- DupDetectionKeyAttributes
- A comma-separated list of IBM® Tivoli® Monitoring attributes
that are used to determine which events are duplicates and which are
not. For more information about LogfileEvents attributes, see LogfileEvents attribute group. If all the named attributes are the same in two events, then those
two events are considered duplicates. This option applies only to IBM Tivoli Monitoring events. For more information, see Event filtering and summarization.
Note:
- The attribute names are case-sensitive, so you must enter
the names exactly as described.
- If you do not provide a list of attributes, the values default
to Class and Logname.
- ENFORCE_STRICT_TEC_COMPATIBILITY
- Set this parameter to Y to have the Log File agent treat
white space characters in the same way as the Tivoli Enterprise Console® Log File Adapter. This means
that all white space characters in the log data are respected. For
example, when you use a format such as "%s %s" to
extract information from log messages, the Log File agent matches
not only a literal space but also any other white space characters
that are present such as tabs and carriage returns.
When this parameter is not set, the default behavior of the Log File agent when it
matches a Tivoli Enterprise Console style format string is to match as much of the input text
as it can, while it processes the format from left to right.
For example, take the format string %s:%s and the input string one:two:three. The Log File agent by default
assigns one:two to the first parameter (corresponding
to the first %s) and it assigns three to the second parameter. The behavior of the Tivoli Enterprise Console Log File Adapter was the
opposite. Setting the ENFORCE_STRICT_TEC_COMPATIBILITY parameter to Y causes the Log File agent to behave
like the Tivoli Enterprise Console Log File Adapter in the way it matches formats.
Note:
- This parameter applies only to format statements that use the Tivoli Enterprise
Console log file adapter syntax. It does not apply to format
statements that use the regular expression syntax.
- Setting this parameter has a performance impact. To give greater
control over the behavior and performance of matching, avoid setting
this parameter, and use regular expressions instead.
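The two matching behaviors described above, reproduced with Python regular expressions as an added example (not IBM's code). The translation of %s into a regex group and the function names are assumptions made for illustration; the last function shows the kind of explicit expression the note recommends, where the field boundary does not depend on greediness.

```python
import re

def format_to_regex(fmt, greedy):
    """Translate a format string containing %s into an anchored regex (illustrative)."""
    group = "(.+)" if greedy else "(.+?)"
    # Literal text between the %s markers is escaped and kept as-is.
    literals = [re.escape(part) for part in fmt.split("%s")]
    return re.compile("^" + group.join(literals) + "$")

def match_format(fmt, line, greedy=True):
    """Return the captured parameters, or None when the line does not match."""
    m = format_to_regex(fmt, greedy).match(line)
    return list(m.groups()) if m else None

# Explicit alternative: the first field may not contain the delimiter,
# so the split point is fixed regardless of how the engine backtracks.
EXPLICIT = re.compile(r"^([^:]+):(.*)$")

def explicit_split(line):
    m = EXPLICIT.match(line)
    return list(m.groups()) if m else None

if __name__ == "__main__":
    line = "one:two:three"  # input string from the text above
    print("match as much as possible:", match_format("%s:%s", line, greedy=True))
    print("match as little as possible:", match_format("%s:%s", line, greedy=False))
    print("explicit regex:", explicit_split(line))
```

When a captured field is used for filtering or alerting, which parameter receives the extra delimiter decides what downstream rules see, so test format strings against lines that contain the delimiter more than once.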
- EventSummaryInterval
- Specifies the number of seconds during which the agent searches
for duplicate events to suppress. Set to a positive integer. This
option applies only to IBM Tivoli Monitoring events. For
more information, see Event filtering and summarization.
- EventFloodThreshold
- Specifies which events are sent when duplicate events are detected.
Set to send_none, send_all, send_first, or a positive integer. This option applies only
to IBM Tivoli Monitoring events. For more information,
see Event filtering and summarization.
- EventMaxSize
- Specifies, in bytes, the maximum size of a generated event. If
specified, this parameter is used in two places:
- The parameter can be used by the agent to set the size of a buffer
that is used to process events. If not set, this buffer defaults to
a size of 16384 bytes. If the buffer is set too small, events are
truncated and can be discarded.
- The parameter can be used by the EIF sender to set the size of
a buffer that is used to send events to an EIF receiver, such as the
OMNIbus EIF probe. If not set, this buffer defaults to a size of 4096
bytes. If the buffer is set too small, events are discarded.
- FileComparisonMode
- Specifies which log files are monitored when more than one matches
a wildcard pattern. The following values are available:
- CompareByAllMatches
- This value is the default behavior. All files that match the wildcard
pattern that is specified in LogSources are monitored.
- CompareByLastUpdate
- Of the files that match the wildcard pattern that is specified
in LogSources, the file with the most recent last
update timestamp is monitored.
- CompareBySize
- Of the two or more files that match the file name pattern criteria,
the bigger file is selected for monitoring. Do not use CompareBySize with multiple matching files that are being updated at the same
time and increasing their file sizes. If the largest file is subject
to frequent change, monitoring might continually restart at the beginning
of the newly selected file. Instead, use CompareBySize when there is a set of matching files, but only one is active and
being updated at any specific time.
- CompareByCreationTime
- Of the files that match the wildcard pattern that is specified
in LogSources, the file with the most recent creation
timestamp is monitored.
Tip: The CompareByLastUpdate, CompareBySize, and CompareByCreationTime values can all be used for rolling log files. CompareByLastUpdate is normally used for these files.
Restriction: The CompareByCreationTime value:
- Is applicable only to Windows operating systems, because UNIX and Linux operating systems do not store a true creation time for files.
- Is not supported for remote files that you monitor
by using the Secure Shell (SSH) File Transfer Protocol.
- FQDomain
- Specifies whether and how the agent sets a domain name.
- If set to yes, the agent determines the system
domain name itself.
- If set to no, the agent does not set a domain
name. The fqhostname attribute is assigned a blank
string.
- If set to a value other than yes or no, that value is accepted as the domain name and it
is appended to the host name.
For more information, see Format file.
- IncludeEIFEventAttr
- The agent includes a large attribute that is called EIFEvent, which is a representation of the event that would
be sent through the Event Integration Facility if that feature is
enabled. The information that is contained in the EIFEvent attribute can also be found in other attributes. Because its large size
made it problematic, it was disabled in version 6.2.3 and no
value is shown if viewed on the Tivoli Enterprise Portal. Setting this
value to y re-enables the EIFEvent attribute in Tivoli Monitoring.
Note: Using this attribute might cause situations to fail
if you have large events. A large event in this context is an event
where the total number of bytes necessary to contain all of the values,
for all attributes, and their names, results in a string longer than
3600 bytes.
- LognameIsBasename
- When set to y, the value of the Logname attribute in IBM Tivoli Monitoring is the base name of the
log file in which the event was found; the path is removed. For example, /data/logs/mylog.log becomes mylog.log. This option applies only to IBM Tivoli Monitoring events.
If this value is set to n, then you get the full
path. However, because the attribute is limited to 64 characters,
setting it to n means that the name is truncated
if it is longer. For this reason, the default value is y. To see the full path name in a longer attribute, you can specify
it in the mappings section of a format in the .fmt file, for example, filename FILENAME CustomSlot1. The mapping completes the slot named filename with
the full path of the file in which the event was found and maps it
into CustomSlot1, which is 256 characters long.
- LogSources
- Specifies the text log files to poll for messages. The complete
path to each file must be specified, and file names must be separated
by commas. Within each file name, you can also use an asterisk (*) to represent any sequence of characters, or a question
mark (?) to represent any single character. For example, mylog* results in polling all log files whose names begin
with mylog, whereas mylog??? results
in polling all log files whose names consist of mylog followed by exactly three characters. These wildcard characters
are supported only within the file name; the path must be explicitly
specified.
If you want to use regular expressions
or pattern matching in the path, see the RegexLogSources description.
A log file source is not required to exist when the agent
is started; the log file is polled when it is created.
- NewFilePollInterval
- Specifies the frequency, in seconds, at which the agent checks for
new files to monitor. For example, if a file name specified by the LogSources or RegexLogSources configuration
file settings does not yet exist when the agent starts, it checks
again for the file's existence after this interval.
- NumEventsToCatchUp
- Specifies the event in the log that the agent starts with. This
option provides some flexibility if the source that is being monitored
is new or the agent is stopped for an extended time. Valid values
are as follows:
Note: For text files, values 0 and -1 apply. For Windows event log, values 0, -1, and n apply.
- 0
- Start with the next event in the logs. This value is the default.
- -1
- When set to -1, the agent saves its place in
the file that is being monitored. It saves its place so that when
the agent is stopped and later restarted, it can process any events
that are written to the log while it was stopped. The agent otherwise
ignores events that arrived while it was stopped and restarts from
the end of the file. This setting does not apply to pipes, or syslog
monitoring on UNIX and Linux.
- n
- Set to a positive integer. Starts with the nth event from the most current event in the logs; that is, start n events back from the most current event in the logs.
If n is greater than the number of events that
are available, all the events that are available are processed.
Note: You can use the n value only for Windows Event Log. The n value is ignored when UseNewEventLogAPI is set to y.
- PollInterval
- Specifies the frequency, in seconds, to poll each log file that
is listed in the LogSources option for new messages.
The default value is 5 seconds.
If you upgraded a Windows event log adapter from a previous release and you have a value that is set for PollingInterval in the Windows registry, you must specify the PollInterval option in the agent configuration file with the same value used in the Windows registry.
This rule applies only if you are replacing a Tivoli Enterprise Console log file agent that had values in the registry.
- ProcessPriorityClass
- Specifies the process priority for the agent. You can adjust
this value to improve system performance if the agent processes large
volumes of events and is using too many processor resources. The possible
values are:
- A - Very low priority
- B - Low priority
- C - Typical priority
- D - Above typical priority
- E - High priority
- F - Very high priority
- USE_CONF_FILE_VALUE -
Use the value that is specified in the configuration file (This value
is the default)
Note: The value of this setting is global. If
you implement monitoring profiles by using subnodes, this value applies
to all monitoring profiles. Its value cannot be different in different
configuration files for the same agent.
- RegexLogSources
- Specifies the text log files to poll for messages. It differs
from the LogSources option in that regular expression meta characters
can be used in the base name portion of the file name and at most
one subdirectory of the file name. This difference provides greater
flexibility to describe multiple files to monitor in multiple directories
than the LogSources option.
For example, specifying /var/log/mylog* for the LogSources statement is identical to using the dot (.) meta character followed by an asterisk (*) meta character to form /var/log/mylog.* in the
RegexLogSources statement. This type of qualifier results in polling
all log files in the /var/log directory whose base
names begin with mylog and are followed by zero
or more characters. A /var/log/mylog.+ qualifier
results in polling all log files in the /var/log directory
whose names begin with mylog and are followed
by one or more characters.
Similar to LogSources,
the complete path to each file must be specified and the file names
must be separated by commas. However, the comma is also a valid character
inside a regular expression. In order to distinguish between a comma
that is used as part of a regular expression and one used to separate
file names, commas that are used as part of a regular expression must
be escaped with the backslash (\) character.
For example, if you want to search for logs that match
either of the following regular expressions: /logs/.*\.log and /other/logs/[a-z]{0,3}\.log, you must escape
the comma in the {0,3} clause of the second expression,
so that the agent does not mistake it for the beginning of a new expression: RegexLogSources=/logs/.*\.log,/other/logs/[a-z]{0\,3}\.log
If meta characters are used in the path name, the
meta characters can be used in only one subdirectory of the path.
For example, you can specify /var/log/[0-9\.]*/mylog.* to have meta characters in one subdirectory. The [0-9\.]* results in matching any subdirectory of /var/log that consists solely of numbers and dots (.).
The mylog.* results in matching any file names in
those /var/log subdirectories that begin with mylog and are followed by zero or more characters.
Because some operating systems use the backslash (\) as a directory separator, it can be confused with a regular expression
escape meta character. Because of this confusion, forward slashes must
always be used to indicate directories. For example, Windows files that are specified as C:\temp\mylog.* might mean the \t is
a shorthand tab character. Therefore, always use forward slashes (/) on all operating systems for directory separators. The C:/temp/mylog.* example represents all files in the C:/temp directory that start with mylog.
If more than one subdirectory contains meta characters, a
trace message is also issued. For example, c:/[0-9\.]*/temp.files/mylog.* has two subdirectories with meta characters. [0-9\.]* is the first subdirectory with meta characters and temp.files is the second subdirectory that used a dot (.) meta
character. In this case, the agent assumes that the first subdirectory
with the meta character is used and the subsequent directories with
meta characters are ignored. For more information about troubleshooting
issues with regular expressions, see Agent troubleshooting.
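The comma-escaping, single-subdirectory and forward-slash rules above can be checked before a configuration file is deployed. The following added example is not part of the agent or of IBM's tooling; the function names and the set of characters counted as meta characters are assumptions of this sketch.

```python
import re

# Characters counted as regular expression meta characters in this sketch
# (an assumption; the page does not list the agent's own set).
META = re.compile(r"[.*+?\[\]{}()|^$\\]")

def split_sources(value):
    """Split a RegexLogSources value on commas that are not escaped with a backslash."""
    sources, current, i = [], "", 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            # "\," is a literal comma inside the expression; other escapes stay as written.
            current += "," if nxt == "," else ch + nxt
            i += 2
            continue
        if ch == ",":
            sources.append(current)
            current = ""
        else:
            current += ch
        i += 1
    sources.append(current)
    return sources

def lint_source(expr):
    """Return warnings for one expression, based on the rules described above."""
    warnings = []
    if re.match(r"[A-Za-z]:\\", expr):
        warnings.append("backslash used as directory separator; use forward slashes")
    dirs = expr.split("/")[:-1]  # every path component except the base name
    meta_dirs = [d for d in dirs if META.search(d)]
    if len(meta_dirs) > 1:
        warnings.append("meta characters in %d subdirectories; only %r is used"
                        % (len(meta_dirs), meta_dirs[0]))
    return warnings

def lint_value(value):
    """Map each expression in a RegexLogSources value to its warnings."""
    return {expr: lint_source(expr) for expr in split_sources(value)}

if __name__ == "__main__":
    # Values taken from the examples in the text above.
    print(split_sources(r"/logs/.*\.log,/other/logs/[a-z]{0\,3}\.log"))
    print(lint_value(r"c:/[0-9\.]*/temp.files/mylog.*"))
    print(lint_value(r"C:\temp\mylog.*"))
```

An unescaped comma in {0,3} splits the value into three expressions instead of two, which means a log source that was meant to be monitored silently is not.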
- SubnodeName
- A string value that can be used to override the default name that
is assigned to a monitoring profile subnode. By default, the subnode
name that is assigned to a monitoring profile corresponds to the base
name of the configuration file that is used for that profile. By using
this setting, a different subnode name can be assigned.
- SubnodeDescription
- A string value that can be used to assign a value to the Subnode Description attribute of the LFAProfiles workspace.
- UnmatchLog
- Specifies a file to log discarded events that cannot be parsed
into an event class by the agent. The discarded events can then be
analyzed to determine whether modifications are needed to the agent
format file. Events that match a pattern that uses *DISCARD* do not
appear in the unmatch log because they did match a pattern.
This option is generally used in a test environment to validate the filters
in the format file. This option fills up your file system if you leave
it on for extended periods.