter is the regular expression (a string pattern) that the agent uses to scan the log files for the key events you specify.
To create a new filter from the Facility form:
- In the Facility form, click on Filters.
- Click on Add New Filter.
- Fill out the form:
- Create a filter alias
- Select the filter category from the drop-down list: Security, Critical or Warning
- Enter the regular expression for this filter.
- A regular expression specifies a set of string patterns that you want to match in the log file. For example, the expression "error.*" matches any line in the log file that contains the word "error". To learn more, refer to the "Regular Expressions" section under the Filters chapter.
Note: If this field is left blank, then all lines from the log file will be matched by this filter.
- Enter a quick description of the filter.
- Click "Add"
- You will be redirected back to the Facility form, where you can finish setting up your Facility.
Add New Reaction:
Reactions are launched when an event they are assigned to occurs. Reactions can alert you through email or numerical page. They can also execute a custom command or an SNMP trap when they are triggered.
To add a new reaction:
- Click on “Reactions” in the Tools menu.
- Click on “Add New Reaction”
- Click on the type of the reaction you want to create: Email, Custom, Numerical Page, or SNMP trap.
- Fill out the form and click “Add”.
- If you want to assign this reaction to an existing Facility, you can edit the Facility:
- Click on the edit icon next to the Facility you want to edit
- Click on “Edit Facility”
- Make the necessary changes
- Click on Update button
Refer to the Reactions chapter for detailed help about Reactions.
Back to top
Edit Facility
Click on the icon next to the Facility you want to edit
The Facility form will be displayed in the right pane
Make the necessary changes
Click on Update button
Delete Facility
Click on the icon next to the Facility you want to delete
Click OK to confirm
Back to top
A filter identifies the regular expression, a string pattern, that the agent will use to scan the log files for the key events that you determine. For example, the expression "error.*" will return any line in the log file that contains the key word "error". If no regular expression is specified, then all lines from a log file will be matched for this filter.
Create New Filter

In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Add New Filter” button
Fill out the form:
Create a filter alias
Select the filter category from the drop-down list. (The category is for convenient grouping only; the regular expression alone decides the behavior of the Log Filter.)
Enter the regular expression for this filter.
A regular expression is a way to specify a set of possible string patterns that you want to match in the log file. For example, the expression "error.*" will return any line in the log file that contains the key word "error". Learn more about regular expressions in the next section below: "Regular Expressions".
Note: If this field is left blank then all lines from the log file will be matched for this filter.
Enter a quick description about the filter.
Click "Add"
If you want to assign this filter to an existing Facility, you can edit the Facility:
Click on the icon next to the Facility you want to edit to display its menu
Click on “Edit Facility”
Make the necessary changes
Click on Update button
Back to top
Regular Expressions
A regular expression is a way to specify a set of possible string patterns that you want to match in the log file. LogWatch follows the POSIX syntax for regular expressions. In this syntax, most characters match only themselves. For example, the expression "error" will match only the word "error" in the log file. The exceptions are called metacharacters, which are described below:
.     Matches any single character.
[ ]   Matches a single character that is contained within the brackets.
      Example: [abc] matches "a", "b", or "c"; [a-z] matches the range from a to z (any lowercase letter).
[^ ]  Matches a single character that is not contained within the brackets.
      Example: [^abc] matches any character other than "a", "b", or "c"; [^a-z] matches any character that is not a lowercase letter.
^     Matches the start of the line.
$     Matches the end of the line.
*     Matches zero or more occurrences of the single-character expression it follows.
      Example: [abc]* matches "", "a", "b", "c", "ab", "abc", etc. The expression .* matches any run of characters, so a filter of .* alone returns every line of the log file.
+     Matches the single-character expression it follows one or more times.
      Example: ab+ matches "ab", "abb", "abbb", etc.
?     Matches the single-character expression it follows zero or one time.
      Example: errors? matches "error" or "errors".
|     Matches either the expression before it or the expression after it.
      Example: error|warning matches "error" or "warning".
Note: Since the characters '(', ')', '[', ']', '.', '*', '+', '^', and '$' are metacharacters, you need to place '\' before the character if you want it to be matched literally. For example, to match a.) the expression will be a\.\)
How Regular Expressions work (Examples):
Windows System Events:
The full message from the Manager will be as follows:
[localevents,7035-SYSTEM-Information] Mon Feb 11 09:20:56 2008 :
id=7035;type=INFO;source=Service Control Manager;
user=NRGGLOBAL;message=The Automatic Updates service was successfully sent a start control.
id is the event id
type is the event type (Error, Info, or Warning)
source is the event source
user is the logged-in user
message is the description
So, if you want to see in your LogWatch any system message with ID = 7035, Type = Information, and Source = Service Control Manager, do the following:
- In Chroniker, click on Tools in the top menu, then select Log Filters
- Check to see if the filter already exists within the default filters
- If the filter does not exist, click on "Add New Filter"
- Enter a meaningful name for the filter in the Filter Alias field
- Select the Filter Category: in our example above it can be Event Log or Service Control Manager
- Enter the Regular Expression: in this example it would be id=7035.*type=info.*source=Service.* This expression will match any message that has ID = 7035, Type = Information, and Source = Service Control Manager.
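The following Python script is an added example, not code from the LogWatch documentation or product: it runs the filters from the Regular Expressions section ("error.*", "errors?", "error|warning", the escaped a\.\) and the Windows id=7035 expression above over constructed log lines, so you can see exactly which lines each filter selects before deploying it. Python's re is assumed to agree with POSIX for these metacharacters, and case-insensitive matching is assumed because the page's expression "type=info" is meant to match a message carrying "type=INFO"; the ignore_case flag shows what a case-sensitive agent would return instead.

```python
import re

# Constructed sample log lines (not from the original page), shaped like the
# Windows event message the page shows and like plain application log lines.
SAMPLE_LOG = [
    "[localevents,7035-SYSTEM-Information] Mon Feb 11 09:20:56 2008 : "
    "id=7035;type=INFO;source=Service Control Manager;user=NRGGLOBAL;"
    "message=The Automatic Updates service was successfully sent a start control.",
    "[localevents,7036-SYSTEM-Information] Mon Feb 11 09:20:57 2008 : "
    "id=7036;type=INFO;source=Service Control Manager;user=NRGGLOBAL;"
    "message=The Automatic Updates service entered the running state.",
    "[localevents,7035-SYSTEM-Information] Mon Feb 11 09:21:10 2008 : "
    "id=7035;type=INFO;source=Service Control Manager;user=NRGGLOBAL;"
    "message=The Windows Installer service was successfully sent a start control.",
    "Mon Feb 11 09:22:03 2008 : errors detected while writing block a.) to disk",
    "Mon Feb 11 09:22:04 2008 : warning: disk 80% full",
]

def logwatch_filter(pattern, lines, ignore_case=True):
    """Return the lines a LogWatch filter with this pattern would select.

    A blank pattern matches every line, as the page documents. ignore_case
    defaults to True because the page writes 'type=info' for a message that
    carries 'type=INFO'; whether the real agent folds case is an assumption,
    so the flag is exposed to show the difference it makes.
    """
    if pattern == "":
        return list(lines)
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [line for line in lines if rx.search(line)]

def count_by_filter(filters, lines):
    """Per-filter match counts, the figure the 'Messages by Filter Name' reports tally."""
    return {alias: len(logwatch_filter(pat, lines)) for alias, pat in filters.items()}

if __name__ == "__main__":
    examples = {
        "any error": "error.*",
        "error or errors": "errors?",
        "error or warning": "error|warning",
        "literal a.)": r"a\.\)",
        "SCM start control 7035": "id=7035.*type=info.*source=Service.*",
        "line begins with id=": "^id=7035",  # the "[localevents,...]" prefix precedes id=, so nothing matches
    }
    for alias, hits in count_by_filter(examples, SAMPLE_LOG).items():
        print(f"{alias:24} {hits}")
```

Note that the anchored pattern "^id=7035" matches nothing, because the stored message begins with the "[localevents,...]" prefix rather than with "id="; anchor only on what the agent actually sees at the start of the line.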
Back to top
Edit Filter
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the LogWatch Filters page, find the filter you wish to edit
• Click the Edit icon corresponding to the filter. This brings up the Edit Filter page.
Make your modifications
Click "Update"
Delete Filter
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the LogWatch Filters page, find the filter you wish to delete
• Click the Trash can icon corresponding to the filter you wish to delete. Click OK to confirm.
Back to top
A Template is the same as a filter, but it offers the flexibility to be applied to different Facilities.
Create New Filter Template
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Templates” button
In the Filter Templates page, click on “Add New Template” button

Fill out the form:
Enter the Template Name
Type in a quick description about the template
Define the different events by selecting the appropriate predefined filters and reactions for each one of them
LogWatch allows you to assign up to four events to each Facility. Every event can be associated with one filter and up to two reactions. The four event types are:
Error Event - the error event messages will be shown in red
Warning Event - the warning event messages will be shown in orange
Information Event - the information event messages will be displayed in blue
Display Event - the display event messages will be displayed in green
Back to top
Edit Filter Template
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Templates” button
In the Filter Templates page, find the template you wish to edit
• Click the Edit icon corresponding to the template. This brings up the Edit Filter Template page.
Make your modifications
Click "Update"
Delete Filter Template
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Templates” button
In the Filter Templates page, find the template you wish to delete
• Click the Trash can icon corresponding to the template you wish to delete. Click OK to confirm.
Back to top
Apply Filter Template to Facilities
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Templates” button
In the Filter Templates page, find the template you wish to apply
• Click the Apply icon corresponding to the template. This brings up the Apply Filter Template page.
• Select the Facilities you want this template to be applied.
Note: To select multiple Facilities, hold the CTRL key and left-click on each Facility.
• Click "Apply"
Back to top
A filter category helps you organize your filters into groups, to manage the filters easily and get a better presentation in the reports.
Create New Filter Category
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Categories” button
In the Filter Categories page, click on “Add New Filter Category ” button

Fill out the form:
Enter the Category Alias
Type in a quick description about the category
Click Add.
Back to top
Edit Filter Category
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Categories” button
In the Filter Categories page, find the Filter Category you wish to edit
• Click the Edit icon corresponding to the Filter Category. This brings up the Edit Filter Category page.
Make your modifications
Click "Update"
Delete Filter Category
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the Filters page, click on “Categories” button
In the Filter Categories page, find the Category you wish to delete
• Click the Trash can icon corresponding to the Filter Category you wish to delete. Click OK to confirm.
Back to top
Apply Filter Category to an Existing Filter
In the Chroniker LogWatch Tools menu, click on “Log Filters”
Once in the LogWatch Filters page, find the filter you wish to apply the Filter Category to
• Click the Edit icon corresponding to the filter. This brings up the Edit Filter page.
Under the Filter Category field, select the Filter Category you wanted to apply from the drop-down list
Click "Update"
Back to top
View Active Alerts
Be sure you are on the LogWatch home page.
Click on the Active Alerts button; it is the third button counting from the top.
The Active Alerts page is displayed in the right pane.
For each alert, the table shows Alert Time, Facility alias, and Message.
Description of column headings
Alert
This is color coded for the level of alert:
Blue - information alert
Yellow - warning alert
Red - error alert
Alert Time
When the alert started.
Alias
The name of the Facility.
Message
This is the message produced by the event associated with the Facility.
Reactions
Green Check sign means the reactions associated with the specific alert were successful
Red Cross sign means at least one of the reactions had failed
Back to top
Chroniker LogWatch provides pre-made templates for useful reports. It also gives you the option to schedule email reports.

Daily Messages by Type
This report provides a summary of the number of log messages that appeared under each event type in the selected report day. The report contains the following columns:
Facility is the Facility name
Error contains the number of log messages associated with the error event defined for this Facility
Warning contains the number of log messages associated with the warning event defined for this Facility
Information contains the number of log messages associated with the information event defined for this Facility
Display contains the number of log messages associated with the display event defined for this Facility
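An added example, not the product's code, emulating the event model described in the Filter Template section (four event levels per Facility, each with one filter and up to two reactions), the green check / red cross reaction status of the Active Alerts page, and the row this Daily Messages by Type report produces for one Facility. The Facility, the log lines and the reaction callables are constructed; event precedence (the first matching level claims the line, in Error, Warning, Information, Display order) and case-insensitive matching are assumptions.

```python
import re

# Constructed facility and log lines (not from the original page). Reactions are
# modelled as callables returning True on success; the order of the events list
# is an assumption: the first event whose filter matches a line claims it.
def email_reaction(alert):
    return True  # stands in for an e-mail that was delivered

def numerical_page_reaction(alert):
    return False  # stands in for a page that failed, so the alert shows a red cross

FACILITY = {
    "alias": "WinSystem",
    "events": [
        {"level": "Error", "filter": "type=error", "reactions": [email_reaction, numerical_page_reaction]},
        {"level": "Warning", "filter": "type=warning", "reactions": [email_reaction]},
        {"level": "Information", "filter": "id=7035.*type=info.*source=Service", "reactions": [email_reaction]},
        {"level": "Display", "filter": "", "reactions": []},  # blank filter: every remaining line
    ],
}

SAMPLE_LOG = [
    "id=7035;type=INFO;source=Service Control Manager;message=Automatic Updates sent a start control.",
    "id=7036;type=INFO;source=Service Control Manager;message=Automatic Updates entered the running state.",
    "id=7000;type=Error;source=Service Control Manager;message=The Telnet service failed to start.",
    "id=7034;type=Warning;source=Service Control Manager;message=The Spooler service terminated unexpectedly.",
    "id=6005;type=INFO;source=EventLog;message=The Event log service was started.",
]

def scan(facility, lines):
    """Emulate one agent scan: classify each line by event level and run its reactions."""
    alerts = []
    for line in lines:
        for event in facility["events"]:
            if event["filter"] == "" or re.search(event["filter"], line, re.IGNORECASE):  # case folding assumed
                alert = {"alias": facility["alias"], "level": event["level"], "message": line}
                alert["reactions_ok"] = all(react(alert) for react in event["reactions"])  # green check if all succeed
                alerts.append(alert)
                break
    return alerts

def daily_messages_by_type(facility, alerts):
    """One row of the 'Daily Messages by Type' report for this facility."""
    row = {"Facility": facility["alias"], "Error": 0, "Warning": 0, "Information": 0, "Display": 0}
    for alert in alerts:
        row[alert["level"]] += 1
    return row

if __name__ == "__main__":
    print(daily_messages_by_type(FACILITY, scan(FACILITY, SAMPLE_LOG)))
```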
Back to top
Messages by Filter Name For Last 7 Days
This report provides a summary of the number of messages that occurred daily under each filter name for the last 7 days starting from the report date selected.
Messages by Filter Name For Current Year
This report provides a summary of the number of messages that occurred monthly under each filter name for the current year.
Back to top
Daily/Monthly/Yearly Messages by Filter Name
This report provides a summary of the number of messages that occurred daily, weekly, and monthly under each filter name. It also allows you to compare Current to Previous for the Day, Week and Month.
Daily/Monthly/Yearly Messages by Facility
For each Facility, this report provides a summary of the number of messages that occurred under each event type (error, warning, information, and display) in three different time frames: daily, weekly, and monthly. It also allows you to compare Current to Previous for the Day, Week and Month.
Daily/Monthly/Yearly Messages by Agent
For each agent, this report provides a summary of the number of messages that occurred under each event type (error, warning, information, and display) in three different time frames: daily, weekly, and monthly. It also allows you to compare Current to Previous for the Day, Week and Month.
Back to top
LogWatch Alert Details
This report displays alert information in LogWatch. It provides the Facility alias of the monitored data with the alert duration, starting and ending date and time, and the alert message.
Alert
This shows the alert status of the Facility following the color code below:
Green - display alert
Blue - information alert
Orange - warning alert
Red - error alert
Alias
This is the name of the Facility that is in an alert state.
Alert Duration
The amount of time that the Facility is in the alert state
Alert Started
This is the actual time in which the Facility has first triggered the alert.
Alert Ended
This is the actual time in which the alert state of the Facility had ended.
Alert Message
Displays the pre-defined event message, which includes the Facility alias, alert status, and the matched filter. This is the same message you will get in the email body if you assigned an email reaction to this event.
Back to top
E-Mailing Reports
Reports generated from the Reports page can be e-mailed. Note that the recipient must have HTML enabled for their inbox. To e-mail a report:

Go to the report you wish to email.
Click the E-Mail this Report button.
Type the Name and E-mail address of who will receive the report in the proper fields.
Type your name and E-mail address in the proper fields.
Type a message you wish to accompany the report in the body of the E-mail.
Click the Send E-mail button.
Schedule Email Reports
Please refer to "Schedule Email Reports" section covered in "Chapter 2: Features Common to All Modules"
Back to top
LogWatch Archiving Options allow you to set the number of days after which the log messages will be archived to history and the number of days after which the log messages get purged from history.
Go to the Chroniker LogWatch Setup menu.
Click on the "LogWatch Archiving setup" link.
Once in the LogWatch Archiving Options page, select from the first drop-down list the number of days after which the LogWatch Message Data will be archived to history. The default value is 15 days.
From the second drop-down list, select the number of days after which LogWatch Message Data will be purged from history. The default value is 60 days.
Click "Submit"
Back to top