Linux log file monitoring in System Center Operations Manager

Important

This version of Operations Manager has reached the end of support; we recommend that you upgrade to Operations Manager 2019.

System Center Operations Manager now has enhanced log file monitoring capabilities for Linux servers, using the newest version of the agent, which is built on Fluentd. This update provides the following improvements over previous log file monitoring:

  • Wildcard characters in the log file name and path.
  • New match patterns for customizable log search: simple match, exclusive match, correlated match, repeated correlation, and exclusive correlation.
  • Support for generic Fluentd plugins published by the Fluentd community.

Basic operation

The basic operation of log file monitoring in Linux includes the following steps:

  1. A record is written to a log on a Linux agent.
  2. Fluentd collects the record and creates an event on a pattern match.
  3. The event is sent to the OMED service on the management server.
  4. Rules and monitors in a custom management pack collect the events and create alerts in Operations Manager.

Overview of configuration

The following steps are required to enable log file monitoring on Linux agents. Each step is described in detail in the following sections.

  1. Import the latest Linux management pack.
  2. Install the latest version of the Linux agent on each Linux computer to be monitored.
  3. Create a Fluentd configuration file to collect logs.
  4. Copy the configuration file to the Linux agents.
  5. Create rules and monitors, using the sample management pack, to collect events from the log and create alerts.

Install the latest version of the Linux agent

The latest version of the Linux agent supports Fluentd, which is required for enhanced log file monitoring. You can get details and the installation process for the new agent at Install agent on UNIX and Linux from command line.

Configure Linux log file monitoring

The Linux management pack bundle has the latest Operations Manager agent (with Fluentd). To configure Linux log file monitoring, perform the following:

  1. Import the latest Linux management pack using the standard process for installing a management pack.
  2. Install the new Linux agent on the Linux servers, either through the Discovery wizard or manually.
  3. Enable the OMED service on each management server in the resource pool that manages the Linux agents.

The OMED service collects events from Fluentd and converts them to Operations Manager events. Import a custom management pack that can generate alerts based on the events received from the Linux servers.

You enable the OMED service either from the Operations console or manually on the management server or gateway server.

From the Operations console

  1. In the Operations console, go to Monitoring > Operations Manager > Management Server > Management Servers State.
  2. Select the management server in the Management Servers State pane.
  3. In the Tasks pane, select Health Service Tasks > Enable System Center OMED Server.

Manually

  1. Click Start, type services.msc in the Start Search box, and then press Enter.
  2. In the details pane, right-click the service System Center Operations Manager External DataSource Service, and then click Properties.
  3. On the General tab, in Startup type, click Automatic, and then click OK.
  4. In the details pane, right-click the service, and then click Start.

Create the Fluentd configuration file

You configure Fluentd operation with a configuration file. For log monitoring, you need to create a configuration file that includes information such as the source log file name and path, and the filters that define which data to collect.

The master Fluentd configuration file, omsagent.conf, is located in /etc/opt/microsoft/omsagent/scom/conf/. You can add log file monitoring configuration directly to this file, but you should create a separate configuration file to manage the different settings more easily. You then use an @include directive in the master file to include your custom file.

For example, if you created logmonitoring.conf in /etc/opt/microsoft/omsagent/scom/conf/omsagent.d, you would add one of the following lines to fluent.conf:

#Include all configuration files
@include omsagent.d/*.conf

or

#include single configuration file
@include omsagent.d/logmonitoring.conf

You can get details on Fluentd configuration files at Fluentd Configuration file syntax. The following sections describe the settings, in the different directives of the configuration file, that are specific to log file monitoring. Each section includes sample settings that you can paste into a configuration file and modify for your requirements.

A complete sample configuration file for log monitoring is available for you to review and evaluate before creating your own.

Source

The source directive defines the source of the data you're collecting; this is where you define the details of your log file. Fluentd picks up each record written to the source and submits an event for it to Fluentd's routing engine. You need to specify a tag in this directive. The tag is a string that Fluentd's internal routing engine uses to correlate the different directives.

This example shows syslog records collected and tagged for processing by Operations Manager.

<source>

    # Specifies input plugin. Tail is a fluentd input plugin - http://docs.fluentd.org/v0.12/articles/in_tail
    type tail

    # Specify the log file path. Supports wild cards.
    path /var/log/syslog

    # Recommended so that Fluentd will record the position it last read into this file.
    pos_file /home/user1/fluent-test/demo_syslog.log.pos

    # Used to correlate the directives.
    tag scom.log.syslog

    format /(?<message>.*)/

</source>

Match

The match directive defines how to process events collected from the source with matching tags. Only events with a tag matching the pattern are sent to the output destination. When multiple patterns are listed inside one match tag, an event can match any of the listed patterns. The type parameter specifies which plugin to use for these events.

This example processes events with tags matching scom.log.** and scom.alert (** matches zero or more tag parts). It specifies the out_scom plugin, which allows the events to be collected by the Operations Manager management pack.

<match scom.log.** scom.event>

    # Output plugin to use
    type out_scom

    log_level trace
    num_threads 5

    # Size of the buffer chunk. If the top chunk exceeds this limit or the time limit flush_interval,
    # a new empty chunk is pushed to the top of the queue and the bottom chunk is written out.
    buffer_chunk_limit 5m
    flush_interval 15s

    # Specifies the buffer plugin to use.
    buffer_type file

    # Specifies the file path for buffer. Fluentd must have write access to this directory.
    buffer_path /var/opt/microsoft/omsagent/scom/state/out_scom_common*.buffer

    # If queue length exceeds the specified limit, events are rejected.
    buffer_queue_limit 10

    # Control the buffer behavior when the queue becomes full: exception, block, drop_oldest_chunk
    buffer_queue_full_action drop_oldest_chunk

    # Number of times Fluentd will attempt to write the chunk if it fails.
    retry_limit 10

    # If the bottom chunk fails to be written out, it will remain in the queue and Fluentd will retry after waiting retry_wait seconds
    retry_wait 30s

    # The retry wait time doubles each time until max_retry_wait.
    max_retry_wait 9m

</match>
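Tag routing is where a log monitoring setup most often silently drops events: a tag that does not match the header above never reaches out_scom. The following is an added example, not code from the page or from Fluentd itself; it re-implements the documented glob rules for `*`, `**` and `{a,b}` in Python and checks which tags the header `scom.log.** scom.event` from the configuration above would route. The tag names it tests are constructed, and near-misses such as scom.logs are included on purpose.

```python
import re


def glob_to_regex(glob):
    """Translate one Fluentd tag glob into a regex fragment (re-implementation of the documented rules).

    *      matches exactly one tag part (no dot)
    **     matches zero or more tag parts, so "scom.log.**" also matches "scom.log" itself
    {a,b}  matches either alternative
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            if out and out[-1] == r"\.":
                out[-1] = r"(?:\..*)?"          # swallow the preceding dot: zero further parts is fine
            else:
                out.append(r".*")
            i += 2
        elif glob[i] == "*":
            out.append(r"[^.]*")
            i += 1
        elif glob[i] == "{":
            j = glob.index("}", i)
            out.append("(?:" + "|".join(glob_to_regex(a) for a in glob[i + 1:j].split(",")) + ")")
            i = j + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def compile_match(header):
    """Compile a <match> header such as "scom.log.** scom.event"; space-separated patterns are OR-ed."""
    alts = "|".join(glob_to_regex(g) for g in header.split())
    return re.compile(r"\A(?:" + alts + r")\Z")


def route(header, tags):
    """Return {tag: True/False} saying which tags the match directive would accept."""
    rx = compile_match(header)
    return {tag: rx.match(tag) is not None for tag in tags}


# Constructed tag names, including near-misses that a loosely chosen glob would wrongly accept.
TAGS = ["scom.log.syslog", "scom.log", "scom.log.app.error", "scom.logs", "scom.event", "scom.alert"]

if __name__ == "__main__":
    for tag, ok in route("scom.log.** scom.event", TAGS).items():
        print(f"{tag:20} -> {'out_scom' if ok else 'dropped'}")
```

Run it against the tag you put in your own source directive before deploying: a source tagged scom.alert, for instance, matches neither pattern of this header and its events are never sent to OMED.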

Note

To disable Server Auth on Linux machines that use Fluentd communication, add the parameter enable_server_auth false to the SCOM output plugin for Fluentd, as in the following example. Disabling it removes the agent's check of the management server it sends events to; keep the default unless you are troubleshooting a certificate problem.

<match scom.log.** scom.event>
type out_scom

max_retry_wait 9m
enable_server_auth false
</match>

Filter

The filter directive has the same syntax as match but allows for more complex filtering of which data to process. Collected events must match the criteria of all filters to be added to the output.

Six filter plugins for log file monitoring are described here. Use one or more of these filters to define the events that you want to collect from your log file.

Simple match: filter_scom_simple_match

Takes up to 20 input patterns. Sends an event to Operations Manager whenever any pattern is matched.

<filter tag>
    type filter_scom_simple_match
    regexp1 <key> <pattern>
    event_id1 <event ID>
    regexp2 <key> <pattern>
    event_id2 <event ID>
    .
    .
    .
    regexp20 <key> <pattern>
    event_id20 <event ID>
</filter>

Exclusive match: filter_scom_excl_match

Takes two input patterns. Sends an event to Operations Manager when a single record matches pattern 1 but does not match pattern 2.

<filter tag>
    type filter_scom_excl_match
    regexp1 <key> <pattern1>
    regexp2 <key> <pattern2>
    event_id <event ID>
</filter>

Repeated correlation: filter_scom_repeated_cor

Takes three inputs: a pattern, a time interval, and a number of occurrences. When a match is found for the pattern, a timer starts. An event is sent to Operations Manager if the pattern is matched the specified number of times before the timer ends.

<filter tag>
    type filter_scom_repeated_cor
    regexp <key> <pattern>
    event_id <event ID>
    time_interval <interval in seconds>
    num_occurences <number of occurrences>
</filter>

Correlated match: filter_scom_cor_match

Takes three inputs: two patterns and a time interval. When a match is found for the first pattern, a timer starts. An event is sent to Operations Manager if there is a match for the second pattern before the timer ends.

<filter tag>
    type filter_scom_cor_match
    regexp1 <key> <pattern1>
    regexp2 <key> <pattern2>
    event_id <event ID>
    time_interval <interval in seconds>
</filter>

Exclusive correlation: filter_scom_excl_correlation

Takes three inputs: two patterns and a time interval. When a match is found for the first pattern, a timer starts. An event is sent to Operations Manager if there is no match for the second pattern before the timer ends.

<filter tag>
    type filter_scom_excl_correlation
    regexp1 <key> <pattern1>
    regexp2 <key> <pattern2>
    event_id <event ID>
    time_interval <interval in seconds>
</filter>

Operations Manager converter: filter_scom_converter

Sends an event to Operations Manager for every record it receives. Sends the specified event ID and description as part of the event.

<filter tag>
    type filter_scom_converter
    event_id <event ID>
    event_desc <event description>
</filter>
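The timer semantics of the five match and correlation filters above (simple match, exclusive match, repeated correlation, correlated match, exclusive correlation) decide what a rule in your management pack will and will not see, and they are easiest to understand by running them over a log. The following is an added example, not code from the page or from the SCOM filter plugins: a Python model of each filter's behaviour as the descriptions state it, fed a constructed sample log. The record format (seconds since start plus the `message` key the source directive's format produces), the event IDs, the intervals, and the assumption that simple match emits one event per matching pattern are all mine.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "event_id time message")   # what a filter hands on (constructed type)

class SimpleMatch:
    """filter_scom_simple_match: an event whenever any pattern matches (assumed: one per matching pattern)."""
    def __init__(self, rules):                  # rules: [(regex, event_id), ...], up to 20 in the plugin
        self.rules = [(re.compile(rx), eid) for rx, eid in rules]
    def feed(self, t, msg):
        return [Event(eid, t, msg) for rx, eid in self.rules if rx.search(msg)]

class ExclMatch:
    """filter_scom_excl_match: the record matches pattern 1 and does not match pattern 2."""
    def __init__(self, p1, p2, event_id):
        self.p1, self.p2, self.eid = re.compile(p1), re.compile(p2), event_id
    def feed(self, t, msg):
        return [Event(self.eid, t, msg)] if self.p1.search(msg) and not self.p2.search(msg) else []

class RepeatedCor:
    """filter_scom_repeated_cor: the pattern matches num times inside time_interval."""
    def __init__(self, pattern, event_id, interval, num):
        self.rx, self.eid, self.interval, self.num = re.compile(pattern), event_id, interval, num
        self.start, self.count = None, 0
    def feed(self, t, msg):
        if not self.rx.search(msg):
            return []
        if self.start is None or t - self.start > self.interval:
            self.start, self.count = t, 0       # first match starts (or restarts) the timer
        self.count += 1
        if self.count < self.num:
            return []
        self.start, self.count = None, 0        # threshold reached: fire and reset
        return [Event(self.eid, t, msg)]

class CorMatch:
    """filter_scom_cor_match: pattern 2 seen within time_interval after pattern 1."""
    def __init__(self, p1, p2, event_id, interval):
        self.p1, self.p2, self.eid, self.interval = re.compile(p1), re.compile(p2), event_id, interval
        self.start = None
    def feed(self, t, msg):
        if self.start is not None and t - self.start > self.interval:
            self.start = None                   # timer ran out without the second pattern
        if self.start is None:
            if self.p1.search(msg):
                self.start = t                  # first pattern starts the timer
            return []
        if self.p2.search(msg):
            self.start = None
            return [Event(self.eid, t, msg)]
        return []

class ExclCorrelation:
    """filter_scom_excl_correlation: pattern 1 NOT followed by pattern 2 inside time_interval."""
    def __init__(self, p1, p2, event_id, interval):
        self.p1, self.p2, self.eid, self.interval = re.compile(p1), re.compile(p2), event_id, interval
        self.start, self.first = None, None
    def flush(self, now):                       # fire if a pending timer expired with no pattern 2 seen
        if self.start is not None and now - self.start > self.interval:
            ev, self.start = Event(self.eid, self.start, self.first), None
            return [ev]
        return []
    def feed(self, t, msg):
        out = self.flush(t)                     # an expired timer fires before this record is examined
        if self.start is None:
            if self.p1.search(msg):
                self.start, self.first = t, msg
        elif self.p2.search(msg):
            self.start = None                   # the expected follow-up arrived in time: cancel
        return out

# Constructed sample log, not captured from a real host: (seconds since start, the `message` key)
SAMPLE_LOG = [
    (0, "sshd[900]: Failed password for user1 from 192.0.2.10"),
    (5, "sshd[900]: Failed password for user1 from 192.0.2.10"),
    (9, "sshd[900]: Failed password for user1 from 192.0.2.10"),
    (20, "sshd[901]: Accepted password for user1 from 192.0.2.10"),
    (30, "backup: job started"),
    (45, "backup: job finished"),
    (100, "backup: job started"),
    (150, "cron: healthcheck ok"),
    (200, "kernel: Out of memory: Kill process 4242 (java)"),
    (201, "kernel: Out of memory: Kill process 4243 (test-harness)"),
]

def run_filters(records):
    """Run every record through one instance of each filter; return the events each would send on."""
    filters = {
        "simple": SimpleMatch([("Failed password", 1001), ("Accepted password", 1002)]),
        "excl": ExclMatch("Out of memory", "test-harness", 2001),
        "repeated": RepeatedCor("Failed password", 3001, interval=30, num=3),
        "cor": CorMatch("Failed password", "Accepted password", 4001, interval=60),
        "excl_cor": ExclCorrelation("backup: job started", "backup: job finished", 5001, interval=60),
    }
    events = {name: [] for name in filters}
    for t, msg in records:
        for name, f in filters.items():
            events[name].extend(f.feed(t, msg))
    events["excl_cor"].extend(filters["excl_cor"].flush(records[-1][0] + 61))  # expire open timers
    return events
```

Two things the run makes visible that the descriptions only imply: the repeated-correlation and correlated-match filters fire once and then reset, so a burst of failures followed by a success produces one event each rather than one per line; and the exclusive-correlation filter can only report a missing follow-up once its timer has expired, which in a real deployment means after a later record (or a flush) arrives, not at the moment the interval elapses.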

Copy the configuration file to the agent

The Fluentd configuration file must be copied to /etc/opt/microsoft/omsagent/scom/conf/omsagent.d on all Linux computers you want to monitor. You must also add an @include directive in the master configuration file, as described above.

Create rules and monitors

The Linux MP does not provide modules to collect events from Fluentd. The Linux MP is bundled with the Linux agent. It is the Fluentd module in the Linux agent and the OMED service on the management and gateway servers that provide the capabilities for enhanced log file monitoring.

You need to create your own management pack with custom rules and monitors that use the module Microsoft.Linux.OMED.EventDataSource, which collects the events from Fluentd.

The following table lists the parameters of Microsoft.Linux.OMED.EventDataSource.

Parameter        Type     Description
ComputerName     String   Required. Specifies the name of the Linux computer whose events are to be read. The ComputerName parameter is most commonly passed to the module by using the $Target notation, although it can be specified as any string. This module attempts to read events generated by the given Linux computer.
ManagedEntityId  String   Required. Specifies the managed entity ID of the monitored entity. The ManagedEntityId parameter is most commonly passed to the module by using $Target\Id$.
EventNumber      Integer  Optional. Indicates the event number of the event to retrieve. If this option is omitted, the module returns all events generated for that computer and managed entity.

Overview of configuration

Log file monitoring requires the following steps; each is detailed in the sections that follow:

  1. Import the latest Linux management pack.
  2. Install the latest version of the Linux agent on each Linux computer to be monitored.
  3. Install the latest OMSAgent on each Linux computer to be monitored.
  4. Create a Fluentd configuration file to collect logs.
  5. Copy the configuration file to the Linux agents.
  6. Create rules and monitors, using the sample management pack, to collect events from the log and create alerts.

Install the log monitoring management pack

In Operations Manager 2019, install the Microsoft.Linux.Log.Monitoring management pack to enable Linux log file monitoring.

Note

If you have the OMS agent configured and you try to uninstall the UNIX and Linux agent from the console, the OMS component is not uninstalled from the agent.

Configure Linux log file monitoring

To configure Linux log file monitoring, do the following:

  1. 使用安裝管理組件的標準程序,匯入最新的 Linux 管理組件。Import the latest Linux management pack using the standard process for installing a management pack.

  2. 在 Linux 伺服器上手動安裝或使用 [探索精靈] 來安裝新的 Linux 代理程式。Install the new Linux agent on the Linux servers manually or by using Discovery wizard.

  3. 在要監視的每部 Linux 電腦上安裝最新 OMSAgent。Install latest OMSAgent on each Linux computer that you want to monitor.

    使用下列命令:use the following commands:

    wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard\_agent.sh
    sh onboard_agent.sh
    
    

    在 Linux 代理程式上執行下列動作:Do the following on the Linux agent:

  4. 在下列路徑中建立資料夾:Create the folders in the following paths:

     - /etc/opt/microsoft/omsagent/scom/conf/omsagent.d
    
     - /etc/opt/microsoft/omsagent/scom/certs
    
     - /var/opt/microsoft/omsagent/scom/log
    
     - /var/opt/microsoft/omsagent/scom/run
    
     - /var/opt/microsoft/omsagent/scom/state
    
     - /var/opt/microsoft/omsagent/scom/tmp
    
     - /home/omsagent/fluent-logging (used for log file position file)
    
  5. 將上述每個路徑的所有權設為 omsagent:omiusersSet ownership of each of the above to omsagent:omiusers

    - <span data-ttu-id="0f86c-123">chown omsagent:omiusers state</span><span class="sxs-lookup"><span data-stu-id="0f86c-123">chown omsagent:omiusers state</span></span>
    
    - <span data-ttu-id="0f86c-124">chown omsagent:omiusers run</span><span class="sxs-lookup"><span data-stu-id="0f86c-124">chown omsagent:omiusers run</span></span>
    
    - <span data-ttu-id="0f86c-125">chown omsagent:omiusers log</span><span class="sxs-lookup"><span data-stu-id="0f86c-125">chown omsagent:omiusers log</span></span>
    
    - <span data-ttu-id="0f86c-126">chown omsagent:omiusers tmp</span><span class="sxs-lookup"><span data-stu-id="0f86c-126">chown omsagent:omiusers tmp</span></span>
    
    - <span data-ttu-id="0f86c-127">chown omsagent:omiusers /home/omsagent/fluent-logging</span><span class="sxs-lookup"><span data-stu-id="0f86c-127">chown omsagent:omiusers /home/omsagent/fluent-logging</span></span>
    
     ![記錄檔監視](../scom/media/log-file-monitoring/log-file-monitoring.png)
    

Enable the OMED service

Enable the OMED service on each management server in the resource pool that manages the Linux agents.

The OMED service collects events from Fluentd and converts them to Operations Manager events. You import a custom management pack, which can generate alerts based on the events received from the Linux servers.

You can enable the OMED service either from the Operations console or manually on the management server or gateway server.

Enable the OMED service from the Operations console

  1. From the Operations console, go to Monitoring > Operations Manager > Management Server > Management Servers State.
  2. Select the management server in the Management Servers State view.
  3. From Tasks, select Health Service Tasks > Enable System Center OMED Server.

Enable the OMED service manually

  1. Click Start, type services.msc in the Start Search box, and then press Enter.
  2. In the details pane, right-click the service System Center Operations Manager External DataSource Service, and then click Properties.
  3. On the General tab, in Startup type, click Automatic, and then click OK.
  4. In the details pane, right-click the service and then click Start.

Generate new client certificate for Fluentd

  1. /opt/microsoft/scx/bin/tools/scxsslconfig -c -g /etc/opt/microsoft/omsagent/scom/certs/

    Note

    The new certificate must be signed by the management server. To do this, copy it to the management server, sign the certificate using scxcertconfig -sign, and copy it back to the Linux agent.

  2. Rename the certificates on the Linux side:

    omi-host-server.domain.pem to scom-cert.pem

    omikey.pem to scom-key.pem

  3. Change ownership of the certificate files:

    chown omsagent:omiusers /etc/opt/microsoft/omsagent/scom/certs/scom-cert.pem

    chown omsagent:omiusers /etc/opt/microsoft/omsagent/scom/certs/scom-key.pem

Create Fluentd configuration file

You configure Fluentd operation using a configuration file. For log monitoring, create a configuration file that includes information such as the source log file name, path and filters to define the data to collect.

The master Fluentd configuration file omsagent.conf is located in /etc/opt/microsoft/omsagent/scom/conf/. You can add log file monitoring configuration directly to this file, but you should create a separate configuration file to better manage the different settings. You then use an @include directive in the master file to include your custom file.

For example, if you created logmonitoring.conf in /etc/opt/microsoft/omsagent/scom/conf/omsagent.d, you would add one of the following lines to the master omsagent.conf file:

#Include all configuration files
@include omsagent.d/*.conf

or

#include single configuration file
@include omsagent.d/logmonitoring.conf

For more information on Fluentd configuration files, see Fluentd Configuration file syntax.

The following sections describe the settings in the different directives of the configuration file that are unique to log file monitoring. Each includes sample settings that you can paste into a configuration file and modify for your requirements.

A complete sample configuration file for log monitoring is available for you to review and evaluate before creating your own.

Source

The Source directive defines the source of the data you're collecting. This is where you define the details of your log file. Fluentd picks up each record written to the source and submits an event for it into Fluentd's routing engine. Specify a tag in this directive. The tag is a string that is used as the directions for Fluentd's internal routing engine to correlate different directives.

The following example shows syslog records collected and tagged for processing by Operations Manager.

<source>

    # Specifies input plugin. Tail is a fluentd input plugin - http://docs.fluentd.org/v0.12/articles/in_tail
    type tail

    # Specify the log file path. Supports wild cards.
    path /var/log/syslog

    # Recommended so that Fluentd will record the position it last read into this file.
    pos_file /home/user1/fluent-test/demo_syslog.log.pos

    # Used to correlate the directives.
    tag scom.log.syslog

    format /(?<message>.*)/

</source>

Filter

The filter directive has the same syntax as match but allows more complex filtering of which data to process. Collected events must match the criteria of all filters to be added to the output.

Six filter plugins for log file monitoring are described here. Use one or more of these filters to define the events that you want to collect from your log file.

Simple match: filter_scom_simple_match

Takes up to 20 input patterns. Sends an event to Operations Manager whenever any pattern is matched.

<filter tag>

    type filter_scom_simple_match
    regexp1 <key> <pattern>
    event_id1 <event ID>
    regexp2 <key> <pattern>
    event_id2 <event ID>
    .
    .
    .
    regexp20 <key> <pattern>
    event_id20 <event ID>
</filter>

Exclusive match: filter_scom_excl_match

Takes two input patterns. Sends an event to Operations Manager when a single record matches pattern 1 but does not match pattern 2.

<filter tag>
    type filter_scom_excl_match
    regexp1 <key> <pattern1>
    regexp2 <key> <pattern2>
    event_id <event ID>
</filter>

Repeated correlation: filter_scom_repeated_cor

Takes three inputs: a pattern, a time interval, and a number of occurrences. When a match is found for the pattern, a timer starts. An event is sent to Operations Manager if the pattern is matched the specified number of times before the timer ends.

<filter tag>
    type filter_scom_repeated_cor
    regexp <key> <pattern>
    event_id <event ID>
    time_interval <interval in seconds>
    num_occurences <number of occurrences>
</filter>

Correlated match: filter_scom_cor_match

Takes three inputs: two patterns and a time interval. When a match is found for the first pattern, a timer starts. An event is sent to Operations Manager if there is a match for the second pattern before the timer ends.

<filter tag>
    type filter_scom_cor_match
    regexp1 <key> <pattern1>
    regexp2 <key> <pattern2>
    event_id <event ID>
    time_interval <interval in seconds>
</filter>

Exclusive correlation: filter_scom_excl_correlation

Takes three inputs: two patterns and a time interval. When a match is found for the first pattern, a timer starts. An event is sent to Operations Manager if there is no match for the second pattern before the timer ends.

<filter tag>
    type filter_scom_excl_correlation
    regexp1 <key> <pattern1>
    regexp2 <key> <pattern2>
    event_id <event ID>
    time_interval <interval in seconds>
</filter>

Operations Manager converter: filter_scom_converter

Sends an event to Operations Manager for every record it receives. Sends the specified event ID and description as part of the event.

<filter tag>
    type filter_scom_converter
    event_id <event ID>
    event_desc <event description>
</filter>
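The three timer-based filters above (filter_scom_repeated_cor, filter_scom_cor_match and filter_scom_excl_correlation) are easiest to reason about as small state machines over a stream of timestamped records. The following Python is an added reference model of their semantics run over constructed syslog-style lines; it is not Microsoft's plugin code, and two details the page does not pin down are assumptions marked in the comments: the match that starts the repeated-correlation timer counts as occurrence 1, and an exclusive-correlation timer is flushed by a supplied end-of-batch clock.

```python
"""Reference model of the three timer-based scom filters (repeated_cor,
cor_match, excl_correlation). Added illustration, not Microsoft's plugin code.
Records are (timestamp_seconds, message); events are (event_id, timestamp)."""
import re

def repeated_cor(records, pat, event_id, interval, num):
    """filter_scom_repeated_cor: the first match starts a timer; emit an event
    when the pattern has matched `num` times before the timer ends.
    Assumed: the starting match is occurrence 1; the timer resets after firing."""
    events, start, count = [], None, 0
    for ts, line in records:
        if not re.search(pat, line):
            continue
        if start is None or ts - start > interval:
            start, count = ts, 0              # start (or restart) the timer
        count += 1
        if count == num:
            events.append((event_id, ts))
            start, count = None, 0
    return events

def cor_match(records, pat1, pat2, event_id, interval):
    """filter_scom_cor_match: pattern1 starts a timer; emit an event if
    pattern2 arrives before the timer ends."""
    events, start = [], None
    for ts, line in records:
        if start is not None and ts - start > interval:
            start = None                      # timer ended without pattern2
        if start is None:
            if re.search(pat1, line):
                start = ts
        elif re.search(pat2, line):
            events.append((event_id, ts))
            start = None
    return events

def excl_correlation(records, pat1, pat2, event_id, interval, now):
    """filter_scom_excl_correlation: pattern1 starts a timer; emit an event if
    pattern2 does NOT arrive before the timer ends. `now` is the clock at the
    end of the batch (assumed) so that a still-pending timer can expire."""
    events, start = [], None
    for ts, line in list(records) + [(now, "")]:  # sentinel flushes the timer
        if start is not None and ts - start > interval:
            events.append((event_id, start))  # stamp of the record that started it
            start = None
        if start is None:
            if line and re.search(pat1, line):
                start = ts
        elif line and re.search(pat2, line):
            start = None                      # pattern2 arrived in time: no event
    return events

# Constructed sample syslog-style records (timestamp_seconds, message); not real logs.
RECORDS = [
    (0, "sshd[101]: Failed password for root from 10.0.0.5"),
    (5, "sshd[101]: Failed password for root from 10.0.0.5"),
    (9, "sshd[101]: Failed password for root from 10.0.0.5"),
    (20, "systemd[1]: Starting nginx"),
    (200, "systemd[1]: Started nginx"),
    (300, "cron[77]: backup job started"),
    (400, "kernel: Out of memory: Kill process 222 (java)"),
]
```

With these records, repeated_cor(RECORDS, r"Failed password", 1004, 10, 3) returns [(1004, 9)] and cor_match(RECORDS, r"Starting nginx", r"Started nginx", 1005, 300) returns [(1005, 200)], while excl_correlation(RECORDS, r"backup job started", r"backup job finished", 1006, 60, 500) returns [(1006, 300)] because no "finished" line arrived within 60 seconds.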

Match

The match directive defines how to process events collected from the source with matching tags. Only events with a tag matching the pattern are sent to the output destination. When multiple patterns are listed inside one match tag, events can match any of the listed patterns. The type parameter specifies the type of plugin to use for these events.

This example processes events with tags matching scom.log.** and scom.alert (** matches zero or more tag parts). It specifies the out_scom plugin, which allows the events to be collected by the Operations Manager management pack.

<match scom.log.** scom.event>

    # Output plugin to use
    type out_scom

    log_level trace
    num_threads 5

    # Size of the buffer chunk. If the top chunk exceeds this limit or the time limit flush_interval,
    # a new empty chunk is pushed to the top of the queue and the bottom chunk is written out.
    buffer_chunk_limit 5m
    flush_interval 15s

    # Specifies the buffer plugin to use.
    buffer_type file

    # Specifies the file path for the buffer. Fluentd must have write access to this directory.
    buffer_path /var/opt/microsoft/omsagent/scom/state/out_scom_common*.buffer

    # If the queue length exceeds the specified limit, events are rejected.
    buffer_queue_limit 10

    # Control the buffer behavior when the queue becomes full: exception, block, drop_oldest_chunk
    buffer_queue_full_action drop_oldest_chunk

    # Number of times Fluentd will attempt to write the chunk if it fails.
    retry_limit 10

    # If the bottom chunk fails to be written out, it will remain in the queue and Fluentd will retry after waiting retry_wait seconds
    retry_wait 30s

    # The retry wait time doubles each time until max_retry_wait.
    max_retry_wait 9m

</match>

Note

To disable server authentication on the Linux computers that use Fluentd communication, add the parameter enable_server_auth false to the Operations Manager output plugin for Fluentd, as in the following:

<match scom.log.** scom.event>
type out_scom

max_retry_wait 9m
enable_server_auth false

</match>

Copy configuration file to agent

The Fluentd configuration file must be copied to /etc/opt/microsoft/omsagent/scom/conf/omsagent.d on all Linux computers you want to monitor. You must also add an @include directive in the master configuration file as described above.

Restart omsagent

/opt/microsoft/omsagent/bin/service_control restart

Note

On the management server running the OMED service, ensure that the firewall is open on port 8886 and that the intermediate certificate authorities certificate store contains only intermediate certificate authorities.

Create rules and monitors

The Linux management pack does not provide modules to collect events from Fluentd; the Linux management pack is bundled with the Linux agent. It is the Fluentd module in the Linux agent, together with the OMED service on the management and gateway servers, that provides the enhanced log file monitoring capabilities.

You need to create your own management pack with custom rules and monitors that use the module Microsoft.Linux.OMED.EventDataSource to collect the events from Fluentd.

The following table lists the parameters of Microsoft.Linux.OMED.EventDataSource.

| Parameter | Type | Description |
|---|---|---|
| ComputerName | String | Required. Specifies the name of the Linux computer for which events are to be read. The ComputerName parameter is most commonly passed to the module by using the $Target notation, although it can be specified as any string. This module attempts to read events generated by the given Linux computer. |
| ManagedEntityId | String | Required. Specifies the managed entity ID of the monitored entity. The ManagedEntityId parameter is most commonly passed to the module by using $Target\Id$. |
| EventNumber | Integer | Optional. Indicates the event number of the event to retrieve. If this option is omitted, the module returns all events generated for that computer and managed entity. |

Next steps