8 October 2001
Gear <firstname.lastname@example.org>, <email@example.com>
Copyright (c) 2000-2001, CITEC
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU Library General Public License as published
by the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
License for more details.
You should have received a copy of the GNU Library
General Public License along with this program; if not, write to the
Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
USA, or go to <http://www.gnu.org/copyleft/lgpl.html>
on the World Wide Web.
Itologmon is an alternative log file monitor for use with HP OpenView IT/Operations
(now VantagePoint Operations, formerly Operations Center - hereafter ITO).
It provides a mechanism for sending log file data to ITO via the opcmsg(3)
API instead of the HP-supplied log file encapsulator (opcle).
The Reason for Itologmon
The sole reason for itologmon's existence is to work around a design limitation
in ITO, namely that multiple templates cannot be used to monitor a single
log file in conjunction with the use of the 'Forward Unmatched' facility.
If such a configuration were used, the log file template that is set to
forward unmatched messages to the server would forward all messages that
are not matched by that specific template, resulting in an unmatched message
for every message that was configured in another template (in addition
to any message conditions that are configured for such messages).
Some template types are not subject to this limitation, namely opcmsg(3),
SNMP traps, and MPE console messages.
Thus, by sending log file data to ITO via the opcmsg(3) API, we can
monitor log files from multiple templates and still use the 'Forward Unmatched'
option to capture unmatched messages. At CITEC,
we separate log file conditions into individual templates for each application:
has one template, sshd another, inetd another,
another, and so on. Since all of these write their messages using
syslog(3), on most OSes they all appear in the one log file (on HP-UX, /var/adm/syslog/syslog.log).
If we used opcle, these conditions would all have to be mixed
in together in the same template. By using itologmon, we can use
separate application templates and mix and match them on hosts as required.
Itologmon can be used instead of, or in conjunction with, opcle,
the default ITO log file monitor.
How It Works
Itologmon works by reading data from log files in a manner similar to 'tail
-f' and passing the data to the opcmsg(3) API. It can detect when
a file has been appended to, truncated, or deleted and recreated (thus
it works happily with log file rotation utilities such as Red
Hat Linux's logrotate).
Itologmon has been designed to be conservative in the way it monitors log
files, and a design decision was made to sacrifice performance for safety.
Itologmon saves a state file which indicates the last position in each
file that it has read to, along with a copy of the file's stat(2) buffer.
This enables it to track changes to files, even if it has been shut down
for some time (this is not recommended, but is possible due to the design
Disadvantages Of Using Itologmon
The reason for itologmon's existence is very specific,
and if it is not a requirement of your ITO installation that this functionality
be available, you may not want to use itologmon, as it has some drawbacks:
Seems to use more CPU time than opcle, given the same files to monitor.
This is probably due to the short sleep interval (100 ms) that itologmon
uses, and can be tuned if required.
Requires local installation and configuration of software. This could
probably be overcome by including OpenView integration of some sort, but
this has not been investigated at present.
Obtain the Software
You can download itologmon from its SourceForge
Build & Install the Software
See the file INSTALL for instructions on compiling
and installing itologmon. If you are upgrading from an older version,
see the file CHANGES for information about recent
changes to the software. Install the software on each client system
that requires it (i.e. those with ITO agents).
For those log files which you wish to monitor with itologmon, set
up opcmsg(3) templates in ITO and assign them to the nodes you have installed
it on. Itologmon sends the name of the source log file as the opcmsg(3)
object name, so if you want to match on a specific log file location, you
need to set this field in each template condition. Otherwise, just
leave it blank, and your condition will match regardless of which file
it came from. In our implementation here at CITEC, we have used the
specific file name only in the suppress unmatched conditions at the top
of some of our templates.
It is recommended that you allocate a dedicated template for capturing
unmatched messages. To do this, create an empty template and turn on
the 'Forward to Server' option in the 'Unmatched Messages' section.
If you also create an 'Unmatched' message group in the message group
bank and set this as the default message group for that template, then
all unmatched messages can be filtered by message group.
There is no configuration file per se for itologmon. Simply call
it with a list of files to monitor. The supplied init script provides
a simple mechanism to do this by using an external configuration file.
Ensure that itologmon's own log file (/var/log/itologmon.log
by default) is not specified as a file to monitor (this can create logging
loops when there are ITO agent problems). Itologmon will automatically
send all errors in its own log file to ITO. The local log file is
provided for tracing and debugging purposes in the event that there are
If you experience problems with itologmon, use the link at the top of this
page to email the author a copy of the itologmon log file with full debugging
and tracing enabled, along with the following additional information:
Please read the file BUGS before emailing a problem
report to ensure that you are not reporting a known issue.
Make Your Contribution!
Please email any patches in 'diff -u' format.
See TODO for a list of tasks that could be done in the
Initial public release.
Makefile updated to enable compiling on Solaris.
Unreleased development version using slightly different algorithm for
tailing files that (unsuccessfully) attempted to work around HP-UX kernel
stat buffer bug.
Reversion to previous tailing algorithm due to failure of previous
attempts to work around it. We're stuck with this bug until HP fix