Log Parser (PowerShell)

Configuring Windows Remote Management (WinRM)

  1. If you have not already done so, install PowerShell 2.0 and WinRM on the APM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.
  2. On the Orion SAM server, open a command prompt as an Administrator. To do this, go to the Start menu, right-click cmd.exe, and then select Run as Administrator.
  3. Enter the following in the command prompt:

       winrm quickconfig -q
       winrm set winrm/config/client @{TrustedHosts="*"}
  4. On the target server, open a command prompt as an Administrator and enter the following:

       winrm quickconfig
       winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

     where IP_ADDRESS is the IP address of your SAM server.
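
Step 3 sets the client TrustedHosts list on the SAM server to "*", which lets the WinRM client connect to any host without verifying the server's identity. The following PowerShell is an added example, not part of the original article or the SAM template: it reports what a TrustedHosts value trusts and replaces the list with explicit entries. The function names and the 192.0.2.x addresses are hypothetical placeholders.

```powershell
# Added example: audit and narrow the WinRM client TrustedHosts list (run elevated).
function Get-TrustedHostsFinding {
    param(
        # Defaults to the live setting; pass a string to evaluate a proposed value.
        [string]$Value = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    )
    if ([string]::IsNullOrEmpty($Value)) { return }
    foreach ($entry in $Value.Split(',')) {
        $entry = $entry.Trim()
        if ($entry -eq '*')           { $finding = 'trusts every host' }
        elseif ($entry.Contains('*')) { $finding = 'wildcard pattern' }
        else                          { $finding = 'explicit host' }
        New-Object psobject -Property @{ Entry = $entry; Finding = $finding }
    }
}

function Set-ExplicitTrustedHosts {
    param([Parameter(Mandatory = $true)][string[]]$MonitoredHost)
    foreach ($h in $MonitoredHost) {
        if ($h.Contains('*')) { throw "Refusing wildcard entry '$h'; list each monitored server." }
    }
    # Replaces the whole list, including a previous "*".
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($MonitoredHost -join ',') -Force
}

# Constructed values: the article's setting, then a scoped list (placeholder addresses).
Get-TrustedHostsFinding -Value '*'
Get-TrustedHostsFinding -Value '192.0.2.10,192.0.2.11'
# Set-ExplicitTrustedHosts -MonitoredHost '192.0.2.10', '192.0.2.11'
```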

The Log Parser template allows you to check a specified log file and determine the total number of lines that match your search criteria.

Prerequisites: WinRM must be installed and properly configured on the target server.

Credentials: Administrator on target server.

Component Monitors with Syntax

Each monitor uses the same PowerShell script, although the argument values may differ between monitors. Each monitor takes these four arguments, in the following order:

LogFilePath,RegularExpression,Usage,Position

  1. Log file path – This is the path of the target log file on the target server. The path cannot contain any spaces.
  2. Regular Expression – This is used for regular expression searches to find a desired string in the log file. Searches are not case sensitive; however, a search cannot contain spaces.
  3. Usage – One of the “usage” arguments below determines the type of information the monitor should return:
       • Total - Returns the total number of strings found.
       • New - Shows the number of newly found strings.
       • Match - Shows the position of the string found as well as the string itself. It uses the Position argument to determine which string to show.
  4. Position – This value determines the position from the last string of the log file in the Found String in # Position monitor. For the other monitors, this value takes part in generating temp files.

Note: For the Total and New usage arguments: if you monitor the same file with different search strings, use random values in the Position argument so that different temp files are generated.

Below is an example using the Script Arguments field. This example returns the number of the second line from the end that starts with the word “error,” as well as the line itself, from the powertest.log file on the D drive.

d:\powertest.log,^error,match,2

Note: You must specify the correct arguments for each monitored component in the Script Arguments field. If you fail to do this, the monitor will return a status error of "Undefined."


Component Monitors with Examples

Total number of strings found.

This monitor shows the total number of strings that match the search criteria. Additionally, in the message field, this monitor returns all lines that match the search criteria, separated by ";".

Below is an example using the Script Arguments field to count the strings that match the word “error” in the “powertest.log” file:

d:\powertest.log,^error,total,0

Number of newly found strings.

This monitor shows the number of newly found strings. Additionally, in the message field, this monitor returns all new strings that match search criteria.

Below is an example using the Script Arguments field to search for the number of newly found strings since the last script execution. In this case, just the new instances of the searched word, “error,” are returned. In the returned message, this component returns all lines that match the search criteria, separated by ";".

d:\powertest.log,^error,new,0

Found String in # Position.

This monitor shows the position, counted from the end, of the string found that matches the search criteria, as well as the string itself. By default, this counter also shows the last string.

Below is an example using the Script Arguments field, which searches for the position of the word “error” in relation to the end of the log file.

d:\powertest.log,^error,match,1
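
One possible implementation of the argument semantics described above, as an added example; this is not the script shipped in the template. The function name, the state-file naming, and the reading of Match as "line number of the Nth match from the end" are assumptions.

```powershell
# Added example (not the template's script): one reading of the documented
# LogFilePath,RegularExpression,Usage,Position semantics.
function Invoke-LogParserCheck {
    param([Parameter(Mandatory = $true)][string]$Arguments,
          [string]$StateDir = $env:TEMP)   # assumption: where the "new" state file lives
    $parts = $Arguments.Split(',')         # a pattern containing a comma is rejected here
    if ($parts.Count -ne 4) { return 'Message: Expected LogFilePath,RegularExpression,Usage,Position.' }
    $path = $parts[0]; $pattern = $parts[1]; $usage = $parts[2]
    $position = 0
    if (-not [int]::TryParse($parts[3], [ref]$position)) { return 'Message: Position must be an integer.' }
    try { [void][regex]$pattern } catch { return 'Message: Regular expression is not valid.' }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return "Message: File `"$path`" not found." }

    # Collect matching lines with their 1-based line numbers; -match ignores case.
    $lines = @(Get-Content -LiteralPath $path)
    $hits = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $pattern) {
            $hits += New-Object psobject -Property @{ Number = $i + 1; Text = $lines[$i] }
        }
    }

    switch ($usage) {
        'total' { }
        'new' {
            # Hypothetical state file, keyed by log name and Position as the note describes.
            $state = Join-Path $StateDir ("logparser_{0}_{1}.state" -f (Split-Path $path -Leaf), $position)
            $seen = 0
            if (Test-Path -LiteralPath $state) { $seen = [int](Get-Content -LiteralPath $state) }
            if ($seen -gt $lines.Count) { $seen = 0 }   # log was truncated or rotated
            Set-Content -LiteralPath $state -Value $lines.Count
            $hits = @($hits | Where-Object { $_.Number -gt $seen })
        }
        'match' {
            if ($position -lt 1 -or $position -gt $hits.Count) { return "Message: No match at position $position." }
            $hit = $hits[-$position]
            return "Statistic: $($hit.Number)", "Message: $($hit.Text)"
        }
        default { return "Message: Unknown usage '$usage'." }
    }
    $text = @($hits | ForEach-Object { $_.Text }) -join ';'
    return "Statistic: $($hits.Count)", "Message: $text"
}

# Constructed sample log, then the three usages from the article.
$log = Join-Path $env:TEMP 'powertest.log'
Set-Content -LiteralPath $log -Value 'error disk full', 'info ok', 'Error timeout', 'warn error late'
'total', 'new', 'match' | ForEach-Object { Invoke-LogParserCheck "$log,^error,$_,1" }
```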


Comments

What if you can't put powershell on the server?

PowerShell comes installed by default on all Windows 2008 and newer server operating systems.

This is an XP workstation that somehow migrated to be a high priority system....

smart  🙂


I would strongly encourage you to install PowerShell 2.0 for Windows XP. Without some remote execution ability like PowerShell provides, each poll would require a full transfer of the entire log file across the network for the local Orion server to search its contents. This should be possible using this application template by changing the PowerShell execution from remote to local, and specifying a UNC path to the file you want to monitor.

Hello aLTeReGo ,

Thank you for this tutorial. But I have trouble with this. The template runs correctly on an Orion host. On the server and the client, the "winrm" configs also run correctly.

But the total number of strings in the "Components" applet is always 0.

Where exactly should the entry " \powertest.log,^error,new,0 " be entered?

I have this in the "Script Arguments" in the "Total number of strings found" component.

Can you please help me?

I recommend copying the script from the template and running it outside of SAM to troubleshoot any issues you are having with the template. The arguments are fairly straightforward and listed below. From your example above the only recommendation I would suggest is adding the full path to the log file location instead of using a relative path.


LogFilePath,RegularExpression,Usage,Position

  1. Log file path – This is the path of the target log file on the target server. The path cannot contain any spaces.
  2. Regular Expression – This is used for regular expression searches to find a desired string in the log file. Searches are not case sensitive; however, a search cannot contain spaces.
  3. Usage – One of the “usage” arguments below determines the type of information the monitor should return:
       • Total - Returns the total number of strings found.
       • New - Shows the number of newly found strings.
       • Match - Shows the position of the string found as well as the string itself. It uses the Position argument to determine which string to show.
  4. Position – This value determines the position from the last string of the log file in the Found String in # Position monitor. For the other monitors, this value takes part in generating temp files.

Nice tutorial.  Bookmarking this one.

How would you monitor a file that when it is full creates a new file?  file1.log, file2.log etc.

Hi,

While monitoring a logfile, I want to exclude specific strings being captured from the script.

Can anyone suggest.

Thanks

Hi,

Thanks for the Wonderful tutorial...

What you said is proving good if the log file monitoring is in Orion instance installed machine... What should we do if the log monitoring machine is a remote host... What i did was, in script arguments, I entered the argument as "\\10.0.8.225\d$\test\logs\test_batch_0.log,^running_status"

When I do this, I either get a "file not found" error OR a "Not Defined" error... I checked the winrm services and made the Orion servers trusted...

Our main aim is to make Log parser alert us when a batch file executes and enters a log "running_status" in its file... Filepath I specified is the log file path...

Do I need to change the script also?

Let me know please...

Thanks!

Very strange issue here...

When I run this from within SolarWinds, I get:

Output: ==============================================

Message: File "C:\ProgramData\<morepathstuff>\ArchiveReceiverLog.txt" not found.

When I run this in a remote PS session from the appropriate polling engine, all works as expected.

I have also tried commenting out the initial Test-Path, but then I get an error that "drive C: does not exist".

Any idea why this would be occurring, or how I can go about seeing a log as to what SolarWinds is actually running on the remote server?

Thanks!

Jack

I am having the same issue....  I have opened a support case, I'll let you know if I get mine fixed  🙂

Here is the response I got (I haven't tried it yet):

More likely than not it's a permissions issue - have you checked the credentials you are using against the file security? Ensure it has "full control" - is that file local to the Orion server? I have seen cases where the \\machinename\c$ format had to be used for pathing.
Here are some guides which might help also:


https://support.solarwinds.com/Success_Center/Server_Application_Monitor_(SAM)/SAM_6.2.4_Administrat...

https://support.solarwinds.com/Success_Center/Server_Application_Monitor_(SAM)/SAM_6.2.4_Administrat...

Relevant section:

The following sections provide information and guidance to help you create some of the more complicated types of component monitors.

For general information about the settings for each component monitor, click the More Information help link in the SolarWinds SAM component monitor description.

  SolarWinds fully supports scripts written and provided by the company; however, we do not provide customer support for custom scripts written by outside sources. SolarWinds does provide sample scripts that we do support located at: C:\Program Files\SolarWinds\Orion\APM\Sample-Script Monitors

Your issue is similar to my issue... this is what I tried...

I have tried them... Nothing worked... I checked the permissions issue, I created the folder and also I am administrator on the machine... So, I have full permissions on the folder and the file. I tried to place this in the Orion server as a Network path and try it, then tried to WRM the Remote machine using the HTTPS and HTTP. Nothing worked...

I too opened the support case; they say we must change the script according to our environment... When they say that, I got to think, what, why should I change the script according to my environment, and I am not a good script editor, so how can I change it? I took help of a member here and did create a script, but, you know what, no luck!

Let me know if it works out for you... I shall try it again...

Srini

I'm prepping for a large SAM deployment; not having any experience with WinRM, I have a few questions for the community.

1. It appears that if the target server has a SLW agent on it, WinRM is not required? I did some testing with this template and it appeared to work on the target that had an agent. The servers that do not have agents clearly state they cannot connect to the remote device.

2. If I was to go the WinRM agentless route, would I need to define each of my pollers with SAM on them as a trusted host?

Version history: Revision 1 of 1. Last update: 06-29-2011 12:00 AM.