Sensors provide a logging option to record a history of their execution. Sensors are evaluated when their related facts update. For example, using the simple policy example, we subscribe to one fact, the counter value.
Every time the counter changes, the sensor is evaluated. If there are multiple facts being monitored, than any time any of them change, the sensor will be evaluated. Inversely, if they are not changing, the sensor is not evaluated.
Log Destination
The logging destinations are setup in the root sensor, where you can configure the database and/or file for logging. The individual sensors refer back to this definition and can only elect to log into it or not. When working with models, you can also refer back to the clone sensor for logging destination.
Logging Properties
Whether the evaluation is logged is controlled on the logging properties tab. There are 2 key options here.
When Exception based logging only is not checked, every sensor evaluation will be logged. When checked, the logging is controlled by the alert tab and only conditions checked there will be logged.
When Do not log during ignore period is checked, than the sensor will not log in the sensor is in an ignore window.
The remainder of the logging setting control whether logging to a file or a database. File logging is good for small log sizes with wrapping enabled. Database tables should be used when capturing a large amount of sensor data over a long period of time. This data can be displayed on the sensor chart to show both the value(s) and the resultant severity. For this sensor, a straight line value growth and a sawtooth for severity.
Sensor log example:
Changing the sensor logic to modulo 4 provides a better example of how that works, The counter will only go into a warning state with every 4 updates instead of every 2. In the example below, you can see the 3 evaluations for success, then one for warning and so on.
Note: sensor logging and alerting are related but are independent.
- A sensor will log every evaluation and an alert will be generated based on its schema. That is, for "change", a single alert is sent when going from success to warning regardless of how many times the sensor is evaluated.
- When using the sensor logs for integration with other systems, it is important to configure them to process the multiple log entries for the same severity,
- With an alert schema of None, no alerts are generated but exception logging is controlled by Alert on severities.
- If no severities are checked and exception based logging is, the sensor will not log anything.
- During an ignore window, the sensor logging may be suppressed but an alert is still generated that will trigger if the condition active at the end of the ignore window