Linux log monitoring default checks and policies

  • Release version: Australia
  • Updated March 12, 2026

    Agent Client Collector provides the following policies for Linux log monitoring. Both checks take the same options; they differ only in whether the monitored log file is owned by a regular user or by root.

    Type: Event
    Check: util.check-logs
    Description: Enables monitoring of log files owned by a regular user.
    Usage:
    • -i, --icase: Run a case-insensitive match.
    • -c, --crit N: Critical level (if the pattern has a group).
    • --encode-utf16u: Encode the line with UTF-16 before matching.
    • -e, --encoding ENCODING-PAGE: Specific encoding page to read the log file with.
    • -E, --exclude PAT: Pattern to exclude from matching.
    • -F, --filepattern FILE: Check a pattern of files instead of one file. For the REGEX, first test it on https://rubular.com/ to confirm it matches what you expect, then pass it inside quotes as the parameter. For example, to match all files with a .log extension, pass "(.)*\.log$" as the REGEX.
    • -f, --log-file FILE: Path to the log file.
    • -l, --log-pattern PAT: Log format of each log entry.
    • -o, --warn-only: Warn instead of critical on match.
    • -q, --pattern PAT: Pattern to search for. To search for multiple patterns, separate each pattern with a pipe (|) and put the whole expression inside quotes (for example: "SEVERE|404").
    • -r, --return: Return the matched line.
    • -L, --return-length N: Matched line length.
    • -M, --return-error-limit N: Maximum number of returned matched lines (log entries).
    • -n, --name NAME: Set the state file directory automatically using NAME.
    • -s, --state_dir DIR: Directory to keep state files under.
    • -w, --warn N: Warning level (if the pattern has a group).
    Usage example:
    command: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log
    Output:
    CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE|Exception in log file /var/log/servicenow/agent-client-collector/acc.log

    Type: Event
    Check: util.check-logs-sudo
    Description: Enables monitoring of log files owned by the root user.
    Usage:
    • -i, --icase: Run a case-insensitive match.
    • -c, --crit N: Critical level (if the pattern has a group).
    • --encode-utf16u: Encode the line with UTF-16 before matching.
    • -e, --encoding ENCODING-PAGE: Specific encoding page to read the log file with.
    • -E, --exclude PAT: Pattern to exclude from matching.
    • -F, --filepattern FILE: Check a pattern of files instead of one file. For the REGEX, first test it on https://rubular.com/ to confirm it matches what you expect, then pass it inside quotes as the parameter. For example, to match all files with a .log extension, pass "(.)*\.log$" as the REGEX.
    • -f, --log-file FILE: Path to the log file.
    • -l, --log-pattern PAT: Log format of each log entry.
    • -o, --warn-only: Warn instead of critical on match.
    • -q, --pattern PAT: Pattern to search for. To search for multiple patterns, separate each pattern with a pipe (|) and put the whole expression inside quotes (for example: "SEVERE|404").
    • -r, --return: Return the matched line.
    • -L, --return-length N: Matched line length.
    • -M, --return-error-limit N: Maximum number of returned matched lines (log entries).
    • -n, --name NAME: Set the state file directory automatically using NAME.
    • -s, --state_dir DIR: Directory to keep state files under.
    • -w, --warn N: Warning level (if the pattern has a group).
    Usage example:
    command: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log
    Output:
    CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE|Exception in log file /var/log/servicenow/agent-client-collector/acc.log
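    The following Ruby script is an added worked example, not part of this page and not the Agent Client Collector's own check-log.rb. It re-implements the behaviour the options above describe so you can see how -q/--pattern, -E/--exclude, -s/--state_dir with -n/--name, -c/--crit, -w/--warn, -o/--warn-only and -M/--return-error-limit interact: the state file records the byte offset reached on the previous run, so each run only evaluates log entries written since then, and the result message follows the "CheckLog CRITICAL: N warnings, M criticals ..." shape shown in the output above. The sample log, the state-file naming scheme and the way capture-group thresholds are applied (captured number compared with -w/-c; any match without a group counts as critical, or as a warning under --warn-only) are assumptions made for this example.

```ruby
# Added example, not the Agent Client Collector's check-log.rb. Minimal
# re-implementation of the check semantics described on the page.
require 'fileutils'
require 'tmpdir'

# Constructed sample log, loosely modelled on a service log (not real ACC output).
SAMPLE_LOG = <<~LOG
  2026-03-12 10:00:01 INFO   agent started
  2026-03-12 10:00:02 SEVERE disk usage above threshold
  2026-03-12 10:00:03 WARN   retrying connection latency=120ms
  2026-03-12 10:00:04 Exception in thread "main": java.io.IOException
  2026-03-12 10:00:05 SEVERE heartbeat failed (test fixture, ignore)
  2026-03-12 10:00:06 INFO   request served latency=900ms
  2026-03-12 10:00:07 INFO   request served latency=10ms
LOG

# Decide how one matching line counts. Assumption: with a capture group the
# captured number is compared with the thresholds ("Critical level (if the
# pattern has a group)"); without a group every match is critical, or a
# warning under --warn-only.
def classify(match, crit:, warn:, warn_only:)
  on_match = warn_only ? :warning : :critical
  return on_match if match.captures.empty?
  value = match[1].to_f
  return on_match if value >= crit
  return :warning if value >= warn
  nil
end

def check_log(log_file:, pattern:, state_dir:, name: nil, crit: 2, warn: 1,
              exclude: nil, icase: false, warn_only: false, return_limit: 5)
  flags = icase ? Regexp::IGNORECASE : 0
  re = Regexp.new(pattern, flags)
  ex = exclude && Regexp.new(exclude, flags)

  # State file (role of -s/--state_dir and -n/--name): byte offset reached on
  # the previous run, so only new entries are evaluated this time.
  FileUtils.mkdir_p(state_dir)
  state_file = File.join(state_dir, "#{name || File.basename(log_file)}.offset")
  offset = File.exist?(state_file) ? File.read(state_file).to_i : 0
  offset = 0 if offset > File.size(log_file) # log rotated or truncated: rescan

  warnings = criticals = 0
  returned = []
  File.open(log_file, 'r') do |f|
    f.seek(offset)
    f.each_line do |line|
      next if ex && ex.match?(line)            # -E/--exclude wins over -q
      m = re.match(line)
      next unless m
      case classify(m, crit: crit, warn: warn, warn_only: warn_only)
      when :critical then criticals += 1
      when :warning  then warnings += 1
      else next                                # group value below -w: ignore
      end
      returned << line.chomp if returned.size < return_limit # -M cap
    end
    offset = f.pos
  end
  File.write(state_file, offset.to_s)

  status = criticals > 0 ? 'CRITICAL' : (warnings > 0 ? 'WARNING' : 'OK')
  message = "CheckLog #{status}: #{warnings} warnings, #{criticals} criticals " \
            "for pattern #{pattern} in log file #{log_file}"
  { status: status, warnings: warnings, criticals: criticals,
    message: message, lines: returned }
end

# Runs the scenario end to end in a temporary directory and returns the
# four results: first run, repeat run (nothing new), run after one new
# SEVERE line, and a capture-group threshold check under a separate name.
def demo
  Dir.mktmpdir do |dir|
    log = File.join(dir, 'acc.log')
    File.write(log, SAMPLE_LOG)
    state = File.join(dir, 'check-log')
    opts = { log_file: log, pattern: 'SEVERE|Exception', exclude: 'test fixture',
             state_dir: state, crit: 2, warn: 1 }
    first  = check_log(**opts)
    second = check_log(**opts)
    File.open(log, 'a') { |f| f.puts '2026-03-12 10:00:08 SEVERE disk full' }
    third  = check_log(**opts)
    group  = check_log(log_file: log, pattern: 'latency=(\d+)ms', name: 'latency',
                       state_dir: state, crit: 500, warn: 100)
    [first, second, third, group]
  end
end

demo.each { |r| puts r[:message] } if __FILE__ == $PROGRAM_NAME
```

    Run it with plain `ruby`; the first run reports two criticals (the excluded "test fixture" line is skipped), the immediate re-run reports OK because the state file already points at the end of the file, the third run sees only the newly appended line, and the latency check shows how a capture group turns the thresholds into numeric comparisons rather than match counts. Keying the state file on -n/--name rather than on the log path is what lets two checks with different patterns watch the same file without sharing an offset.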