UIM - Considerations on logmon Match On Every Run while using Full mode

Article ID: 144053

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

Documentation Background:

Logmon's Match on Every Run option makes the probe match values for the specified format rule each time a log file is scanned.

For example, some applications write heartbeat messages to a log. If a match is found, the probe generates alarms as configured in Message to Send on Match. If the match is not found, the probe generates the alarm that is configured in the Standard tab.

Logmon Modes:

• full: the probe scans the log file from beginning to end, but only when the file is modified. A file is considered modified when its content is updated.
• full_time: the probe scans the log file from beginning to end, but only when the file is modified. A file is considered modified when its modification time is updated.
• cat: the probe always scans the log file from beginning to end.

Issue:

When the Match on Every Run option is used on a Watcher Rule of a "full" or "full_time" mode profile, unexpected or inverted alarms are observed.

With the combination of Match on Every Run and full mode, the probe no longer sends alarms as described in the documentation; it may invert the alarm or send unexpected alarms.

Cause

Use of this combination is not recommended:

• When Match on Every Run is enabled, the probe scans the file at every "check interval" regardless of the mode used, so there is no use case for full or full_time mode together with Match on Every Run.

• Match on Every Run essentially takes precedence over the selected mode.

• If full or full_time mode is selected, the probe scans the file at every check even if the file has not been updated and its timestamp has not changed. Essentially, this turns the profile into a CAT mode profile.

• The same applies to the update mode. When Match on Every Run is enabled, the probe scans the file at every check interval, regardless of whether the file is being updated. It scans from the last updated point within the file, but it does so at every check and does not wait for the file to be updated before deciding whether to send the "standard tab" alarm, which signifies that a certain match did not occur.

Environment

Release : 8.x, 9.x

Component : UIM LOGMON 4.x

Resolution

Combining full or full_time mode with Match on Every Run is not recommended.

Instead, use CAT mode, as the result is the same as combining full or full_time mode with Match on Every Run.

Using CAT mode with Match on Every Run works fine.