Hitachi

JP1 Version 13 JP1/Integrated Management 3 - Manager Command, Definition File and API Reference


Windows event log monitoring definition file (fluentd_@@trapname@@_wevt.conf.template)


Format

<worker 0>
## [Metric Settings]
<source>
  @type exec
  command "echo {}"
  <parse>
    @type json
  </parse>
  run_interval 60s
  tag jpc_ima_metrics.wevt.log-monitoring-name
</source>
 
<filter jpc_ima_metrics.wevt.log-monitoring-name>
  @type record_transformer
  enable_ruby true
  auto_typecast false
  
  <record>
    __name__ fluentd_logtrap_running
    instance host-name
    jp1_pc_nodelabel IM-management-node-label-name
    jp1_pc_category category-ID
    jp1_pc_logtrap_defname log-monitoring-name_wevt
    jp1_pc_trendname fluentd
    job jpc_fluentd
    jp1_pc_nodelabel_fluentd Log trapper(Fluentd)
    jp1_pc_addon_program JPC Fluentd
  </record>
</filter>
</worker>
<worker worker-id>
## [Input Settings]
<source>
  @type windows_eventlog2
  tag wevt.log-monitoring-name
  channels log-type
  read_interval 2s
  <storage>
    @type local
    path ../data/fluentd/wevt/log-monitoring-name
    mode 0600
    dir_mode 0700
    pretty_print false
  </storage>
  read_existing_events false
  render_as_xml false
  rate_limit -1
  preserve_qualifiers_on_hash true
  read_all_channels false
  event_query *
</source>
 
## [Attributes Settings]
<filter wevt.log-monitoring-name>
  @type record_transformer
  enable_ruby true
  auto_typecast false
  renew_record false
  <record>
    ID event-ID
    JP1_SOURCEHOST host-name
    JPC_NODELABEL IM-management-node-label-name
    JP1_TRAP_NAME log-monitoring-name
#    OS_VERSION OS-version
  </record>
</filter>
 
## [Inclusion Settings]
#<filter wevt.log-monitoring-name>
#  @type grep
#  <regexp>
#    key attribute-name-of-JP1-event
#    pattern /regular-expressions-for-logs-to-monitor/
#  </regexp>
#</filter>
 
## [Exclusion Settings]
#<filter wevt.log-monitoring-name>
#  @type grep
#  <exclude>
#    key attribute-name-of-JP1-event
#    pattern /regular-expression-for-logs-not-to-monitor/
#  </exclude>
#</filter>
 
## [Forward Settings]
<match wevt.log-monitoring-name>
  @type rewrite_tag_filter
  <rule>
    key attribute-name-of-JP1-event
    pattern /regular-expression-for-logs-that-emit-JP1-events/
    tag ${tag}.jp1event
  </rule>
  <rule>
    key MESSAGE
    pattern /.+/
    tag ${tag}.outputlog
  </rule>
</match>
 
<filter /wevt\.log-monitoring-name\.(jp1event|outputlog)/>
  @type record_transformer
  enable_ruby true
  auto_typecast true
  renew_record true
  <record>
    eventId ${record['ID']}
    xsystem true
    message ${record['MESSAGE']}
    attrs ${record}
  </record>
  
  remove_keys $.attrs.ID
  remove_keys $.attrs.MESSAGE
</filter>
</worker>

File

fluentd_@@trapname@@_wevt.conf.template

fluentd_@@trapname@@_wevt.conf.template.model (model file)

Storage directory

■Integrated agent host
  • For a physical host (Definition file and model file)

    Agent-path\conf\

  • For a logical host (Definition file)

    shared-folder\jp1ima\conf\

Description

Definition file for monitoring Windows event logs.

Copy the template (fluentd_@@trapname@@_wevt.conf.template) and rename the copy to fluentd_log-monitoring-name_wevt.conf before using it. For details on where fluentd_log-monitoring-name_wevt.conf is stored, see Appendix A.4(3) Integrated agent host (Windows) and Appendix A.4(4) Integrated agent host (Linux) in the JP1/Integrated Management 3 - Manager Overview and System Design Guide. The file name must be unique within the monitoring agent host. log-monitoring-name may contain alphanumeric characters, hyphens, and underscores, and must be 1 to 30 characters long. Create one file for each application you want to monitor.

JP1/IM - Agent creates an IM management node for the SID of the monitoring target according to the value specified for IM-management-node-label-name in the monitoring definition file. If the same IM-management-node-label-name is specified in more than one monitoring definition file, only one IM management node is created.

The Windows event log monitoring feature reads this file and analyzes the log information that the application has written to the Windows event log. If conditions are specified for the analyzed information and those conditions are met, the information can be set up to be converted to a JP1 event or output to the Fluentd log file. For the JP1 event that is issued, see 3.2.3(3) JP1 event to be issued by monitoring Windows event log.

Lines that begin with "#" are treated as comments and do not affect operation.

Character code

UTF-8 (without BOM)

Line feed code

In Windows: CR+LF

When the definitions are applied

The definitions are reflected in Fluentd operation when the Fluentd service is restarted.

If a definition file is added or deleted, or a value in the [Metric Settings] section is changed, the change is reflected in the tree view of the Integrated Operation Viewer window.

For details about how to apply the change, see 1.21.2(16) Creation and import of IM management node tree data (for Windows) (mandatory) in the JP1/Integrated Management 3 - Manager Configuration Guide.

Information that is specified

<worker> directive

Same as <worker> directive of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

worker-id (optional)

Description: Same as worker-id of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

Changeability: Can be changed

What You Setup in Your JP1/IM - Agent: Same as worker-id of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

JP1/IM - Agent Defaults Value: 2

[Metric Settings] section

See the description of the [Metric Settings] section in Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

[Input Settings] section

Specifies the type of event log to monitor.

log-monitoring-name (mandatory)

Same as log-monitoring-name in the [Metric Settings] section of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

log-type (mandatory)

Specifies the types of event logs to be monitored as a comma-separated string of 256 bytes or less. The JP1/IM - Agent default value is "application, system".

For details about the log type that can be specified, see 3.15.3(4)(a) Types of logs that can be monitored in the JP1/Integrated Management 3 - Manager Overview and System Design Guide.

[Attributes Settings] section

Sets the attributes and attribute values of the JP1 events to be issued.

log-monitoring-name (mandatory)

Same as log-monitoring-name in the [Metric Settings] section of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

event-ID (optional)

Same as the event ID in the [Attributes Settings] section of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

host-name (optional)

Same as host-name in the [Attributes Settings] section of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

IM-management-node-label-name (optional)

Same as IM-management-node-label-name in the [Attributes Settings] section of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

OS-version (optional)

Specifies the major version number of Windows when you want the OS_VERSION attribute added to the JP1 event. In the default setup the line begins with "#" and is treated as a comment; to specify a value, delete the "#".

[Inclusion Settings] section

See the description of the [Inclusion Settings] section in Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

[Exclusion Settings] section

See the description of the [Exclusion Settings] section in Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

[Forward Settings] section

See the description of the [Forward Settings] section in Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).

Example definition

In the following example, monitoring is performed when the log type is "application" and the source is "JP1/IM-Manager", and a JP1 event is issued when the event level is "Warning" or higher.

<worker 0>
## [Metric Settings]
<source>
  @type exec
  command "echo {}"
  <parse>
    @type json
  </parse>
  run_interval 60s
  tag jpc_ima_metrics.wevt.user_app_log
</source>
 
<filter jpc_ima_metrics.wevt.user_app_log>
  @type record_transformer
  enable_ruby true
  
  <record>
    __name__ fluentd_logtrap_running
    instance hostA
    jp1_pc_nodelabel UserApplication
    jp1_pc_category applicationServer
    jp1_pc_logtrap_defname user_app_log_wevt
    jp1_pc_trendname fluentd
    job jpc_fluentd
    jp1_pc_nodelabel_fluentd Log trapper(Fluentd)
    jp1_pc_addon_program JPC Fluentd
  </record>
</filter>
</worker>
<worker 2>
 
## [Input Settings]
<source>
  @type windows_eventlog2
  tag wevt.user_app_log
  channels application
  read_interval 2
  <storage>
    @type local
    path ../data/jp1ima/data/fluentd/wevt/user_app_log
  </storage>
  read_from_head false
  render_as_xml false
  rate_limit -1
  preserve_qualifiers_on_hash true
  event_query *
</source>
 
## [Attributes Settings]
<filter wevt.user_app_log>
  @type record_transformer
  enable_ruby true
  renew_record false
  <record>
    ID 00007602
    JP1_SOURCEHOST hostA
    JPC_NODELABEL UserApplication
    OS_VERSION 10
  </record>
</filter>
 
## [Inclusion Settings]
<filter wevt.user_app_log>
  @type grep
  <regexp>
    key PRODUCT_NAME
    pattern /JP1\/IM-M$/
  </regexp>
</filter>
 
## [Exclusion Settings]
#<filter wevt.user_app_log>
#  @type grep
#  <exclude>
#    key 
#    pattern //
#  </exclude>
#</filter>
 
## [Forward Settings]
<match wevt.user_app_log>
  @type rewrite_tag_filter
  <rule>
    key SEVERITY
    pattern /Warning|Error|Critical|Alert|Emergency/
    tag ${tag}.jp1event
  </rule>
  <rule>
    key SEVERITY
    pattern /.*/
    tag ${tag}.outputlog
  </rule>
</match>
 
<filter /wevt\.user_app_log\.(jp1event|outputlog)/>
  @type record_transformer
  enable_ruby true
  auto_typecast true
  renew_record true
  <record>
    eventId ${record['ID']}
    xsystem true
    message ${record['MESSAGE']}
    attrs ${record}
  </record>
  
  remove_keys $.attrs.ID
  remove_keys $.attrs.MESSAGE
</filter>
</worker>
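The following added example (not code from the JP1 manual or from Fluentd) models the filter and match chain of the example definition above in plain Ruby, run over constructed event records, so the routing decision and the shape of the resulting JP1 event record can be seen end to end. The function names process_event and route_events and the sample records are assumptions made for this example.

```ruby
# Added example, not code from the JP1 manual or from Fluentd: a plain-Ruby
# model of the filter/match chain in the example definition above. The keys
# PRODUCT_NAME, SEVERITY, ID and MESSAGE are the ones the configuration reads.

# [Attributes Settings]: record_transformer with renew_record false merges
# these fixed attributes into the incoming record.
ATTRIBUTES = {
  'ID' => '00007602', 'JP1_SOURCEHOST' => 'hostA',
  'JPC_NODELABEL' => 'UserApplication', 'OS_VERSION' => '10'
}.freeze
# [Inclusion Settings]: grep <regexp> keeps only records whose key matches.
INCLUDE_KEY = 'PRODUCT_NAME'
INCLUDE_PATTERN = %r{JP1/IM-M$}
# [Forward Settings]: rewrite_tag_filter tries the rules in order and the
# first match decides the new tag; a rule whose key is absent does not match.
FORWARD_RULES = [
  ['SEVERITY', /Warning|Error|Critical|Alert|Emergency/, 'jp1event'],
  ['SEVERITY', /.*/, 'outputlog']
].freeze

# Returns [new_tag, jp1_record] for one event, or nil when the inclusion
# filter or the forward rules drop it.
def process_event(tag, record)
  rec = record.merge(ATTRIBUTES)
  return nil unless rec.key?(INCLUDE_KEY) && rec[INCLUDE_KEY].to_s.match?(INCLUDE_PATTERN)
  rule = FORWARD_RULES.find { |key, pat, _| rec.key?(key) && rec[key].to_s.match?(pat) }
  return nil unless rule
  # Final record_transformer (renew_record true) builds the JP1 event fields;
  # remove_keys $.attrs.ID and $.attrs.MESSAGE drop the two copied values.
  attrs = rec.reject { |k, _| %w[ID MESSAGE].include?(k) }
  ["#{tag}.#{rule[2]}",
   { 'eventId' => rec['ID'], 'xsystem' => true,
     'message' => rec['MESSAGE'], 'attrs' => attrs }]
end

# Routes a batch of events and groups the resulting records by output tag.
def route_events(tag, events)
  events.each_with_object(Hash.new { |h, k| h[k] = [] }) do |ev, out|
    new_tag, rec = process_event(tag, ev)
    out[new_tag] << rec if new_tag
  end
end

# Constructed sample records (not captured from a real event log).
SAMPLE_EVENTS = [
  { 'PRODUCT_NAME' => '/HITACHI/JP1/IM-M', 'SEVERITY' => 'Error', 'MESSAGE' => 'sample error text' },
  { 'PRODUCT_NAME' => '/HITACHI/JP1/IM-M', 'SEVERITY' => 'Information', 'MESSAGE' => 'sample info text' },
  { 'PRODUCT_NAME' => 'OtherApp', 'SEVERITY' => 'Error', 'MESSAGE' => 'not monitored' }
].freeze
```

Because the inclusion pattern is anchored with `$`, only PRODUCT_NAME values that end in "IM-M" pass the filter; a value such as "JP1/IM-Manager" is dropped before any forward rule is evaluated.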