File Monitoring and Analysis

Objective

The aim of this powerful File Monitoring tool is to instantly detect and alert if any files go missing, if a file is growing at a steady speed, if it is being regularly updated, if its security settings have changed, etc.

The File Analysis tool is one of the most important monitoring tools, as most applications deal with files and many of them are critical. Monitoring Studio allows you to:

Monitor the main characteristics of these files, such as presence, size, growth and security
Parse file content to retrieve useful data (including strings that should or should not be present, and numeric values to build graphs).

The most typical usage of file monitoring is parsing a LOG file. Most applications use LOG files to trace their operations and notify operators when failures occur.

Important: The difference between flat files and LOG files: unlike LOG files, so-called "flat files" are always parsed in their entirety when you specify strings or numeric values to search for in the file. In LOG files, only the new lines are scanned when searching for strings or numeric values.

Method (summary)

In order to monitor a file, you must first:

1. Specify whether it is a flat file or a LOG file
2. (Flat files are entirely updated and therefore need to be parsed entirely as opposed to LOG files where new lines are appended at the end of the file and therefore only these new lines need to be analyzed).
3. Indicate the path to the file
4. Select the characteristics to be monitored.
5. If required, create string search and numeric value extraction objects
6. If you have large multi-line records, or XML files or complex LOG files, you can first transform the content with the text pre-processing tool, and then run string and numeric value searches on it.

Result

Once the file monitoring is set up and string searches/numeric value searches/text preprocessing, and file security objects are set up for the monitored file, the objects hierarchy in the PATROL Console will be as illustrated in the image below:

[Image: TREE_FileMonitoringAnalysis]

Create or edit a file monitoring

To create a new file monitoring and analysis, right-click the Application/Container icon in the PATROL Console > KM Commands > New > File monitoring and analysis...

Step 1: Selecting the type of file to monitor

[Image: WIZ_FileMonitoring_1Welcome]

File Monitoring and Analysis Wizard — Welcome Page

To edit an existing file monitoring, right-click the file icon in the PATROL Console > KM Commands > Edit.

To monitor the security settings of this file, right-click the file icon (once it has been created) in the PATROL Console > KM Commands > New > File Security check…

See section on "File security monitoring" for more information about this feature.

To specify strings to search in this file:

1.Right-click the file icon (once it has been created) in the PATROL Console
2.Select KM Commands > New > String search...

See section on "Searching for strings" for more information about this feature.

To specify numeric values to extract from this file:

1.Right-click the file icon (once it has been created) in the PATROL Console
2.Select KM Commands > New > Numeric Value extraction…

See chapter "Searching for numeric values" for more information about this feature.

Step 2: Identifying the file to monitor

Identify the file you wish to monitor

[Image: WIZ_FileMonitoring_2NameParam]

File Monitoring and Analysis Wizard — File Name and Parameters Page

File name and path: Path and name of the file to be monitored.

Note: Wildcards can be used in the path or file name. In this case, the most recently modified or created file matching the criteria will be monitored. The wildcard characters that can be used are:
'?': replaces one character,
'*': replaces one or more characters.
It is also possible to use a format Menu Command to dynamically insert the current date or time in the file name or path. Simply insert the following string in the "File name and path" field, replacing the three dots with date format symbols: %{ASCTIME:…}. For the complete list of format symbols, their meaning and some examples, please see Format Symbols in the Reference section.

Example

Monitor: /opt/myApplication/log/myApp*.log
Behavior: Monitoring Studio will look for the most recent file that matches the mask (e.g. /opt/myApplication/log/myApp_20030807_1711) and start monitoring this file.

When the application stops writing to this LOG file and creates a new one (e.g. /opt/myApplication/log/myApp_20030808_0512), Monitoring Studio analyzes the current file for changes, searches it for strings and numbers, and then switches to the new file. This way, no information is lost when switching from the previous file to the new one.
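The behavior described above (LOG files scanned only for new lines, flat files parsed in full, and the previous file drained before switching to a newer file matching the mask) can be sketched as follows. This is an added illustration, not Monitoring Studio's code; the `LogScanner`, `scan_flat` and `demo` names, the `.log` sample file names and the `ERROR` search string are assumptions made for the example.

```python
import glob, os, re, tempfile

class LogScanner:
    """LOG-file mode: scan only lines appended since the last poll."""
    def __init__(self, mask, pattern):
        self.mask, self.pattern = mask, re.compile(pattern)
        self.current, self.offsets = None, {}   # offsets: path -> bytes already scanned

    def _read_new(self, path):
        start = self.offsets.get(path, 0)
        if os.path.getsize(path) < start:       # file was truncated: start over
            start = 0
        with open(path, "rb") as f:
            f.seek(start)
            data = f.read()
        end = data.rfind(b"\n") + 1             # a partial last line waits for the next poll
        self.offsets[path] = start + end
        lines = data[:end].decode("utf-8", "replace").splitlines()
        return [l for l in lines if self.pattern.search(l)]

    def poll(self):
        hits, files = [], glob.glob(self.mask)
        newest = max(files, key=os.path.getmtime) if files else None
        if self.current and self.current != newest and os.path.exists(self.current):
            hits += self._read_new(self.current)  # drain the old file before switching
        if newest:
            self.current = newest
            hits += self._read_new(newest)
        return hits

def scan_flat(path, pattern):
    """Flat-file mode: the whole file is parsed on every poll."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return [l.rstrip("\n") for l in f if re.search(pattern, l)]

def demo():
    d = tempfile.mkdtemp()
    old = os.path.join(d, "myApp_20030807_1711.log")   # constructed sample files
    new = os.path.join(d, "myApp_20030808_0512.log")
    def append(path, text, mtime):
        with open(path, "a", encoding="utf-8") as f:
            f.write(text)
        os.utime(path, (mtime, mtime))          # fixed mtimes keep the ordering deterministic
    scanner = LogScanner(os.path.join(d, "myApp*.log"), r"ERROR")
    append(old, "INFO start\nERROR disk full\n", 1000)
    first = scanner.poll()
    append(old, "ERROR late write\n", 1001)
    append(new, "INFO start\nERROR auth failure\n", 1002)
    second = scanner.poll()                     # old file drained, then the new one
    third = scanner.poll()                      # nothing new: no hits
    return first, second, third, scan_flat(old, r"ERROR")

if __name__ == "__main__":
    print(demo())
```

The second poll returns the line written to the old file just before rotation as well as the hit in the new file, which is the "no information is lost" property; the flat-file scan returns every matching line each time it runs.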

Select the parameters you want to monitor: Select only those relevant to this file monitoring and deselect the others. See SW_FILES for parameter details.

Tip: When you set or edit thresholds, the thresholds dialog box displays only those parameters selected at this stage. At a later stage, if you wish to monitor more (or fewer) parameters of this file, click on the instance > KM commands > Edit and select or deselect the parameters.

Click Next. You arrive at the last panel of the file monitoring set-up process.

Note: A warning panel will appear if the file does not actually exist or if the path entered is incorrect.

Step 3: Monitoring Studio settings

[Image: WIZ_FileMonitoring_3Settings]

File Monitoring and Analysis Wizard — Settings Page

Object display name: Label displayed in the PATROL Console

Object internal identifier (ID): PATROL internal identifier of this monitored object. Although modifiable, it is strongly recommended not to change the default ID.

What thresholds do you want to set for the newly created instance? A drop-down list allows you to select the mode of setting alert thresholds:

Use default thresholds: Uses the default thresholds set by Monitoring Studio
Set custom thresholds: Allows you to customize the thresholds for all parameters of the instance
Use default thresholds and customize them: Sets the default Monitoring Studio thresholds on certain parameters (see list of parameters with default thresholds) and then allows you to customize any/all of them. This is mainly intended to help save time if you wish to customize the thresholds of just one of many parameters for the instance, and leave the default settings for the others.
Note: If you select Use default thresholds and customize them, then on clicking Finish the Set Thresholds panel will appear, and certain parameters for the instance may appear with an asterisk symbol, indicating that they already have thresholds. You can then customize any or all of the parameter thresholds to suit your specific needs.
Do not set any thresholds for now: No thresholds will be set on any parameter of the instance, and as a result no alerts will be triggered. Monitoring Studio will poll the object and return the output of the polling – but will not raise any alerts until you set thresholds.

Tip: Thresholds can be set or modified at any time by right-clicking on the instance > KM commands > Set Thresholds.

File monitoring objects are instances of the SW_FILES class.


See Also

Can I search for Windows Events whose description match a regular expression?

What is the meaning of the "Argument1, 2..." fields in the Windows Event monitoring wizard?

Windows EventLog Reader tool

SW_NTEVENTS