Linux log monitoring default checks and policies

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Linux Log Monitoring Default Checks and Policies

    The Agent Client Collector offers policies for monitoring Linux log files, catering to both regular and root user logs. These policies enable users to set up checks that can track log entries based on specified patterns, ensuring efficient monitoring of critical events within applications.

    Show full answer Show less

    Key Features

    • util.check-logs: Monitors log files owned by regular users, allowing various configurations such as case sensitivity, exclusion patterns, log file paths, and specific log formats.
    • util.check-logs-sudo: Similar functionality for log files owned by root users, with additional commands to run with sudo permissions.
    • Flexible Pattern Matching: Users can define multiple patterns, set warning and critical levels, and configure log file encodings for precise monitoring.
    • Event Management: Options to skip events for nonexistent log files and control the output of matched lines enhance usability and performance.

    Key Outcomes

    By implementing these checks, ServiceNow customers can effectively monitor log files for critical events, receive alerts based on defined patterns, and quickly respond to potential issues. This proactive approach ensures smoother operations and improved system reliability.

    Agent Client Collector provides the following policy for Linux log monitoring.

    Type Check Description Usage and Usage Example Output
    Event util.check-logs Enables monitoring log files owned by a regular user. Usage:
    • -i --icase: Run a case insensitive match.
    • -c, --crit N: Critical level (if pattern has a group).
    • --encode-utf16u: Encode line with utf16 before matching.
    • -e, --encoding ENCODING-PAGE: Specific encoding page to read log file with.
    • -E, --exclude PAT: Pattern to exclude from matching.

    • -F, --filepattern FILE: Check a pattern of files, instead of one file. For REGEX, first test it on https://rubular.com/ to get the expected outcomes and then pass it inside quotes as a parameter. For example, to get all .log extension files, pass "(.)*\.log$" as REGEX.

    • -f, --log-file FILE: Path to log file.
    • -l, --log-pattern PAT: Log format of each log entry:
    • -o, --warn-only Warn instead of critical on match.
    • -q, --pattern PAT Pattern to search for.To search for multiple patterns, separate each pattern with pipe(|) and put inside quotes (For example: "SEVERE|404").
    • -r, --return: Return matched line.
    • -L, --return-length N: Matched line length.
    • -M, --return-error-limit N: Max number of returned matched lines(log entries).
    • -n, --name NAME Set state file dir automatically using name.
    • -s, --state_dir DIR Dir to keep state files under.
    • -G, --skip-events-for-nonexistent: Skip event creation if the log file is missing or not found at the specified path. Default = False.
    • -w, --warn N: Warning level if pattern has a groupWarning level if pattern has a group.

    Usage example: command: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

    		 CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE|Exception in log file /var/log/servicenow/agent-client-collector/acc.log
    Event util.check-logs-sudo Enables monitoring log files owned by a root user. Usage:
    • -i --icase: Run a case insensitive match
    • -c, --crit N: Critical level (if pattern has a group)
    • --encode-utf16u: Encode line with utf16 before matching
    • -e, --encoding ENCODING-PAGE: Specific encoding page to read log file with.
    • -E, --exclude PAT Pattern to exclude from matching

    • -F, --filepattern FILE: Check a pattern of files, instead of one file. For REGEX, first test it on https://rubular.com/ to get the expected outcomes and then pass it inside quotes as a parameter. For example, to get all .log extension files, pass "(.)*\.log$" as REGEX.

    • -f, --log-file FILE: Path to log file.
    • -l, --log-pattern PAT: Log format of each log entry:
    • -o, --warn-only Warn instead of critical on match
    • -q, --pattern PAT Pattern to search for.To search for multiple patterns, separate each pattern with pipe(|) and put inside quotes (for example: "SEVERE|404")
    • -r, --return: Return matched line.
    • -L, --return-length N: Matched line length.
    • -M, --return-error-limit N: Max number of returned matched lines(log entries).
    • -n, --name NAME: Set state file dir automatically using name.
    • -s, --state_dir DIR: Dir to keep state files under
    • -G, --skip-events-for-nonexistent: Skip event creation if the log file is missing or not found at the specified path. Default = False.
    • -w, --warn N: Warning level if pattern has a groupWarning level if pattern has a group.
    • must_sudo: Enables the servicenow user to run the command with sudo permissions.

    Usage example: command: check-log.rb -c 2 -w 1 -q "SEVERE|Exception" -s /tmp/cache/check-log -f /var/log/servicenow/agent-client-collector/acc.log

    		CheckLog CRITICAL: 0 warnings, 8 criticals for pattern SEVERE|Exception in log file /var/log/servicenow/agent-client-collector/acc.log