BEA Log Central Release 5.0

Creating Filters

 

The following sections describe how to define and assign filters:

Overview of Filters

Defining Filters

Assigning Filters

 


Overview of Filters

Filters are defined and assigned in the Log Central messaging configuration file. For more information about this file, see Configuration Files. You can also use the Log Central Console to filter messages. For information about the Log Central Console, see the Log Central Online Help.

You can create filters that cause the Data Collection Agents to do the following:

Try to use filters as little as possible. Because each log message must go through all of the filters, throughput can be adversely affected. In particular, the COMMAND action is very time-consuming.

To create a filter:

  1. Define the filter as described in Defining Filters.

  2. Assign the filter as described in Assigning Filters.

 


Defining Filters

The following sections explain how to define filters:

Creating a DEFINE_FILTER Entry

Defining a Condition

Filtering Based on a Domain

Defining an Action

Suppressing an Action

Creating a DEFINE_FILTER Entry

To define a filter, create a DEFINE_FILTER entry in the Log Central messaging configuration file. The DEFINE_FILTER entry must precede the filter assignment statements in the messaging configuration file. A DEFINE_FILTER entry has the following syntax:

DEFINE_FILTER "filtername"
if condition
{
action_statement1
[action_statement2]
[action_statementN]
}

filtername cannot exceed eight characters. Each action statement must be of a different type. For example, a filter cannot include two COMMAND action statements. For information about action statements, see Defining an Action.

Note: The maximum number of filters that you can define is 50. If the messaging configuration file contains more than 50 filters, the Log Central behavior becomes unpredictable.

Defining a Condition

A condition can be simple or complex. The following example shows a filter that uses a simple condition:

DEFINE_FILTER "DropInfo"
if (MSGID == 8)
{
REMOTE = "NO"
}

This entry defines a filter named DropInfo. The filter specifies that if a message has a message ID of 8, it is dropped (not sent to the Central Collector). You can use a filter like this to drop messages that you do not want to monitor. By default, data collection agents send all messages to the Central Collector. In other words, the default value of REMOTE is YES.

To create a complex condition, use logical operators to combine simple conditions. The following table describes these logical operators.

Table 7-1 Logical Operators for Defining Conditions

Syntax                         Interpretation
-----------------------------  ----------------------------------------
!(condition)                   Evaluates to true if condition is false.
(condition1) && (condition2)   Evaluates to true if both condition1 and condition2 are true.
(condition1) || (condition2)   Evaluates to true if either condition1 or condition2 (or both) is true.

The following example shows a filter that drops messages that have a message ID of 8 and are from subsystem NDB:

DEFINE_FILTER "DropInfo"
if ((SUBSYSTEM == "NDB") && (MSGID == 8))
{
REMOTE = "NO"
}

In a filter condition, use enough parentheses in the if statement to preclude ambiguities in the evaluation, because precedence rules are not followed strictly during evaluation.

You can use the message body and message header fields to define filtering conditions. You cannot use message definition fields because the Central Collector adds these fields to the message, which means that they are not available to the data collection agents. The following table describes the keywords that you can use to define conditions. String values must be enclosed in quotes.

Table 7-2 Keywords for Defining Conditions

Keyword     Data Type   Description
----------  ----------  ----------------------------------------
PID         Number      Process ID
MSGID       Number      Message ID
SUBSYSTEM   String      Subsystem
LOG_LEVEL   String      Logging level
HOST        String      Host name
FUNCTION    String      Internal function
ENTITY      String      Entity name of Log Monitor
                        Use this keyword to perform domain-based filtering as described in Filtering Based on a Domain.
USER        String      User ID
MSGBODY     String      String to test for a match in the body of the message

The following table describes the relations that you can use to define conditions.

Table 7-3 Relations for Defining Conditions

Symbol   Meaning
-------  ----------------------------------------
==       Numeric: Is equal to
         String: Is identical to
!=       Numeric: Is not equal to
         String: Does not match
>=       Numeric: Greater than or equal to
         String: Contains or is the same as
<=       Numeric: Less than or equal to
         String: Is a substring of or is the same as
>        Numeric: Greater than
         String: Contains and is not the same as
<        Numeric: Less than
         String: Is a substring of and is not the same as
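
Because the relations in Table 7-3 mean containment for strings, a condition attached to REMOTE = "NO" can match more messages than intended. The following is an added example, not code from Log Central: it evaluates a condition against constructed sample messages so you can preview what a filter would match. The names evaluate and matching are assumptions, string != is read as "not identical", and a mix of && and || without parentheses is rejected rather than guessed at.

```python
import re

TOKEN = re.compile(r'\s*(&&|\|\||[=!<>]=|[()!<>]|"[^"]*"|\w+)')

def compare(op, field, literal):
    """Table 7-3 relation; string literals use the contains/substring meanings."""
    if isinstance(literal, str):
        field = str(field)
        same, has, part = field == literal, literal in field, field in literal
        return {"==": same, "!=": not same, ">=": has, "<=": part,
                ">": has and not same, "<": part and not same}[op]
    field = int(field)
    return {"==": field == literal, "!=": field != literal, ">=": field >= literal,
            "<=": field <= literal, ">": field > literal, "<": field < literal}[op]

def evaluate(condition, msg):
    """Evaluate one filter condition (the text after `if`) against a message dict."""
    toks = TOKEN.findall(condition) + ["<end>"]
    def term():
        tok = toks.pop(0)
        if tok == "!":
            return not term()
        if tok == "(":
            val = expr()
            if toks.pop(0) != ")":
                raise ValueError("missing )")
            return val
        op, lit = toks.pop(0), toks.pop(0)
        return compare(op, msg[tok], lit[1:-1] if lit[0] == '"' else int(lit))
    def expr():
        val, first = term(), toks[0]
        while toks[0] in ("&&", "||"):
            if toks[0] != first:  # the page advises parentheses: precedence is not strict
                raise ValueError("mix of && and || needs parentheses")
            op, rhs = toks.pop(0), term()
            val = (val and rhs) if op == "&&" else (val or rhs)
        return val
    result = expr()
    if toks != ["<end>"]:
        raise ValueError("unexpected trailing tokens")
    return result

# Constructed sample messages (not from the page), keyed by Table 7-2 keywords.
SAMPLE = [{"MSGID": 8, "SUBSYSTEM": "NDB", "MSGBODY": "cache refreshed"},
          {"MSGID": 8, "SUBSYSTEM": "KERNEL", "MSGBODY": "fatal: disk offline"},
          {"MSGID": 9, "SUBSYSTEM": "NDB", "MSGBODY": "login failed"}]

def matching(condition, messages=SAMPLE):
    return [m for m in messages if evaluate(condition, m)]
```

Running matching on a drop filter's condition lists the messages that would never reach the Central Collector.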

Filtering Based on a Domain

Domain-based filtering enables you to filter messages based on the Log Monitor entity name. For example, if a system has three managed nodes and each managed node has a Log Monitor with an entity name of LogMonWLE, these Log Monitors constitute a domain.

You can create filters for Log Monitors based on the domain. For example:

DEFINE_FILTER "DropWLE"
if ((ENTITY == "LogMonWLE") && (MSGID == 8))
{
REMOTE = "NO"
}

To implement filtering based on a domain, define the Log Monitor entity names in one of the following places:

For information about the log_monitor command, see Commands. For information about the messaging configuration file, see Configuration Files.

Defining an Action

You can specify one or more actions for a Data Collection Agent to perform when a condition is true. The following table describes the types of action statements that are possible.

Table 7-4 Types of Actions

To Perform the Following Action:   Use the Following Action Statement:
---------------------------------  ----------------------------------------
Drop a log message                 REMOTE = "NO"
Forward a log message              REMOTE = "YES"
Run a script or program            COMMAND = "executable_path [arguments]"
                                   where executable_path is the full pathname for the script or program
Send an SNMP trap                  TRAPID = trap_number
Save a log message to a file       LOCAL = "filename"
                                   where filename is the full pathname for the file.

Suppressing an Action

In addition to using a filter condition to determine whether or not to perform an action, you can also apply suppression criteria to actions. Suppression criteria are based on one or both of the following values:

You can apply suppression criteria to all actions in a filter or to a selected subset of actions in a filter. The following table describes the keywords for defining suppression criteria.

Table 7-5 Keywords for Defining Suppression Criteria

Keyword       Data Type   Description
------------  ----------  ----------------------------------------
INTERVAL      Time        Time interval during which Log Central ignores duplicate log messages. The format is xxh:yym:zzs where:
OCCURRENCES   Number      Number of occurrences during which Log Central ignores duplicate log messages.

To use suppression criteria:

For example:

DEFINE_FILTER "fatal"
if ((SUBSYSTEM == "KERNEL") && (MSGBODY >= "fatal"))
{
DO
{
COMMAND="/usr/mybin/page_admin"
TRAPID=123
REMOTE="YES"
}IGNORE_DUPLICATES_WITHIN (INTERVAL="00h:30m:00s" || OCCURRENCES=100)
LOCAL="/usr/local/logs/fatal"
}

In this example, the actions in the DO statement are suppressed (ignored) if the log message occurs within 30 minutes after the first duplicate log message or if the log message precedes the 100th occurrence of the same log message.

A REMOTE statement exhibits the following special behaviors when included in a filter that includes suppression criteria:

If a filter that includes suppression criteria does not include a REMOTE statement, then all messages are forwarded.

 


Assigning Filters

The following sections explain how to assign and turn off filters:

Overview of Assigning Filters

Assigning a Global Filter

Turning Off a Global Filter

Assigning a Local Filter

Overview of Assigning Filters

You can assign a filter globally or locally. A global filter affects the entire system. A local filter affects a managed node. The simplest approach is to use global filters for situations that apply to the greatest number of nodes, and specify any exceptions locally.

Filters are assigned or turned off in the Log Central messaging configuration file. For information about this file, see Configuration Files.

Assigning a Global Filter

To assign a global filter, create a FILTER statement in the LC_GLOBAL entry in the Log Central messaging configuration file. You can use multiple FILTER statements to assign multiple global filters. The syntax for the FILTER statement is:

FILTER = "filtername"

where filtername cannot exceed eight characters.

For example:

LC_GLOBAL
{
CENTRAL_HOST = "quahog"
LOGPREFIX = "/usr/lclog"
BACKUP_HOST = "orca"
BACKUP_LOGPREFIX = "/usr/backuplog"
FILTER = "BankTrap"
}

Turning Off a Global Filter

To turn off the global filters for a particular managed node, use the GLOBAL_FILTER = "NO" statement in the MANAGED_NODE entry in the Log Central messaging configuration file. For example:

MANAGED_NODE
{
HOSTNAME = "bigiron"
GLOBAL_FILTER = "NO"
}

Assigning a Local Filter

To assign a local filter, create a FILTER statement in a MANAGED_NODE entry in the Log Central messaging configuration file. You can use multiple FILTER statements to assign multiple local filters to a node. The syntax for the FILTER statement is:

FILTER = "filtername"

filtername cannot exceed eight characters.

For example:

MANAGED_NODE
{
HOSTNAME = "marmalade"
FILTER = "F2"
FILTER = "F3"
GLOBAL_FILTER = "NO"
}
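
The limits given under Defining Filters and Assigning Filters (names of at most eight characters, at most 50 filters, one action statement of each type per filter, DEFINE_FILTER before any FILTER assignment) can be checked before a messaging configuration file is deployed. The following is an added example, not BEA code: the lint function, its line-based parsing and the sample configuration are assumptions made for illustration.

```python
import re

MAX_FILTERS, MAX_NAME = 50, 8  # limits stated on the page
DEFINE = re.compile(r'\s*DEFINE_FILTER\s+"([^"]*)"')
ASSIGN = re.compile(r'\s*FILTER\s*=\s*"([^"]*)"')
ACTION = re.compile(r'\s*(REMOTE|COMMAND|TRAPID|LOCAL)\s*=')
ENTRY = re.compile(r'\s*(LC_GLOBAL|MANAGED_NODE)\b')

def lint(text):
    """Return (line, message) findings for a messaging configuration file."""
    out, defined, current, actions, assigned = [], [], None, set(), False
    for n, line in enumerate(text.splitlines(), 1):
        if m := DEFINE.match(line):
            current, actions = m.group(1), set()
            defined.append(current)
            if len(current) > MAX_NAME:
                out.append((n, f'name "{current}" exceeds {MAX_NAME} characters'))
            if assigned:
                out.append((n, f'"{current}" is defined after a FILTER assignment'))
        elif m := ASSIGN.match(line):
            assigned = True
            if m.group(1) not in defined:
                out.append((n, f'FILTER "{m.group(1)}" has no preceding DEFINE_FILTER'))
        elif ENTRY.match(line):
            current = None  # left the filter definition
        elif current and (m := ACTION.match(line)):
            if m.group(1) in actions:
                out.append((n, f'"{current}" has two {m.group(1)} action statements'))
            actions.add(m.group(1))
    if len(defined) > MAX_FILTERS:
        out.append((0, f"{len(defined)} filters defined, limit is {MAX_FILTERS}"))
    return out

# Constructed sample (not from the page) that breaks each rule except the 50 limit.
SAMPLE = '''LC_GLOBAL
{
FILTER = "BankTrap"
}
DEFINE_FILTER "DropKernelInfo"
if (MSGID == 8)
{
REMOTE = "NO"
REMOTE = "YES"
}
'''
```

Calling lint(SAMPLE) returns one finding per violated rule with its line number; an empty list means none of the checked rules is violated.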