Option to improve CPU usage when using Log File Sensor with Symantec Event collector
Last Updated November 02, 2011
You want to improve the CPU usage of the java.exe process when you are running an Event Collector that uses the Log File Sensor.
A newer option has been added to move or delete files that have been processed. This will reduce the CPU usage of the collector when it is monitoring Dynamic files.
From the sensor release notes: Move/Delete option for files already read by sensor.
The LogFile sensor version 2.42 introduces new properties to allow move/delete for files already read by the sensor. If you don't need this functionality, please skip this paragraph. The property names are preprocess ("Delete/Move Processed Log Files" in the SSIM UI) and ProcessedFileFolder (only available in config.xml).
The property "Delete/Move Processed Log Files" specifies what action is taken after a log file is processed. Possible values are NONE (default), DELETE and MOVE. If NONE is specified, nothing is done. If DELETE is specified, the log file is deleted after processing. If MOVE is selected, the log file is moved after processing to the folder specified in the "ProcessedFileFolder" property. Please note that this property works only if Reading Mode is MonitorDynamicLog.
The property "ProcessedFileFolder" specifies a folder for processed log files (it only makes sense if the value of Delete/Move Processed Log Files is MOVE). If it is not specified, the folder "processed" inside the Log File Directory is used. This folder must be explicitly defined when the property FolderDepthLevel or FolderPattern is specified, and it cannot be nested inside the Log File Directory. This is necessary to prevent repeated processing of log files. It is strongly recommended to place ProcessedFileFolder on the same partition volume as the Log File Directory; otherwise the performance of the sensor can be significantly decreased.
To specify the new properties:
1. In a text editor, edit the config.xml file in the directory of the collector that uses the LogFile Sensor.
   On Windows, this directory is normally C:\Program Files\Symantec\Event Agent\collectors\(collector name)
   On Linux and Solaris, this directory is normally /opt/Symantec/sesa/Agent/collectors/(collector name)
2. Find the <props> tag under the <property> tag.
3. Insert the desired property or properties between the tags <props> and </props>.
4. Specify the desired value.
5. Save and close the file.
6. Restart the Symantec Event Agent.
Sample excerpt of a config.xml:
<property name="props">
  <props>
    ..
    <prop key="preprocess">MOVE</prop>
    <prop key="ProcessedFileFolder">C:\PROCESSED</prop>
    ..
  </props>
</property>
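A check of the two properties against the rules described above, as an added example that is not part of the original article or of Symantec's tooling. It assumes every property is a <prop key="..."> element as in the sample excerpt; the Log File Directory is passed in by the caller, and the sample values (D:\PROCESSED, C:\Logs, a FolderDepthLevel of 2) are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample shaped like the excerpt above; the values are made up.
SAMPLE_CONFIG = r"""<property name="props">
  <props>
    <prop key="FolderDepthLevel">2</prop>
    <prop key="preprocess">MOVE</prop>
    <prop key="ProcessedFileFolder">D:\PROCESSED</prop>
  </props>
</property>"""

def read_props(xml_text):
    """Collect every <prop key="...">value</prop> into a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("key"): (p.text or "").strip() for p in root.iter("prop")}

def check_props(props, log_dir, path=ntpath):
    """Return findings for the move/delete settings.
    log_dir is the sensor's Log File Directory, passed in by the caller.
    path is ntpath for Windows agents, posixpath for Linux/Solaris (where the
    drive comparison is a no-op, since mount points cannot be seen offline).
    """
    findings = []
    action = props.get("preprocess", "NONE").upper()
    if action not in ("NONE", "DELETE", "MOVE"):
        return ["preprocess: expected NONE, DELETE or MOVE, got %r" % action]
    if action != "MOVE":
        return findings          # ProcessedFileFolder only matters for MOVE
    folder = props.get("ProcessedFileFolder", "")
    subfolders = "FolderDepthLevel" in props or "FolderPattern" in props
    if not folder:
        if subfolders:
            findings.append("explicit: set ProcessedFileFolder when "
                            "FolderDepthLevel or FolderPattern is used")
        return findings          # otherwise the default 'processed' applies
    src = path.normcase(path.normpath(log_dir))
    dst = path.normcase(path.normpath(folder))
    if subfolders and (dst == src or dst.startswith(src.rstrip(path.sep) + path.sep)):
        findings.append("nested: ProcessedFileFolder is inside the Log File "
                        "Directory, so moved files may be processed again")
    if path.splitdrive(dst)[0] != path.splitdrive(src)[0]:
        findings.append("volume: ProcessedFileFolder is on a different "
                        "volume, which can slow the sensor")
    return findings

if __name__ == "__main__":
    for finding in check_props(read_props(SAMPLE_CONFIG), r"C:\Logs"):
        print(finding)
```

Run it against the collector's config.xml before restarting the Symantec Event Agent; an empty result means none of the three conditions was found.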
You need to have the June 2011 LiveUpdate Sensor: Version 2.42.
Imported Document ID: TECH173421