Sample file of system log information monitoring definition file for SAP system (fluentd_sap_syslog_tail.conf)
Format
This is similar to the format of Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
The sample file provides a definition example for monitoring the system log information of an SAP system with the text-formatted log file monitoring function, under the following conditions.
- Conditions
- Monitored log file
  - Monitors the log file of the command that extracts the system log information of the SAP system.
  - The language setting for the command execution environment is Japanese, and the character encoding is SJIS. If the character encoding of the log file to be monitored is not SJIS, change the character encoding specified for from_encoding in [Input Settings] (when operating in a Linux environment, it must be changed to UTF-8).
- Monitoring name
  It is called "sap_syslog".
- Example log messages
  Monitor the logs output in the system log message record with the default layout.
  The default layout is as follows. For details about the extractable fields and specifications of the command, see jr3slget.
<TIME><INSTANCE><USER><PROGRAM><MSGNO><MSGTEXT>
The following is an example of the log message that is output.
13:58:04o246bci_SD5_00 SAPSYS SAPMSSY1D01 Transaction canceled 00 152 ( ) (omitted)
# The length of <MSGTEXT> is 255 bytes.
The above log message is structured for each field as follows.
Field ID | Field | Value |
---|---|---|
<TIME> | Message recording time | 13:58:04 |
<INSTANCE> | Server that recorded the message | o246bci_SD5_00 |
<USER> | User who recorded the message | SAPSYS |
<PROGRAM> | Program that recorded the message | SAPMSSY1 |
<MSGNO> | Message number | D01 |
<MSGTEXT> | Message text | Transaction canceled 00 152 ( ) |
- Log messages to monitor
  Monitor all logs. The message records in the system log are split into fields, and each field is set as an attribute of the JP1 event. The following table shows the correspondence between each field, the name it is captured under by the named capture function of the regular expression, and the extended attribute of the JP1 event.

Field ID | Name to cut with regular expression | JP1 event attributes | What to set |
---|---|---|---|
<TIME> | sap_time | Not specified. | -- |
<INSTANCE> | instance | Not specified. | -- |
<USER> | user | Not specified. | -- |
<PROGRAM> | program | Not specified. | -- |
<MSGNO> | msgno | Not specified. | -- |
<MSGTEXT> | message | MESSAGE | Stores the value of the field as is. |
- Value to set for SEVERITY
  Set "Notice".
- Log data to convert to JP1 events
  Log data is converted when SEVERITY is "Warning" or higher. Because "Notice" is specified for SEVERITY, no JP1 event is issued and the data is output only to the Fluentd log.
- Label name of IM management node
  SAP Syslog
- Definition example
    <worker 0>
      ## [Metric Settings]
      <source>
        @type exec
        command "echo {}"
        <parse>
          @type json
        </parse>
        run_interval 60s
        tag jpc_ima_metrics.tail.sap_syslog
      </source>

      <filter jpc_ima_metrics.tail.sap_syslog>
        @type record_transformer
        enable_ruby true
        auto_typecast false
        <record>
          __name__ fluentd_logtrap_running
          instance @@sap_instancename@@
          jp1_pc_nodelabel SAP Syslog
          jp1_pc_category enterprise
          jp1_pc_logtrap_defname sap_syslog_tail
          jp1_pc_trendname fluentd
          job jpc_fluentd
          jp1_pc_nodelabel_fluentd Log trapper(Fluentd)
          jp1_pc_addon_program JPC Fluentd
        </record>
      </filter>
    </worker>

    <worker 3>
      ## [Input Settings]
      <source>
        @type tail
        tag tail.sap_syslog
        path @@sap_logpath@@
        follow_inodes true
        refresh_interval 60
        skip_refresh_on_startup false
        read_from_head false
        encoding "UTF-8"
        from_encoding "Shift_JIS"
        read_lines_limit 1000
        read_bytes_limit_per_second -1
        pos_file ../data/fluentd/tail/sap_syslog.pos
        path_key tailed_path
        rotate_wait 5s
        enable_watch_timer false
        enable_stat_watcher true
        open_on_every_update false
        emit_unmatched_lines false
        ignore_repeated_permission_error false
        <parse>
          @type regexp
          expression /^(?<sap_time>.{8})(?<instance>.{20})(?<user>.{12})(?<program>.{8})(?<msgno>.{3})(?<message>.*)$/
          time_key time
          null_empty_string false
          estimate_current_event true
          keep_time_key false
          localtime true
          utc false
        </parse>
      </source>

      ## [Attributes Settings]
      <filter tail.sap_syslog>
        @type record_transformer
        enable_ruby true
        auto_typecast false
        renew_record true
        <record>
          ID 00007601
          MESSAGE ${record["message"]}
          JP1_SOURCEHOST @@sap_instancename@@
          JPC_LOG_TIME ${time.utc.to_i}
          PRODUCT_NAME /HITACHI/JP1/JPCCS2/LOGTRAP/SAP Syslog
          PPNAME /HITACHI/JP1/JPCCS2
          SEVERITY Notice
          PLATFORM ${ if RUBY_PLATFORM.downcase =~ /mswin(?!ce)|mingw|cygwin|bccwin/; 'NT'; else 'UNIX'; end }
          OBJECT_TYPE LOGFILE
          OBJECT_NAME ${record['tailed_path']}
          ROOT_OBJECT_TYPE LOGFILE
          ROOT_OBJECT_NAME ${record['tailed_path']}
          JP1_TRAP_NAME ${tag_parts[1]}
          JPC_NODELABEL SAP Syslog
        </record>
      </filter>

      ## [Inclusion Settings]
      #<filter tail.sap_syslog>
      # @type grep
      # <regexp>
      # key nil
      # pattern nil
      # </regexp>
      # </filter>

      ## [Exclusion Settings]
      # <filter tail.sap_syslog>
      # @type grep
      # <exclude>
      # key nil
      # pattern nil
      # </exclude>
      # </filter>

      ## [Forward Settings]
      <match tail.sap_syslog>
        @type rewrite_tag_filter
        <rule>
          key SEVERITY
          pattern /Warning|Error|Critical|Alert|Emergency/
          tag ${tag}.jp1event
        </rule>
        <rule>
          key SEVERITY
          pattern /.*/
          tag ${tag}.outputlog
        </rule>
      </match>

      <filter /tail\.sap_syslog\.(jp1event|outputlog)/>
        @type record_transformer
        enable_ruby true
        auto_typecast true
        renew_record true
        <record>
          eventId ${record['ID']}
          xsystem true
          message ${record['MESSAGE']}
          attrs ${record}
        </record>
        remove_keys $.attrs.ID
        remove_keys $.attrs.MESSAGE
      </filter>
    </worker>
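The parse expression and the two [Forward Settings] rules of the definition example, applied to constructed lines in Ruby, the language Fluentd is written in. This is an added example and not part of the product sample; the helper names build_line, parse_line, unmatched and route are hypothetical, and the input lines are constructed from the values in the field table.

```ruby
# Added example, not part of the product sample. Helper names are hypothetical.

# Expression copied from the <parse> section of [Input Settings].
SAP_SYSLOG_RE = /^(?<sap_time>.{8})(?<instance>.{20})(?<user>.{12})(?<program>.{8})(?<msgno>.{3})(?<message>.*)$/

# Pattern of the first <rule> in [Forward Settings] (routes to the .jp1event tag).
JP1EVENT_RE = /Warning|Error|Critical|Alert|Emergency/

# Builds a fixed-width record; column widths are taken from the expression.
def build_line(time, instance, user, program, msgno, text)
  format('%-8s%-20s%-12s%-8s%-3s%s', time, instance, user, program, msgno, text)
end

# Returns the named captures as a Hash (column padding is kept), or nil when
# the line does not match the expression.
def parse_line(line)
  m = SAP_SYSLOG_RE.match(line.chomp)
  m && m.named_captures
end

# Lines that do not match. The sample sets emit_unmatched_lines false, so it
# is worth checking a real extract for such lines before relying on the trap.
def unmatched(lines)
  lines.reject { |l| parse_line(l) }
end

# Same decision as the two rewrite_tag_filter rules: the first match wins.
def route(tag, severity)
  JP1EVENT_RE.match?(severity) ? "#{tag}.jp1event" : "#{tag}.outputlog"
end

# Constructed input: the values from the field table, plus one truncated line.
SAMPLE = [
  build_line('13:58:04', 'o246bci_SD5_00', 'SAPSYS', 'SAPMSSY1', 'D01',
             'Transaction canceled 00 152 ( )'),
  '13:58:05 truncated'
].freeze

if __FILE__ == $PROGRAM_NAME
  p parse_line(SAMPLE[0])
  puts "unmatched: #{unmatched(SAMPLE).inspect}"
  puts route('tail.sap_syslog', 'Notice')   # SEVERITY the sample always sets
  puts route('tail.sap_syslog', 'Warning')
end
```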
File
fluentd_sap_syslog_tail.conf
Storage directory
- Integrated agent host
  In Windows:
  - For a physical host
    Agent-path\conf\sample\
  In Linux:
  - For a physical host
    /opt/jp1ima/conf/sample/
Description
Sample file of the definition file for monitoring system log information of SAP system.
Copy the sample file (fluentd_sap_syslog_tail.conf) and, if required, change the file name of the copy to fluentd_<log monitor name>_tail.conf. For the location of the files, see Appendix A.4(3) Integrated agent host (Windows) and Appendix A.4(4) Integrated agent host (Linux) in the JP1/Integrated Management 3 - Manager Overview and System Design Guide. This definition file is created for each script specified by the Script exporter configuration file (jpc_script_exporter.yml).
Lines that start with a "#" are treated as comments and do not affect program operation.
Character code
UTF-8 (without BOM)
Line feed code
In Windows: CR+LF
In Linux: LF
When the definitions are applied
The definitions are reflected in Fluentd operation when the Fluentd service restarts.
When a definition file is added or deleted, or a value in the [Metric Settings] section is changed, the changes are reflected in the tree view of the integrated operation viewer.
For details about how to import trees, see 1.21.2(16) Creation and import IM management node tree data (for Windows) (mandatory) in the JP1/Integrated Management 3 - Manager Configuration Guide.
Information that is specified
See the description of Information that is specified in Monitoring text-formatted log file definition file (fluentd_@@trapname@@_tail.conf.template).
If a user wants to use this sample file, the following settings must be changed according to the user environment.
Setting item | Initial value | Setting contents |
---|---|---|
Path of the monitored log file | @@sap_logpath@@ | Specify the path of the text file specified by the user in the environment parameters file to output the results of extracting the system log information of the SAP system. |
SAP instance name from which you want to extract system log information | @@sap_instancename@@ | Specify the name of the SAP instance to output the results of extracting system log information from the SAP system. |
In addition, a JP1 event is issued when SEVERITY is "Warning" or higher. In this sample, SEVERITY is always set to "Notice", so no JP1 events are issued and the results are output only to the Fluentd log. To output log monitoring results as JP1 events, change the definition as shown below, where Notice is added to the pattern of the first rule.

    ## [Forward Settings]
    <match tail.sap_syslog>
      @type rewrite_tag_filter
      <rule>
        key SEVERITY
        pattern /Notice|Warning|Error|Critical|Alert|Emergency/
        tag ${tag}.jp1event
      </rule>
      <rule>
        key SEVERITY
        pattern /.*/
        tag ${tag}.outputlog
      </rule>
    </match>