Monday, November 4, 2013

PATROL LOG KM Examples - Part 4: A not so simple case of multiple-line search

Last week I discussed a simple case of multiple-line search in PATROL LOG KM to include additional lines after the line that matches your search string pattern. But what if the additional lines you want to include are before the line that matches the search string pattern?  We will need to use an advanced feature of PATROL LOG KM called 'Multiline Search'.

For example, if you want to capture the following two lines in your log file and send out an alert message like "User: root password will expire in 3 days."

root 21292 c Mon Oct 28 08:00:00 2013
! Your password will expire in 3 days.


Before activating the multiline search feature, configure LOG KM normally as shown in the 'PATROL LOG KM Examples - Part 1' post. Let's set up a log instance called 'Test_Log'. Threshold #1 of the State Change Options is set to "1" and its state to "ALARM". The search pattern in this example is "! Your password will expire in 3 days".

Now we are going to activate multiline search for this LOG KM instance. From the PATROL console, right-click on <host> -> OS KM -> LOG -> Test_Log -> KM Commands -> Advanced Feature -> Multiline Search

In the pop-up box, enter ":" as the Start Delimiter and "password" as the End Delimiter. Both are literal strings; regular expressions don't work here. They define the start and the end of the block that LOG KM captures as one match: the ":" is found in the timestamp of the line before the password message, and "password" is found in the message line itself, so both lines end up in the block. Keep in mind that any line containing a ":" qualifies as a start delimiter, so choose delimiters as specific as your log format allows.
(screenshot: logkm3.png)
Now we need to configure the recovery action that runs when the ALARM fires. Let's create a file called LOGKM_RecoveryAction_multiline.cfg as follows:

PATROL_CONFIG
"/AS/EVENTSPRING/LOGMON/Test_LogPN0/LOGErrorLvl/arsAction" = { REPLACE = "6" },
"/AS/EVENTSPRING/LOGMON/Test_LogPN0/LOGErrorLvl/arsCmdType" = { REPLACE = "PSL" },
"/AS/EVENTSPRING/LOGMON/Test_LogPN0/LOGErrorLvl/arsCommand" = { REPLACE = "/opt/bmc/LOGKM_RecoveryAction_multiline.psl" }

Then create /opt/bmc/LOGKM_RecoveryAction_multiline.psl as follows:

# Give the KM a moment to populate LOGMatchString with the captured block.
sleep(1);
# The whole captured block (start delimiter line through end delimiter line)
# arrives as one multi-line string.
match_str = get("/LOGMON/".__instance__."/LOGMatchString/value");
# The "n" option makes grep return each hit as "<line number>:<line text>".
expire_line = grep("! Your password will expire in 3 days.", match_str, "n");
account_list = "";
foreach lin (expire_line) {
  line_num = nthargf(lin, 1, ":");                  # line number of the hit within the block
  account_line = nthlinef(match_str, line_num-1);   # the line just before the hit
  account = nthargf(account_line, 1);               # first field of that line is the account name
  account_list = account_list." ".account;
}
msg = "User:".account_list." password will expire in 3 days";

# Raise the event with the instance's current status and severity 4,
# then record the hit in the LOGErrorLvl parameter.
status = get("/LOGMON/".__instance__."/LOGErrorLvl/status");
origin = "LOGMON.".__instance__.".PasswordExpire";
event_trigger2(origin, "STD", "41", status, "4", msg);
set("/LOGMON/".__instance__."/LOGErrorLvl/value", 1);

Run 'pconfig LOGKM_RecoveryAction_multiline.cfg' to push the configuration, then restart the PATROL Agent so the recovery action takes effect.
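The PSL above can only be exercised inside a PATROL Agent, which makes it awkward to check the delimiter and line-offset logic before deploying. The following Python is an added example, not PATROL or BMC code, that models the same two steps offline on a constructed log: the block capture (assumed here to open at the first line containing the Start Delimiter and close at the next line containing the End Delimiter, both as plain substrings) and the recovery action (grep with line numbers, take the previous line, use its first field). It goes slightly beyond the PSL in one place: the account field is checked against a conservative username pattern before it is placed in the alert text, since that field is copied straight out of the log.

```python
"""Offline model of LOG KM multiline capture plus the password-expiry recovery action.
Added example; the block-boundary rules and the username check are assumptions, not KM behaviour."""
import re
from typing import List

# Values as entered in the Multiline Search dialog and the instance's search pattern.
START_DELIM = ":"          # plain substring, not a regex
END_DELIM = "password"
PATTERN = "! Your password will expire in 3 days."   # PSL grep is regex; "." matches any char
# Added check (not in the PSL): only let plausible account names into the event message.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = "\n".join([
    "Oct 28 07:59:00 cron[100]: daily job finished",   # ':' opens a block earlier than intended
    "root 21292 c Mon Oct 28 08:00:00 2013",
    "! Your password will expire in 3 days.",           # 'password' closes block 1
    "alice 21300 c Mon Oct 28 08:05:00 2013",           # ':' in the timestamp opens block 2
    "! Your password will expire in 3 days.",           # closes block 2
    "! Your password will expire in 3 days.",           # no ':' line before it: never captured
])


def capture_blocks(log_text: str, start: str = START_DELIM, end: str = END_DELIM) -> List[str]:
    """Model of Multiline Search: a block opens at a line containing `start` and closes at
    the next line containing `end`. Each block is returned as the multi-line string the KM
    hands to LOGMatchString. Lines outside any block are dropped."""
    blocks: List[str] = []
    current: List[str] = []
    for line in log_text.splitlines():
        if not current:
            if start in line:
                current = [line]
            else:
                continue
        else:
            current.append(line)
        if end in line:                      # a line may open and close a block at once
            blocks.append("\n".join(current))
            current = []
    return blocks


def recovery_action(match_str: str, pattern: str = PATTERN) -> str:
    """Same steps as the PSL: grep with 1-based line numbers, take line_num-1,
    first whitespace-separated field is the account."""
    lines = match_str.split("\n")
    accounts: List[str] = []
    for line_num, line in enumerate(lines, start=1):
        if not re.search(pattern, line):
            continue
        if line_num == 1:
            continue                         # no previous line in the block to read an account from
        fields = lines[line_num - 2].split()
        account = fields[0] if fields else ""
        # Added hardening: do not echo arbitrary log bytes into the alert text.
        accounts.append(account if ACCOUNT_RE.fullmatch(account) else "?")
    return "User:" + "".join(" " + a for a in accounts) + " password will expire in 3 days"


def alerts_for_log(log_text: str) -> List[str]:
    """One alert message per captured block, as the KM would raise them."""
    return [recovery_action(block) for block in capture_blocks(log_text)]


if __name__ == "__main__":
    for msg in alerts_for_log(SAMPLE_LOG):
        print(msg)
```

Running it on the constructed log yields one alert for root and one for alice; the third expiry message, which has no colon-bearing line before it, never enters a block and so never produces an alert, which is the behaviour to expect from the delimiter choice above.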
