Data Item XML - Application Log File
This post explains the main data types involved in monitoring application log files. Depending on the monitor used, the following data types are initially created by the data source modules.
Following is a sample of the data type created by System.ApplicationLog.GenericLogReader.
<DataItem type="System.ApplicationLog.GenericLogEntryData" time="2005-08-17T11:23:51.0870595-07:00">
<LogFileDirectory>d:\test</LogFileDirectory>
<LogFileType>Generic Log File Format</LogFileType>
<LogFileName>d:\test\test.log</LogFileName>
<Params>
<Param><![CDATA[error: component failed]]></Param>
</Params>
</DataItem>
Following is a sample of the data type created by System.ApplicationLog.InternetApplicationLogReader.
<DataItem type="System.ApplicationLog.InternetLogEntryData" time="2005-08-17T11:23:51.0870595-07:00">
<LogFileDirectory>c:\winnt\system32\logfiles\w3svc1</LogFileDirectory>
<LogFileType>Binary</LogFileType>
<LogFileName>ra1.ibl</LogFileName>
<Date>2005-11-28</Date>
<Time>21:55:32</Time>
<ClientIP>127.0.0.1</ClientIP>
<UserName>-</UserName>
<SiteID>W3SVC1539225103</SiteID>
<ServerName>Server01</ServerName>
<ServerIP>127.0.0.2</ServerIP>
<ServerPort>80</ServerPort>
<Method>GET</Method>
<URIStem>/Default.htm</URIStem>
<URIQuery>param=1</URIQuery>
<ProtocolStatus>200</ProtocolStatus>
<WindowsStatus>0</WindowsStatus>
<BytesSent>200</BytesSent>
<BytesReceived>320</BytesReceived>
<BytesTransferred>520</BytesTransferred>
<TimeTakenInMS>231</TimeTakenInMS>
<ProtocolVersion>1</ProtocolVersion>
<ProtocolSubstatus>0</ProtocolSubstatus>
<HostHeader>hosted</HostHeader>
<UserAgent>Mozilla/4.0</UserAgent>
<Cookie>cookie=1</Cookie>
<Referrer>https://www.cnn.com/</Referrer>
</DataItem>
Monitoring objects (monitors, rules …) which use those modules to monitor application logs should use $Data/…$ context parameter replacement with the following XPath queries:
Generating an alert from a rule uses the following:
$Data/<relative path to the property>$
Generating an alert from a monitor state change uses the following:
$Data/Context/<relative path to the property>$
Sample:
To get to the first parameter of the generic log, replace <relative path to the property> with Params/Param[1] (XPath positions start at 1, so Param[1] is the first <Param>) to get the following query: $Data/Params/Param[1]$
There are also definitions of composite data source modules which use the modules mentioned above as their start module and then convert (map) the output data type into an event data type. The application log data item is then stored inside the <EventData> section of the event.
Following is a sample of the data type created by System.ApplicationLog.GenericLogReader.EventProvider.
<DataItem type="System.Event.Data" time="2007-05-22T10:07:41.6416394-07:00">
<EventOriginId>{8ED89955-E479-40A9-E83A-BB4A37A48499}</EventOriginId>
<PublisherId>{1F68E240-153F-3990-0560-2AC472836C4A}</PublisherId>
<PublisherName>GenericLog</PublisherName>
<Channel>GenericLog</Channel>
<LoggingComputer />
<EventNumber>0</EventNumber>
<EventCategory>3</EventCategory>
<EventLevel>0</EventLevel>
<UserName />
<RawDescription />
<CollectDescription Type="Boolean">true</CollectDescription>
<EventData>
<DataItem type="System.ApplicationLog.GenericLogEntryData" time="2007-05-22T10:07:41.6416394-07:00">
<LogFileDirectory>d:\genericlogs</LogFileDirectory>
<LogFileType>Generic Log File Format</LogFileType>
<LogFileName>d:\genericlogs\generic.log</LogFileName>
<Params>
<Param>parameter1</Param>
<Param>ERROR</Param>
<Param>parameter3</Param>
</Params>
</DataItem>
</EventData>
<EventDisplayNumber>0</EventDisplayNumber>
<EventDescription />
</DataItem>
Monitoring objects (monitors, rules …) which use these composite modules to monitor application logs should use $Data/…$ context parameter replacement with the following XPath queries to get to the properties of the original application log data item:
Generating an alert from a rule uses the following:
$Data/EventData/DataItem/<relative path to the property>$
Generating an alert from a monitor state change uses the following:
$Data/Context/EventData/DataItem/<relative path to the property>$
Sample:
To get to the first parameter of the generic log event provider, replace <relative path to the property> with Params/Param[1] to get the following query: $Data/EventData/DataItem/Params/Param[1]$
NOTE: Just a reminder that SP1 RTM (when shipped later next year) brings a fix so that the keyword "DataItem" is always used after "Context", but all queries mentioned above will still work!
Sample of the XPath query to use in SP1 RTM (only) when generating an alert from a monitor state change:
$Data/Context/DataItem/<relative path to the property>$
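To make the four query forms above concrete, here is a small Python resolver added to this post (it is example code, not part of the product or of the original post). It builds the $Data/…$ reference for a property from the rules given above (plain rule, composite event provider, monitor state change, and the SP1 form) and then resolves it against the data items shown on this page with the standard library's ElementTree XPath subset. The sample items are transcribed subsets of the page's samples; the placeholder() and resolve() helpers and their parameter names are this example's own; the wrapper used for the monitor state-change item (<DataItem><Context>…</Context></DataItem>) is an assumed shape, and the fallback from Context/<path> to Context/DataItem/<path> is this example's model of the note that the older queries keep working in SP1.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, transcribed (in part) from the data items shown on this page.
# Raw strings keep the Windows backslashes intact.
GENERIC_LOG_ITEM = r"""<DataItem type="System.ApplicationLog.GenericLogEntryData" time="2005-08-17T11:23:51.0870595-07:00">
<LogFileDirectory>d:\test</LogFileDirectory>
<LogFileType>Generic Log File Format</LogFileType>
<LogFileName>d:\test\test.log</LogFileName>
<Params>
<Param><![CDATA[error: component failed]]></Param>
</Params>
</DataItem>"""

# Subset of the InternetLogEntryData sample. Note that ClientIP, URIStem, URIQuery,
# UserAgent, Cookie and Referrer are copied from the request, i.e. client-controlled text.
INTERNET_LOG_ITEM = r"""<DataItem type="System.ApplicationLog.InternetLogEntryData" time="2005-08-17T11:23:51.0870595-07:00">
<LogFileName>ra1.ibl</LogFileName>
<ClientIP>127.0.0.1</ClientIP>
<Method>GET</Method>
<URIStem>/Default.htm</URIStem>
<URIQuery>param=1</URIQuery>
<ProtocolStatus>200</ProtocolStatus>
<UserAgent>Mozilla/4.0</UserAgent>
</DataItem>"""

# Composite (EventProvider) form: the original log data item sits under <EventData>.
GENERIC_EVENT_ITEM = r"""<DataItem type="System.Event.Data" time="2007-05-22T10:07:41.6416394-07:00">
<PublisherName>GenericLog</PublisherName>
<Channel>GenericLog</Channel>
<EventData>
<DataItem type="System.ApplicationLog.GenericLogEntryData" time="2007-05-22T10:07:41.6416394-07:00">
<LogFileName>d:\genericlogs\generic.log</LogFileName>
<Params>
<Param>parameter1</Param>
<Param>ERROR</Param>
<Param>parameter3</Param>
</Params>
</DataItem>
</EventData>
</DataItem>"""

# ASSUMED shape of a monitor state-change context: the post only tells us the original
# item is reached via Context/ (pre-SP1) or Context/DataItem/ (SP1 RTM).
STATE_CHANGE_ITEM = "<DataItem><Context>" + GENERIC_LOG_ITEM + "</Context></DataItem>"


def placeholder(rel_path, composite=False, monitor=False, sp1=False):
    """Build the $Data/...$ reference for a property using the rules from the post.

    composite: module is an *.EventProvider composite (item under EventData/DataItem)
    monitor:   alert is raised from a monitor state change (item under Context)
    sp1:       SP1 RTM form, with the explicit DataItem keyword after Context
    """
    parts = ["$Data"]
    if monitor:
        parts.append("Context")
        if sp1:
            parts.append("DataItem")
    if composite:
        parts += ["EventData", "DataItem"]
    parts.append(rel_path)
    return "/".join(parts) + "$"


PLACEHOLDER = re.compile(r"\$Data/([^$]+)\$")


def resolve(template, data_item_xml):
    """Replace every $Data/<path>$ in template with the text of the matching element."""
    root = ET.fromstring(data_item_xml)

    def lookup(rel):
        node = root.find(rel)  # ElementTree supports child paths and 1-based [n] predicates
        # Model of the SP1 note: the older Context/<path> form keeps working even though
        # the item now sits under Context/DataItem.
        if node is None and rel.startswith("Context/") and not rel.startswith("Context/DataItem/"):
            node = root.find("Context/DataItem/" + rel[len("Context/"):])
        return node

    def substitute(match):
        node = lookup(match.group(1).strip())
        if node is None:
            return match.group(0)  # leave an unresolved reference visible rather than blanking it
        return node.text or ""

    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    print(resolve(placeholder("Params/Param[1]"), GENERIC_LOG_ITEM))
    print(resolve(placeholder("Params/Param[2]", composite=True), GENERIC_EVENT_ITEM))
    print(resolve("$Data/ClientIP$ $Data/Method$ $Data/URIStem$?$Data/URIQuery$ -> $Data/ProtocolStatus$",
                  INTERNET_LOG_ITEM))
```

Two things worth keeping in mind when writing alert descriptions this way: an index that does not exist (for example Param[9] on a three-parameter line) simply does not match, so check the query against a real data item rather than assuming a blank means "no data"; and for the IIS reader the query string, User-Agent, cookie and referrer values are whatever the client sent, so text substituted from them into an alert is untrusted input, not something to act on or re-use unescaped.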