Is it possible to match if a match string is not in a log every 6 hours for example?
Attached: a sample logmon watcher that:
- sends an alarm when the string "beat" is found (only as debug) in the monitored file
- if the string "beat" is not found during 10 minutes it will generate an alarm
I think that this comes close to answering the question but does not.
The posted config will indicate if the text occurred since the previous run of logmon.
This is not quite what the original question asks, depending on the interpretation of the English used.
If the behavior is that a log entry is generated once every 6 hours exactly, then having a logmon profile that has the same period and an expect clause will detect it not happening. That's true. The problem is that your detection delay is, on average, half the period.
Consider what happens if the logmon check runs a second before the next entry should be written to the log file. It detects the one that's almost six hours old and then doesn't check again for another six hours, at which point it alerts on the missing log entry. So, you aren't alerting on it not being there every 6 hours in this case, because by the time it is detected almost 12 hours will have elapsed since the last time the log entry was seen.
In order to achieve the general case of alerting when an entry hasn't been seen in the past specified amount of time, you need logmon to store history of that last successful detection event. And you need logmon to check the file often enough such that the cycling of logmon approximates the time that the entry was added to the log.
I think that at the moment the only successful way to achieve this is to script the age test logic and have logmon run the script. Or use cron or Windows scheduler to run a script that creates a file of the match and a dirscan profile to detect and alert on the age of that file.
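An added example, not part of the original thread and not logmon's own code: one way to script the age test described above, keeping the time of the last successful detection in a state file so the alert depends on elapsed time rather than on the check period. The script name, state file, and the `HEARTBEAT_OK` / `HEARTBEAT_MISSING` output strings are assumptions, as is having logmon or a scheduler run the script frequently and alarm on its output or exit code.

```python
import json, os, sys, time

def check_heartbeat(log_path, state_path, pattern, max_age_s, now=None):
    """Return (ok, age_s): ok is False once `pattern` has gone unseen for
    longer than max_age_s. Only bytes appended since the last run are read."""
    now = time.time() if now is None else now
    try:
        with open(state_path) as f:
            state = json.load(f)
    except (FileNotFoundError, ValueError):
        # First run: start the clock now instead of alarming immediately.
        state = {"offset": 0, "last_seen": now}
    try:
        size = os.path.getsize(log_path)
    except FileNotFoundError:
        size = 0
    if size < state["offset"]:
        state["offset"] = 0  # log was rotated or truncated: rescan from start
    if size > state["offset"]:
        with open(log_path, "rb") as f:
            f.seek(state["offset"])
            chunk = f.read(size - state["offset"])
        end = chunk.rfind(b"\n") + 1  # consume complete lines only
        if pattern.encode() in chunk[:end]:
            # Detection time stands in for write time, so run this often.
            state["last_seen"] = now
        state["offset"] += end
    tmp = state_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, state_path)  # atomic swap keeps the state file readable
    age = now - state["last_seen"]
    return age <= max_age_s, age

if __name__ == "__main__":
    # Usage (constructed): heartbeat_age.py app.log state.json beat 21600
    log, state_file, text, limit = sys.argv[1:5]
    ok, age = check_heartbeat(log, state_file, text, float(limit))
    print(("HEARTBEAT_OK" if ok else "HEARTBEAT_MISSING") + f" age={int(age)}s")
    sys.exit(0 if ok else 1)
```

Run every few minutes with a 6-hour limit, the worst-case detection delay is the limit plus one run interval, rather than up to twice the period.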
You're correct, my example is more suitable for checking short running heartbeats.