7.6.3 Log information that can be monitored
The following describes log file trap information and Windows event log information that can be monitored.
- Organization of this subsection
(1) Output formats of log file trap information
The following shows the output formats of log file trap information that can be monitored by the remote-monitoring log file trap function. Note that if a new log file is output while another log file is being collected, the same log file might be trapped twice.
-
SEQ
In this format, log data is repeatedly added to a log file. When the log file reaches a certain size, a new log file with another file name is created and further log data is written to the new log file.
-
SEQ2
In this format, when a log file reaches a certain size, the log file is renamed as a backup file and saved in the same directory or under a subdirectory. Then a new log file is created with the same name as the old log file and further log data is written to the new log file.
The created backup file must not be deleted until the log file is trapped next time.
If the log file is switched during the monitoring interval, the data that was stored in the old log file since the last reading of the old log file is read from the most recently saved backup file. After that, data is read from the new log file. Other data is not read. Therefore, when you monitor a SEQ2-format log file, you need to set the monitoring interval appropriately so that the log file will not be switched twice or more during the monitoring interval.
To set the monitoring interval, specify the -t option in the jcfallogstart command or, in the Display/Edit Profiles window, specify the -t option in the Additional Options field for Startup Options.
-
WRAP2
In this format, when a log file reaches a certain size and is wrapped, the log data in the log file is all deleted first, and then log data is written from the beginning of the log file.
In the case of a WRAP2-format file, if the file is wrapped around and data is deleted before all data is read from the file, some data cannot be read from the file.
Because a long monitoring interval might increase the size of the data to be read at a time, the monitoring interval must be set carefully.
To set the monitoring interval, specify the -t option in the jcfallogstart command or, in the Display/Edit Profiles window, specify the -t option in the Additional Options field for Startup Options.
The following table describes the conditions for log files.
|
Item |
Conditions |
|---|---|
|
File name |
When the monitored host is a UNIX host, alphanumeric characters, hyphens (-), underscores (_), periods (.), and slashes (/) can be included in the path to the monitored files. A file path that includes a character other than above might not be normally monitored. |
|
File output destination |
If the monitored host is in a cluster configuration, and a logical name is specified for the monitored host, you can monitor the log files on a shared disk only. Network files cannot be monitored. You cannot monitor the files on a physical disk by using a logical host name because the information in the files on physical disks is managed by the executing host and the standby host. To monitor the files on a physical disk, specify the physical host names of the executing host and the standby host for the monitored host names. |
|
File size |
No more than 64 megabytes |
|
Character string |
|
|
Acquisition limit |
|
|
Monitoring start position at startup |
|
#: For details about the remote log trap environment definition file (jp1cf_remote_logtrap.conf), see Remote log trap environment definition file (jp1cf_remote_logtrap.conf) (Chapter 2. Definition Files) in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.
(2) Types of Windows event log information
The following are types of Windows event log information that can be monitored by the remote-monitoring event log trap function:
-
Application
-
Security
-
System
-
DNS Server
-
Directory Service
-
File Replication Service
-
DFS Replication
The log types Critical and Verbose, which were added in Windows Server 2008 R2, are not supported. A Critical or Verbose event log is collected as a JP1 event with an event level of Error or Information respectively.
If remote-monitoring event log traps are used, set the date and time on the manager host and on the monitored host to the correct current date and time.
If there is a difference between the date and time on the manager host and on the monitored host, monitoring might not be performed successfully. In addition, if the timestamp of an event log on the monitored host indicates a future time based on the time on the monitored host, monitoring might not be normally performed.
If the monitored host is in a cluster configuration and you specify a logical host name for the monitored host, Windows event log cannot be monitored.
The Windows event log is held by the executing host and the standby host. Therefore, specify a physical host name of the executing host and the standby host for the monitored host name.
The following table describes the conditions for Windows event logs.
|
Item |
Conditions |
|---|---|
|
Character string |
|
|
Acquisition limit |
|
|
Monitoring start position at startup |
|
#: For details about the remote log trap environment definition file (jp1cf_remote_logtrap.conf), see Remote log trap environment definition file (jp1cf_remote_logtrap.conf) (Chapter 2. Definition Files) in the manual JP1/Integrated Management 2 - Manager Command, Definition File and API Reference.