I have a multi-line log file that I am trying to parse but I am having some issues with the parser template. Here is an example of the log file:
2012-01-15 @ 04:22 SQL Error encountered.
Application: BRMService
Error State: S1T00
Vendor: Microsoft
Driver: ODBC SQL Server Driver
Error: Timeout expired
Last SQL String: SELECT COUNT(*) FROM master.dbo.sysdatabases WHERE name = 'BusRuleMonitor'
Last ODBC Command: Function: SQLDriverConnect
2012-01-27 @ 23:10 SQL Error encountered.
Application: BRMService
Error State: 08001
Vendor: Microsoft
Driver: SQL Server Native Client 10.0
Error: Named Pipes Provider: Could not open a connection to SQL Server [2].
Last ODBC Command: Function: SQLDriverConnect
The only thing I am interested in monitoring is the Error State. I will monitor that error state and if it matches a certain value the alarm will be raised. I am struggling with creating a template for this parser. I was thinking that just Error State: $errorstate$ would do the trick, but I can't seem to get it to work. Any help would be appreciated.
Thanks
Hi jsnair
I think you'll need to set up your Log Parser to read the format of the log file at least up to the portion that you're interested in. It's extra work but the Log Parser is dumb and it's unable to guess which portion of the log file you're interested in unless you do it that way. For example, in the log file you posted you'd want something like:
#DateVariable#
Application: #ServiceVariable#
Error State: #StateVariable#
That's the minimum you'd need to get you the info you're looking for - in this case the state variable.
Needless to say, the Help file is pretty basic and useless. It took some digging but I did find this document which is far more helpful when working with Log Parsers.
help.kaseya.com/.../EN_LogParsers62.pdf
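As an added example, not from this thread and not Kaseya's own Log Parser code, here is a PowerShell script that does in code what the template above describes: it splits the posted log (embedded below as a constructed sample copied from the question) into records at each timestamp, pulls the Application and Error State fields out of every record, and flags the records whose state is in an alarm list. The alarm list (`08001`) is an assumption for the example; the question does not say which state value should raise the alarm. Running this against a copy of the real log is a quick way to confirm which lines the template has to match before building it in the Log Parser.

```powershell
# Added example (not from the original thread or from Kaseya): parse the
# multi-line SQL error log into records and extract the "Error State" field
# of each record, which is what the Log Parser template above is meant to do.

# Constructed sample input, copied from the log excerpt in the question.
$logText = @'
2012-01-15 @ 04:22 SQL Error encountered.
Application: BRMService
Error State: S1T00
Vendor: Microsoft
Driver: ODBC SQL Server Driver
Error: Timeout expired
Last SQL String: SELECT COUNT(*) FROM master.dbo.sysdatabases WHERE name = 'BusRuleMonitor'
Last ODBC Command: Function: SQLDriverConnect
2012-01-27 @ 23:10 SQL Error encountered.
Application: BRMService
Error State: 08001
Vendor: Microsoft
Driver: SQL Server Native Client 10.0
Error: Named Pipes Provider: Could not open a connection to SQL Server [2].
Last ODBC Command: Function: SQLDriverConnect
'@

# States that should raise the alarm. Assumed for this example; the thread
# does not say which value the poster wants to alarm on.
$alarmStates = @('08001')

function Get-SqlErrorRecords {
    param([string]$Text)

    # Every record begins with a "yyyy-MM-dd @ HH:mm" stamp at the start of a
    # line. Split in front of each stamp (zero-width lookahead keeps the stamp
    # with its record) and drop the empty string Split returns before the first one.
    $records = [regex]::Split($Text, '(?m)^(?=\d{4}-\d{2}-\d{2} @ \d{2}:\d{2} )') |
        Where-Object { $_.Trim() -ne '' }

    foreach ($rec in $records) {
        # Field values are matched per line; Trim() strips a trailing CR on
        # Windows line endings, since "." matches "\r" but "$" stops before "\n".
        $date  = [regex]::Match($rec, '^(?<v>\d{4}-\d{2}-\d{2} @ \d{2}:\d{2})').Groups['v'].Value
        $app   = [regex]::Match($rec, '(?m)^Application: (?<v>.*)$').Groups['v'].Value.Trim()
        $state = [regex]::Match($rec, '(?m)^Error State: (?<v>.*)$').Groups['v'].Value.Trim()

        [pscustomobject]@{
            Date        = $date
            Application = $app
            ErrorState  = $state
        }
    }
}

function Test-AlarmState {
    param([string]$State, [string[]]$AlarmStates)
    # True when the extracted state is one of the values that should alarm.
    return ($AlarmStates -contains $State)
}

$records = Get-SqlErrorRecords -Text $logText
foreach ($r in $records) {
    if (Test-AlarmState -State $r.ErrorState -AlarmStates $alarmStates) {
        Write-Warning ("ALARM: {0} {1} reported error state {2}" -f $r.Date, $r.Application, $r.ErrorState)
    } else {
        Write-Output ("ok: {0} {1} error state {2}" -f $r.Date, $r.Application, $r.ErrorState)
    }
}
```

With the sample above the first record (state S1T00) prints as ok and the second (state 08001) raises the warning. To check a real log, replace `$logText` with `Get-Content -Raw` on the file; if a record's ErrorState comes back empty, the "Error State:" line is not where the template expects it and the template needs to be adjusted.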
Try this:
I think I figured it out... thanks!!
Simple stuff works...
IMPORTANT THING TO NOTE:
Part of the problem I was having with my XML file was that the log called <parameter> more than one time, so the parse would never happen because there were too many instances of the same name.
I will post this as the answer... obviously more was added to the initial request, but here it is:
#get last time the powershell script was run (LastWriteTime is already a DateTime; no .DateTime string needed)
$LastRunStamp = (Get-Item c:\test\lastRunStamp.txt).LastWriteTime
#write current timestamp to file
Get-Date > c:\test\lastRunStamp.txt
foreach ($file in (Get-ChildItem c:\test\*.xml))
{
    #calculate the time difference between file modified time and last time script was run
    $span = New-TimeSpan -Start $file.LastWriteTime -End $LastRunStamp
    #if the file was modified since the last time the script ran, the value will be less than 0
    if ($span.TotalSeconds -le 0)
    {
        #instantiate XML document object
        $xdoc = New-Object System.Xml.XmlDocument
        #load up the XML contents into the object (pass the full path, not the FileInfo object)
        $xdoc.Load($file.FullName)
        #check the value of the priority XML tag; if it contains Major then write to event log
        if ($xdoc.SelectSingleNode("//priorityname").InnerText -eq 'Major')
        {
            #get the content of XML
            $content = [IO.File]::ReadAllText($file.FullName)
            #mask the FQDN's
            $content = $content.Replace(".ngd.com", ".censored").Replace(".ad.local", ".censored FQDN")
            #regex pattern to detect IP Addresses
            $pattern = "\b((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"
            #use regex to mask IP addresses
            $contentScrubbed = [regex]::Replace($content, $pattern, "censored IP Address")
            #write the scrubbed content to the Application log; the "Verint Alert" source must
            #already be registered once (New-EventLog -LogName Application -Source "Verint Alert")
            Write-EventLog -LogName Application -Source "Verint Alert" `
                -EntryType Information -EventID 1 `
                -Message ("Triggered Alarm " + $contentScrubbed)
        }
    }
}