How to monitor multiple files using Read Event from file?

Support, Questions and Discussions on EventReporter

Moderator: alorbach

Re: How to monitor multiple files using Read Event from file

Postby xfrsquad42 » Fri Mar 14, 2014 2:24 pm

OK... you're right, indeed I thought that ER was able to process all files of the directory. But that would be a great possibility for the future ;-)

That's clearer now! Yes, I think we should be able to generate one log file/day/filer.

Nevertheless, can you confirm that ER is not able to process a log file with this time pattern: YMDHMS? It means that we would have to rename all our log files...
xfrsquad42
Average
 
Posts: 14
Joined: Wed Mar 12, 2014 2:28 pm

Re: How to monitor multiple files using Read Event from file

Postby xfrsquad42 » Fri Mar 14, 2014 4:57 pm

I have another question:

I added a second Event Log Monitor to try another way to process multiple log files:

Event Log Monitor 1: use filename path \\filer01\logs\access_audit.%Y%m%d%h.evtx

Event Log Monitor 2: use filename path \\filer02\logs\access_audit.%Y%m%d%h.evtx

Action: Forward to syslog

But only the first log file is sent via syslog.

Does it mean that only one Event Log Monitor can forward to syslog?

Thx for your support.
xfrsquad42
Average
 
Posts: 14
Joined: Wed Mar 12, 2014 2:28 pm

Re: How to monitor multiple files using Read Event from file

Postby alorbach » Fri Mar 14, 2014 5:05 pm

EventReporter can process YMDHMS logfiles, but it is unlikely to hit a valid file with such a search pattern. That is why your tests always fail. If you had evtx files for each second in your directory, the date pattern would match. That's why I recommend having a file pattern with only YMD in it.

Regarding your second question, you do not even need to configure new EventLog Monitors; you can create custom Eventlog channels in your existing one. Anyway, if you have a file pattern, only the first file found will be processed. So if multiple files match the pattern, the other files won't be processed. You can change the filename generation by setting the offset parameter. For example, if you want to generate filenames from the last hour in your second EventLog Monitor, use an offset of 3600.

Best regards,
Andre Lorbach
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am
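The filename generation described in this reply, as an added illustration that is not EventReporter's code: the placeholder meanings (with %h read as the hour, as the quoted access_audit.%Y%m%d%h.evtx pattern suggests), the offset-in-seconds semantics and the sample file names are assumptions constructed from the thread. It shows why a pattern down to the second never lands on an existing hourly file, and how offset=3600 names the previous hour's file.

```python
from datetime import datetime, timedelta
from typing import Optional

# Assumed placeholder mapping (EventReporter's own parser may differ):
# each token expands to a zero-padded numeric field of the computed timestamp.
PLACEHOLDERS = {
    "%Y": "%Y",  # four-digit year
    "%m": "%m",  # two-digit month
    "%d": "%d",  # two-digit day
    "%h": "%H",  # two-digit hour (assumption: %h denotes the hour in this thread)
    "%M": "%M",  # two-digit minute
    "%S": "%S",  # two-digit second
}

HOURLY = r"\\filer01\logs\access_audit.%Y%m%d%h.evtx"        # the poster's pattern
PER_SECOND = r"\\filer01\logs\access_audit.%Y%m%d%h%M%S.evtx"  # a YMDHMS pattern

# Constructed sample: the filer writes one .evtx per hour; the monitor polls at 14:57:12.
NOW = datetime(2014, 3, 14, 14, 57, 12)
FILER01 = {
    r"\\filer01\logs\access_audit.2014031413.evtx",
    r"\\filer01\logs\access_audit.2014031414.evtx",
}

def generate_filename(pattern: str, now: datetime, offset_seconds: int = 0) -> str:
    """Expand the placeholders for (now - offset); offset=3600 names the previous hour's file."""
    stamp = now - timedelta(seconds=offset_seconds)
    name = pattern
    for token, fmt in PLACEHOLDERS.items():
        name = name.replace(token, stamp.strftime(fmt))
    return name

def pick_file(pattern: str, now: datetime, offset_seconds: int, existing: set) -> Optional[str]:
    """A pattern yields exactly one candidate name, never a directory scan,
    so the monitor processes that one file or nothing at all."""
    candidate = generate_filename(pattern, now, offset_seconds)
    return candidate if candidate in existing else None

def demo() -> dict:
    return {
        "current_hour": pick_file(HOURLY, NOW, 0, FILER01),
        "previous_hour": pick_file(HOURLY, NOW, 3600, FILER01),
        "per_second": pick_file(PER_SECOND, NOW, 0, FILER01),  # no such file exists
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```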

Re: How to monitor multiple files using Read Event from file

Postby xfrsquad42 » Fri Mar 14, 2014 5:24 pm

OK, so date replacement just works "in real time" for minute and second patterns, is that right?

And about the offset of 3600, it will work only if the target log file has a one-hour lag compared to the actual system hour, right?
xfrsquad42
Average
 
Posts: 14
Joined: Wed Mar 12, 2014 2:28 pm

Re: How to monitor multiple files using Read Event from file

Postby alorbach » Fri Mar 14, 2014 5:39 pm

Precisely yes.
alorbach
Site Admin
 
Posts: 1627
Joined: Thu Feb 13, 2003 11:55 am

Re: How to monitor multiple files using Read Event from file

Postby xfrsquad42 » Sat Mar 15, 2014 5:25 pm

OK, I'm gonna try to find a solution with this.

Thx for your time resolving this case :-)
xfrsquad42
Average
 
Posts: 14
Joined: Wed Mar 12, 2014 2:28 pm
