How “Log File Name” patterns works with Symantec Security Information Manager Event Collector Log File Sensor
search cancel

How “Log File Name” patterns works with Symantec Security Information Manager Event Collector Log File Sensor


Article ID: 152810


Updated On:


Security Information Manager


The log file that you want to monitor always change name. For example some product might add a date string to the file name. You want theses files to be read in a sequential order.


Different products produce and name logs in different ways.  The Log file sensor type has been created to deal with these different logging methods in as flexible a manner as possible.
The value of the “Log File Name” property, and the setting of the “Reading Mode” property for the Log file sensor type will determine how the sensor will deal with the logs it is intended to read:

  • If “Reading Mode” is set to MonitorSingleFileLog, the “Log File Name” property must contain the exact name of a single file to read.  This implies the program generates a single log file, with an unchanging name, which will be read.  Using wildcards with this setting is not recommended, as the sensor will attempt to read every log that meets the filename mask simultaneously.
  •  If “Reading Mode” is set to MonitorDynamicLog, the “Log File Name” property must contain a pattern that represents multiple files.  The patterns are described below.  This implies the program being monitored generates multiple log files.
  • The “Log File Name” property can contain comma-separated list of log file names. This option was designed to handle logs from products like Microsoft DHCP Server, which at some point can have multiple log files with equal modification dates.
  • If the “Log File Name” property does not contain commas (“,”) or single quote characters (“’”) , the property indicates the common part of the names of all log files the Log File sensor should to read. The sensor uses the property in this way to distinguish log files from other files that may be in Log Path directory.  (The property can be set to empty string if the Log Path will only contain log files.  However, care should be taken if the property is set to an empty string, as with wildcards, all log files present in the directory will be read simultaneously.)


Used in combination with the "MonitorDynamicLog" setting for the "Reading Mode" sensor property, the “Log File Name” property can contain a pattern for log file names.  The sensor determines if the value entered in the “Log File Name” property is a pattern by the presence of single quote characters in it.
A Pattern value should be used if the names of all the log files generated by the product follow same pattern, and the order in which they have to be processed cannot be determined by the last modification time of the files.  To determine the order in which to read the log files, the sensor analyses one or more numeric fields in the pattern. Each pattern must have at least one numeric field.
When specifying a “Log File Name” pattern:
- Static parts of the file name must be put in single quotes. (If the static part of the log file name actually contains single quote characters, you can specify these quotes by using two single quote characters.) Use digits as placeholders for numeric fields.
- Values of the digits used for fields in a pattern determine the  order in which they have to be analyzed. Smaller digits denote less significant fields.
For example, MS ISA log file names look like ISALOG_20070929_WEB_001.w3c.  So, they follow a pattern ‘text'YYYYMMDD'text'NNN'text'.  In this pattern, YYYYMMDD stands for the year, month, and day on which the log file was generated, and NNN stands for sequential number of the log file.
To read the MS ISA logs sequentially, pattern specified in the “Log to Monitor” property should look like: 'ISALOG_'33332211'_WEB_'000'.w3c'
This pattern, combined with the “Reading Mode” property set to “MonitorDynamicLog”, will cause the MS ISA logs to be read sequentially, from oldest to newest.  As new logs are written to the Log Path directory, they would automatically be picked up.

Applies To

This feature only apply to Log File Sensor Collector. The minimum version to use this feature is 2.37. If you don't have this version, please run LiveUpdate.