Create an Agent Client Collector log policy

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 9 minutes
  • Create a new ACC log policy when no default policy exists for the CI that you want Agent Client Collector to monitor.

    Before you begin

    • The Agent Client Collector Log Analytics (ACC-L) application, available from the ServiceNow Store, must be installed. For more information, see Agent Client Collector installation.
    • The Agent Client Collector comes with the default servicenow user. Ensure that this user has read access to all the configured log paths so that Agent Client Collector can view them. For example, the Agent Client Collector servicenow user that comes installed with the base system does not have permissions to view the paths to /var/log/ in Linux and C:\Windows\System32 in Windows. For information about configuring permissions for the servicenow user, see the ACC-L Permission Denied issues [KB1117271] article in the Now Support Knowledge Base.

    Role required: agent_client_collector_admin

    Procedure

    1. Navigate to All > ACC Log Analytics > ACC Log Policies.
      The Policies page displays all Log Analytics policies. For a list of the policies that come with the base system, see Agent Client Collector Log Analytics default policies and checks.
    2. Click New.
      Note:
      For general information about creating an ACC policy, see Create a new Agent Client Collector policy.
    3. On the form, fill in the fields.
      Table 1. Policy Definition Form
      Field | Description
      Name | A descriptive name for the policy.
      Description | Description of the policy.
      Publish status | Hard coded as Draft, which means that the policy has not yet been published. You cannot edit this field.
      Hierarchy | Hard coded as None. When a child policy is added to the policy, the value changes to Parent. Child policies have a value of Child.
    4. On the Checks tab, associate the log policy with the relevant log shipper check.
      • For Linux and Windows, except for Windows event logs, select the log shipper check definition.
      • For Windows event logs only, select the log shipper for win events check definition.
    5. On the Monitored CIs tab, specify the CIs to which the policy applies.
      1. Choose the CI type to be monitored.
        • Monitored CI type by filter: Select the monitored CI type. You can narrow down the CIs that will be monitored by using filter conditions.
        • Monitored CI type by script: Specify the monitored CIs by using a script.
        • Monitored CI type by CMDB Group: Specify the monitored CIs by using CMDB group queries.

        For more information about choosing monitored CI types, see Create a new Agent Client Collector policy.

      2. Optional: Monitor only CIs that are associated with an Application Service by selecting Filter Monitored CIs by Application Service.
        You can specify the Application Services to be monitored by using filter conditions. Agent Client Collector will only retrieve the logs of CIs that are associated with these Application Services.
    6. Save the log policy.
      In the Check instances related list, a check instance record is created.
    7. Open the relevant check instance record and then select Edit in Sandbox.
    8. Select the Log path configurations related list.
    9. Add a log path for the check instance.
      Note:
      A check must have at least one log path configured for it to enable streaming logs. For more information about checks, see Checks and policies.
      1. Select New.
      2. On the form, fill in the fields.
        Table 2. New path configuration form
        Field | Description
        Path | The full path from where the logs are streamed. You can use a wildcard. This field is required.
        Component | The device type or stack layer that provides a context for the logs, used for anomaly detection and correlation. For example: Tomcat.
        Source Type | Defines how Health Log Analytics handles a specific log type and parses the log data. For example: Tomcat Catalina.
      3. Optional: For shipping multiline logs using Filebeat, configure the following properties.

        These parameters control how Agent Client Collector Log Analytics (ACC-L) handles messages that span multiple lines of text.

        For more information, see Manage multiline messages in the Elastic documentation.

        Field | Description
        multiline.pattern (regex) | The regular expression to match. Note: You must define this property before you can configure the multiline.match and multiline.negate properties.
        multiline.match | How ACC-L combines matching lines into a single log line. The available options are None, Before, and After. Default is None.
        multiline.negate | Option for determining whether the pattern identified in the log lines is negated. The available options are None, True, and False. Default is None.

      4. Optional: Define the following properties that control the Filebeat YML configuration.
        Field | Description
        Fields | Field that enables you to include and exclude information in the output. For example, you can add a field for filtering the log data. Add more Field rows by selecting the plus icon next to the Value field. Remove a Field row by selecting the minus icon. For more information, see the Log input Fields description in the Elastic documentation.
        Configuration Options | Field that enables you to add configuration options to the log lines. For example, you can add the encoding to use. Note: Define only configuration options that are supported by Filebeat. For more information, see the Log input Configuration options description in the Elastic documentation.

      5. Select OK.
        The log path is created.
    10. Select Return to Policy.
    11. On the policy form, select Publish.
      The policy's Publish status changes to Published.
    12. Optional: Activate the policy by selecting Activate.
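
    How the multiline.pattern, multiline.match and multiline.negate properties from the log path step interact, as an added Python illustration (not ServiceNow or Elastic code) that models the pattern, negate and match rules described in the Elastic multiline documentation. The sample log lines, the timestamp pattern and the function names are constructed for this example; Filebeat's line-count and timeout limits are not modelled, and Filebeat uses Go regular expression syntax, which differs from Python's for some constructs.

```python
import re

# Constructed Tomcat-style sample: one stack trace followed by a normal entry.
SAMPLE = [
    "12-Mar-2026 10:15:01.123 SEVERE [main] org.example.App.start Failed to start",
    "java.lang.IllegalStateException: constructed example",
    "\tat org.example.App.init(App.java:42)",
    "\tat org.example.App.main(App.java:10)",
    "Caused by: java.io.IOException: constructed example",
    "\t... 2 more",
    "12-Mar-2026 10:15:02.456 INFO [main] org.example.App.start Server startup in 1234 ms",
]
# Assumed multiline.pattern: a line that begins a new entry starts with a timestamp.
TS = r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}"

def group_multiline(lines, pattern, negate=False, match="after"):
    """Group lines into events per the documented pattern/negate/match rules.

    A line "hits" when the regex is found in it, inverted when negate is set.
    after:  a hit on the current line joins it to the event being built.
    before: a hit on the previous line joins the current line to it.
    """
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    rx = re.compile(pattern)
    events, buf, prev_hit = [], [], False
    for line in lines:
        hit = bool(rx.search(line)) != negate
        joins = hit if match == "after" else prev_hit
        if buf and not joins:  # the current line starts a new event
            events.append("\n".join(buf))
            buf = []
        buf.append(line)
        prev_hit = hit
    if buf:
        events.append("\n".join(buf))
    return events

def correct_grouping():
    # negate=True, match=after: lines WITHOUT a timestamp attach to the entry above.
    return group_multiline(SAMPLE, TS, negate=True, match="after")

def misconfigured_grouping():
    # negate=False with the same pattern: the trace is split line by line and
    # the next timestamped entry is glued onto the tail of the trace.
    return group_multiline(SAMPLE, TS, negate=False, match="after")
```

    With the negated setting the sample yields two events (the full stack trace and the startup entry); with negate left false it yields six fragments, which is the kind of mis-grouping that degrades anomaly detection and correlation on the streamed logs.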

    What to do next

    Ensure that the data input is streaming data.