Windows event log monitoring definition file (fluentd_@@trapname@@_wevt.conf.template)
Format
<worker 0>
  ## [Metric Settings]
  <source>
    @type exec
    command "echo {}"
    <parse>
      @type json
    </parse>
    run_interval 60s
    tag jpc_ima_metrics.wevt.Log Monitoring Name
  </source>
  <filter jpc_ima_metrics.wevt.Log Monitoring Name>
    @type record_transformer
    enable_ruby true
    auto_typecast false
    <record>
      __name__ fluentd_logtrap_running
      instance host name
      jp1_pc_nodelabel IM Management Node Label Name
      jp1_pc_category Category ID
      jp1_pc_logtrap_defname Log Monitoring Name_wevt
      jp1_pc_trendname fluentd
      job jpc_fluentd
      jp1_pc_nodelabel_fluentd Log trapper(Fluentd)
      jp1_pc_addon_program JPC Fluentd
    </record>
  </filter>
</worker>
<worker worker-id>
  ## [Input Settings]
  <source>
    @type windows_eventlog2
    tag wevt.Log Monitoring Name
    channels Log type
    read_interval 2s
    <storage>
      @type local
      path ../data/fluentd/wevt/Log Monitoring Name
      mode 0600
      dir_mode 0700
      pretty_print false
    </storage>
    read_existing_events false
    render_as_xml false
    rate_limit -1
    preserve_qualifiers_on_hash true
    read_all_channels false
    event_query *
  </source>
  ## [Attributes Settings]
  <filter wevt.Log Monitoring Name>
    @type record_transformer
    enable_ruby true
    auto_typecast false
    renew_record false
    <record>
      ID Event ID
      JP1_SOURCEHOST hostname
      JPC_NODELABEL IM Management Node Label Name
      JP1_TRAP_NAME Log Monitoring Name
      # OS_VERSION OS Version
    </record>
  </filter>
  ## [Inclusion Settings]
  #<filter wevt.Log Monitoring Name>
  #  @type grep
  #  <regexp>
  #    key OS Version
  #    pattern /Regular expressions for logs to monitor/
  #  </regexp>
  #</filter>
  ## [Exclusion Settings]
  #<filter wevt.Log Monitoring Name>
  #  @type grep
  #  <exclude>
  #    key Attribute name of JP1 event
  #    pattern /Regular expression for logs not to monitor/
  #  </exclude>
  #</filter>
  ## [Forward Settings]
  <match wevt.Log Monitoring Name>
    @type rewrite_tag_filter
    <rule>
      key Attribute name of JP1 event
      pattern /Regular expression for logs that emit JP1 events/
      tag ${tag}.jp1event
    </rule>
    <rule>
      key MESSAGE
      pattern /.+/
      tag ${tag}.outputlog
    </rule>
  </match>
  <filter /wevt\.Log-Monitoring-Name\.(jp1event|outputlog)/>
    @type record_transformer
    enable_ruby true
    auto_typecast true
    renew_record true
    <record>
      eventId ${record['ID']}
      xsystem true
      message ${record['MESSAGE']}
      attrs ${record}
    </record>
    remove_keys $.attrs.ID
    remove_keys $.attrs.MESSAGE
  </filter>
</worker>
File
fluentd_@@trapname@@_wevt.conf.template
fluentd_@@trapname@@_wevt.conf.template.model (model file)
Storage directory
- Integrated agent host
  - For a physical host (definition file and model file): Agent-path\conf\
  - For a logical host (definition file): shared-folder\jp1ima\conf\
Description
Definition file for monitoring Windows event logs.
Copy the template (fluentd_@@trapname@@_wevt.conf.template), rename the copy to "fluentd_log monitoring name_wevt.conf", and place it in the copy destination listed under File. For details on where "fluentd_log monitoring name_wevt.conf" is located, see Appendix A.4(3) Integrated agent host (Windows) and Appendix A.4(4) Integrated agent host (Linux) in the manual JP1/Integrated Management 3 - Manager Overview and System Design Guide. The file name must be unique within the monitoring agent host. The log monitoring name may contain alphanumeric characters, hyphens, and underscores, and must be 1 to 30 characters long. Create one such file for each application you want to monitor.
JP1/IM - Agent creates an IM management node for the SID of the monitoring target according to the value specified as the IM management node label name in the monitoring definition file. If the same IM management node label name is used in more than one monitoring definition file, only one IM management node is created.
The Windows event log monitoring feature reads this file and analyzes the log information that the application has written to the Windows event log. If conditions are specified for the analyzed information and those conditions are met, the information can be converted into a JP1 event or written to the Fluentd log file. For the JP1 event that is issued, see 3.2.3(3) JP1 event to be issued by monitoring Windows event log in JP1/IM-Agent "product plugin" in the manual JP1/Integrated Management 3 - Manager Overview and System Design Guide.
Lines that begin with "#" are treated as comments and do not affect operation.
Character code
UTF-8 (without BOM)
Line feed code
In Windows: CR+LF
When the definitions are applied
This information is reflected in Fluentd operation when the Fluentd service is restarted.
If a definition file is added or deleted, or a value in its [Metric Settings] section is changed, the change is reflected in the integrated operation viewer tree.
For details about how to apply the change, see 1.21.2(10) Creating and importing IM management node tree data (Windows) (mandatory) in the manual JP1/Integrated Management 3 - Manager Configuration Guide.
Information that is specified
- <worker> directive
  Same as the <worker> directive of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
- worker-id (optional)
  Description: Same as worker-id of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  Changeability: Can be changed
  What you set up in your JP1/IM - Agent: Same as worker-id of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  JP1/IM - Agent default value: 2
- [Metric Settings] section
  See the description of the [Metric Settings] section in the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
- [Input Settings] section
  Specifies the event log type to monitor.
  - Log file trap name (mandatory)
    Same as the log file trap name in the [Metric Settings] section of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  - Log type (mandatory)
    Specifies the event log types to be monitored as a comma-separated string of 256 bytes or less. The default value for JP1/IM - Agent is "application.system".
    For details about the log types that can be specified, see 9.5.4(4)(a) Log type that can be monitored in the manual JP1/Integrated Management 3 - Manager Overview and System Design Guide.
- [Attributes Settings] section
  Sets the attributes and attribute values of the JP1 events to be issued.
  - Log file trap name (mandatory)
    Same as the log file trap name in the [Metric Settings] section of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  - Event ID (optional)
    Same as the Event ID in the [Attributes Settings] section of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  - Host name (optional)
    Same as the Host name in the [Attributes Settings] section of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  - Label name of IM management node (optional)
    Same as the Label name of IM management node in the [Attributes Settings] section of the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
  - OS version (optional)
    Specifies the Windows major version number if you want the OS_VERSION attribute added to the JP1 event. In the default setup this line begins with "#" and is treated as a comment; to specify the value, delete the "#".
- [Inclusion Settings] section
  See the description of the [Inclusion Settings] section in the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
- [Exclusion Settings] section
  See the description of the [Exclusion Settings] section in the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
- [Forward Settings] section
  See the description of the [Forward Settings] section in the Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
Example definition
In the following example, events are monitored when the log type is "application" and the source is "JP1/IM-Manager", and a JP1 event is issued when the event level is "Warning" or higher.
<worker 0>
  ## [Metric Settings]
  <source>
    @type exec
    command "echo {}"
    <parse>
      @type json
    </parse>
    run_interval 60s
    tag jpc_ima_metrics.wevt.user_app_log
  </source>
  <filter jpc_ima_metrics.wevt.user_app_log>
    @type record_transformer
    enable_ruby true
    <record>
      __name__ fluentd_logtrap_running
      instance hostA
      jp1_pc_nodelabel UserApplication
      jp1_pc_category applicationServer
      jp1_pc_logtrap_defname user_app_log_wevt
      jp1_pc_trendname fluentd
      job jpc_fluentd
      jp1_pc_nodelabel_fluentd Log trapper(Fluentd)
      jp1_pc_addon_program JPC Fluentd
    </record>
  </filter>
</worker>
<worker 2>
  ## [Input Settings]
  <source>
    @type windows_eventlog2
    tag wevt.user_app_log
    channels application
    read_interval 2
    preserve_qualifiers_on_hash true
    <storage>
      @type local
      path ../data/jp1ima/data/fluentd/wevt/user_app_log
    </storage>
    read_from_head false
    render_as_xml false
    rate_limit -1
    preserve_qualifiers_on_hash true
    event_query *
  </source>
  ## [Attributes Settings]
  <filter wevt.user_app_log>
    @type record_transformer
    enable_ruby true
    renew_record false
    <record>
      ID 00007602
      JP1_SOURCEHOST hostA
      JPC_NODELABEL UserApplication
      OS_VERSION 10
    </record>
  </filter>
  ## [Inclusion Settings]
  <filter wevt.user_app_log>
    @type grep
    <regexp>
      key PRODUCT_NAME
      pattern /JP1\/IM-M$/
    </regexp>
  </filter>
  ## [Exclusion Settings]
  #<filter wevt.user_app_log>
  #  @type grep
  #  <exclude>
  #    key
  #    pattern //
  #  </exclude>
  #</filter>
  ## [Forward Settings]
  <match wevt.user_app_log>
    @type rewrite_tag_filter
    <rule>
      key SEVERITY
      pattern /Warning|Error|Critical|Alert|Emergency/
      tag ${tag}.jp1event
    </rule>
    <rule>
      key SEVERITY
      pattern /.*/
      tag ${tag}.outputlog
    </rule>
  </match>
  <filter /wevt\.user_app_log\.(jp1event|outputlog)/>
    @type record_transformer
    enable_ruby true
    auto_typecast true
    renew_record true
    <record>
      eventId ${record['ID']}
      xsystem true
      message ${record['MESSAGE']}
      attrs ${record}
    </record>
    remove_keys $.attrs.ID
    remove_keys $.attrs.MESSAGE
  </filter>
</worker>
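The following is an added example written for this page, not code from the JP1/IM - Agent product or its Fluentd template. It is a plain-Ruby simulation of the filter chain in the example definition above, run over constructed Windows event log records, and it shows three things the definition alone does not make visible: which records the [Inclusion Settings] grep filter keeps, which tag the [Forward Settings] rewrite_tag_filter rules assign (and that a record whose key is absent matches no rule and is dropped), and the shape of the final record (eventId, xsystem, message, attrs with ID and MESSAGE removed) that reaches the JP1 event output. The field names PRODUCT_NAME, SEVERITY and MESSAGE are taken from the example definition; the sample values are constructed, and the simulation reproduces the plugin semantics as described on this page rather than calling the Fluentd plugins themselves.

```ruby
# Added example: simulates the [Attributes Settings], [Inclusion Settings] and
# [Forward Settings] stages of the example definition without running Fluentd.
# Field names come from the example definition; values are constructed.

# Constructed sample records, shaped like records arriving on tag wevt.user_app_log.
SAMPLE_RECORDS = [
  { 'PRODUCT_NAME' => 'JP1/IM-M', 'SEVERITY' => 'Error',
    'MESSAGE' => 'Connection to the manager host was lost' },
  { 'PRODUCT_NAME' => 'JP1/IM-M', 'SEVERITY' => 'Information',
    'MESSAGE' => 'Service started' },
  { 'PRODUCT_NAME' => 'OtherApp', 'SEVERITY' => 'Critical',
    'MESSAGE' => 'Disk failure' },
].freeze

# [Attributes Settings]: record_transformer with renew_record false adds fixed
# JP1 attributes to every record (values copied from the example definition).
ATTRIBUTE_SETTINGS = {
  'ID' => '00007602',
  'JP1_SOURCEHOST' => 'hostA',
  'JPC_NODELABEL' => 'UserApplication',
  'OS_VERSION' => '10',
}.freeze

# [Inclusion Settings]: grep <regexp> keeps only records whose key matches.
INCLUSION_KEY = 'PRODUCT_NAME'
INCLUSION_PATTERN = %r{JP1/IM-M$}

# [Forward Settings]: first rule emits a JP1 event for Warning or higher,
# second rule (/.*/) sends everything else to the Fluentd log output.
ROUTE_KEY = 'SEVERITY'
JP1EVENT_PATTERN = /Warning|Error|Critical|Alert|Emergency/

def add_attributes(record)
  record.merge(ATTRIBUTE_SETTINGS)
end

def included?(record)
  value = record[INCLUSION_KEY]
  !value.nil? && INCLUSION_PATTERN.match?(value.to_s)
end

# rewrite_tag_filter evaluates rules in order and uses the first match; a rule
# whose key is absent from the record cannot match, so a record with no
# SEVERITY matches neither rule and is not re-emitted (returns nil here).
def route_tag(base_tag, record)
  value = record[ROUTE_KEY]
  return nil if value.nil?
  return "#{base_tag}.jp1event" if JP1EVENT_PATTERN.match?(value.to_s)
  "#{base_tag}.outputlog"
end

# Final record_transformer with renew_record true: a fresh record is built from
# eventId, xsystem, message and attrs, and remove_keys drops ID and MESSAGE
# from the nested attrs hash so they are not duplicated there.
def to_jp1_record(record)
  attrs = record.dup
  attrs.delete('ID')
  attrs.delete('MESSAGE')
  {
    'eventId' => record['ID'],
    'xsystem' => true,
    'message' => record['MESSAGE'],
    'attrs' => attrs,
  }
end

# Runs the full chain and returns [tag, record] pairs in arrival order.
def run_pipeline(records, base_tag = 'wevt.user_app_log')
  records.map { |r| add_attributes(r) }
         .select { |r| included?(r) }
         .map { |r| [route_tag(base_tag, r), to_jp1_record(r)] }
         .reject { |tag, _| tag.nil? }
end

if __FILE__ == $PROGRAM_NAME
  run_pipeline(SAMPLE_RECORDS).each { |tag, rec| puts "#{tag}: #{rec.inspect}" }
end
```

Running the block prints one line per emitted record: the Error record from JP1/IM-M is tagged wevt.user_app_log.jp1event, the Information record is tagged wevt.user_app_log.outputlog, and the OtherApp record never appears because the inclusion filter drops it before routing. Note that the routing key is checked after the attribute filter, so the fixed attributes (ID, JP1_SOURCEHOST, JPC_NODELABEL, OS_VERSION) end up inside attrs of both emitted records.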