Unix log file monitoring creating multiple alerts

  • Question

  • Hi Team,

    I created the two rules below. The issue is that when any new entry is written to the log, SCOM monitoring captures the previous rule condition and alerts; as a result we are getting two or more alerts. For old alerts written a few hours back, the log file rule reads the entry as a new entry and alerts on it.

    Is this a known issue? Please see the rule configuration below.

    <Rule ID="Test.Alert.Rules" Enabled="true" Target="Application.Class" Priority="Normal" ConfirmDelivery="true" Remotable="true">
      <Category>EventCollection</Category>
      <DataSources>
        <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.VarPriv.DataSource">
          <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
          <LogFile>/var/log/message</LogFile>
          <UserName>$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/UserName$</UserName>
          <Password>$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/Password$</Password>
          <RegExpFilter>"AppName":"xyz","state":"Error"</RegExpFilter>
          <IndividualAlerts>false</IndividualAlerts>
        </DataSource>
      </DataSources>
      <WriteActions>
        <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
          <Priority>1</Priority>
          <Severity>2</Severity>
          <AlertName>Alert name</AlertName>
          <AlertDescription>$Data/EventDescription$</AlertDescription>
          <Suppression>
            <SuppressionValue>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</SuppressionValue>
            <SuppressionValue>$Data/EventDescription$</SuppressionValue>
          </Suppression>
        </WriteAction>
      </WriteActions>
    </Rule>

    <Rule ID="Test.HalfAlert.Rules" Enabled="true" Target="Application.Class" Priority="Normal" ConfirmDelivery="true" Remotable="true">
      <Category>EventCollection</Category>
      <DataSources>
        <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.VarPriv.DataSource">
          <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</Host>
          <LogFile>/var/log/message</LogFile>
          <UserName>$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/UserName$</UserName>
          <Password>$RunAs[Name="Unix!Microsoft.Unix.PrivilegedAccount"]/Password$</Password>
          <RegExpFilter>"AppName":"ABCD","state":"Error</RegExpFilter>
          <IndividualAlerts>false</IndividualAlerts>
        </DataSource>
      </DataSources>
      <WriteActions>
        <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
          <Priority>1</Priority>
          <Severity>2</Severity>
          <AlertName> Alert</AlertName>
          <AlertDescription>$Data/EventDescription$</AlertDescription>
          <Suppression>
            <SuppressionValue>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</SuppressionValue>
            <SuppressionValue>$Data/EventDescription$</SuppressionValue>
          </Suppression>
        </WriteAction>
      </WriteActions>
    </Rule>


    • Edited by RatheeshAV Friday, July 3, 2020 4:39 PM
    Friday, July 3, 2020 3:00 PM

All replies

  • Hi,

    Is there a double quote missing?

    "AppName":"ABCD","state":"Error



    Regards,

    Alex Zhu
    Monday, July 6, 2020 2:45 AM
  • No, a different application is creating the error in the same log file, and I am planning to implement a different rule for each pattern. The issue here is that every new log file error entry creates alerts for old entries which were already alerted and closed.

    This is the normal behaviour of Microsoft.Unix.SCXLog.VarPriv.DataSource.

    Do I need to add any other SuppressionValue?

    Thursday, July 9, 2020 4:46 PM
  • In theory the SCOM agent keeps a "pointer" so it knows what was the last line it read, so it doesn't alert again on old lines.

    You can follow Steve Weber's instructions to check if it's working properly in that post: https://social.technet.microsoft.com/Forums/ie/en-US/6332ab70-a04a-49ef-a353-b39fd895e535/scom-2012-linux-logfile-monitoring-not-working?forum=operationsmanagerunixandlinux

    Friday, July 10, 2020 8:54 AM
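As an added illustration, not code from this thread or from SCOM, the following Python reader keeps the kind of "pointer" the reply above describes: an inode and byte offset persisted between scans, so only lines appended since the last scan are matched against the two RegExpFilter patterns from the rules in the question. The sample log lines, the file paths and the reset-to-zero on rotation or truncation are assumptions made for the example; how the real SCOM agent stores its pointer is not described on this page.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed sample log lines (not taken from the original post).
SAMPLE_LINES = [
    '{"AppName":"xyz","state":"Error","msg":"disk full"}',
    '{"AppName":"ABCD","state":"Error","msg":"timeout"}',
    '{"AppName":"xyz","state":"OK","msg":"recovered"}',
]
# RegExpFilter values exactly as they appear in the two rules above.
RULE_FILTERS = {
    "Test.Alert.Rules": re.compile(r'"AppName":"xyz","state":"Error"'),
    "Test.HalfAlert.Rules": re.compile(r'"AppName":"ABCD","state":"Error'),
}

def scan_new_lines(log_path, state_path, filters):
    """Match only lines appended since the pointer (inode + byte offset) saved
    in state_path. A changed inode (rotation) or an offset past EOF (truncation)
    resets the pointer to 0, which is when old lines get re-read and re-alerted."""
    st = os.stat(log_path)
    inode, offset = None, 0  # first run: no pointer yet
    if state_path.exists():
        saved = json.loads(state_path.read_text())
        inode, offset = saved["inode"], saved["offset"]
    if inode != st.st_ino or offset > st.st_size:
        offset = 0  # assumption: start over on rotation/truncation
    matches = []
    with open(log_path, "rb") as f:
        f.seek(offset)
        for raw in f:
            line = raw.decode("utf-8", "replace").rstrip("\n")
            matches += [(rid, line) for rid, p in filters.items() if p.search(line)]
        new_offset = f.tell()
    state_path.write_text(json.dumps({"inode": st.st_ino, "offset": new_offset}))
    return matches

def demo():
    """Scan a fresh log twice, append one line, scan a third time."""
    d = Path(tempfile.mkdtemp())
    log, state = d / "messages", d / "pointer.json"
    log.write_text("\n".join(SAMPLE_LINES) + "\n")
    first = scan_new_lines(log, state, RULE_FILTERS)
    second = scan_new_lines(log, state, RULE_FILTERS)  # nothing new: []
    with log.open("a") as f:
        f.write('{"AppName":"xyz","state":"Error","msg":"again"}\n')
    return first, second, scan_new_lines(log, state, RULE_FILTERS)
```

Deleting the pointer file between runs, or rotating the log so the inode changes, makes the next scan start from offset 0 and match every old line again, which reproduces the duplicate-alert symptom described in the question.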