The Error Log Search module allows you to set up specific error log search terms in the dbo.ErrorLogSearch table.  This module automatically gathers any search term matches, and logs them in the Collector.ErrorLog table for alerting or reporting.

NOTE: If you want to be alerted on error log search hits, you must set that up yourself. In future releases, Minion Enerprise may have a generic error log search alert; but for now, feel free to use a scheduled alert, report, or to simply use the collected data ad hoc.

IMPORTANT: SQL Server error logs are simply text files; they aren’t indexable. So, any search on an error log file must (by definition) search the entire file.  It’s possible, then, that you could see some performance lag during error log searches if the SQL Server error log is extremely large.  To minimize this effect, set up a nightly job to cycle the SQL Server error log on every instance, and configure SQL Server to retain 30 days of logs.  This is good log management that we recommend in any case; it has the added benefit here of helping the performance of this process.

IMPORTANT: By default, there is no alert on collected errors. There is no way to determine what one SQL Server shop will be interested in. However, it is a simple matter to set up an automatic alert or email to notify you of important collected items. For example, you could set up a weekly email to summarize all found error log searches for Class=“Security” and Class=“Corruption”. 
 

Tables

Collector.ErrorLog

Holds the collected error log data pulled back from each server.
 
Column Type Description
ID bigint Primary key row identifier.
ExecutionDateTime datetime The execution date and time, common to the run of a collection for a single instance.
InstanceID bigint The instance ID of the instance in question, as defined in the table dbo.Servers.
LogDate datetime The date the entry was logged in the SQL Server error log.
ProcessInfo varchar Identifies the calling process. Example values: Server, Logon, spid54.
Text varchar Text of the error log entry.
LogNumber tinyint The number of the log file read. The current log (at the time of collection) is 0, the next most recent is 1, and so on.
LogType tinyint Log type: SQL error log (1), or SQL Server Agent log (2).
Search1 varchar The search string searched for and found.
Search2 varchar The second string searched for and found. (Note: Search1 and Search2 are ANDed together, if they are both populated.)
BeginDate datetime The date on which the search began.
EndDate datetime The date on which the search ends.
SortOrder Varchar Sort order for the error log search results.
 
Valid values:
ASC
DESC
SearchID Int The ID of the search, as defined in dbo.ErrorLogSearch.
 

dbo.ErrorLogSearch

Holds the searches to run on each instance.
 
Column Type Description
ID bigint Primary key row identifier.
LogNumber tinyint The number of the log file read. The current log (at the time of collection) is 0, the next most recent is 1, and so on.
LogType tinyint Log type: SQL error log (1), or SQL Server Agent log (2).
Class varchar Search class. For your reference only.
Examples: Errors, Integrity, Logins, Startup.
Search1 varchar The string to search for.
Search2 varchar The second string to search for. (Note: Search1 and Search2 are ANDed together, if they are both populated.)
BeginDate datetime The date on which the search begins.
EndDate datetime The date on which the search ends.
SortOrder varchar Sort order for the error log search results.
 
Valid values:
ASC
DESC
IsActive bit Determines whether the current row is active, and should be used.
Comment varchar For your reference only. Label each row with a short description and/or purpose.
 

dbo.ErrorLogSearchServerExceptions

Holds records of servers that have specific error log search term exceptions. If a server doesn’t have an entry here, then it will automatically take part in all the log searches defined in dbo.ErrorLogSearch.
 
Column Type Description
InstanceID bigint The instance ID of the instance in question, as defined in the table dbo.Servers.
SearchID Int The ID of the search, as defined in dbo.ErrorLogSearch.
 
Example: If we have 20 error log searches defined in the dbo.ErrorLogSearch table, but for Server3, we only want to run 5 of the searches.  In this case, our exception server would have 15 entries in this table: one for each search that Server3 should be excepted from:
INSERT  INTO dbo.ErrorLogSearchServerExceptions ( InstanceID , ErrorSearchID )
SELECT  ( SELECT    InstanceID
            FROM      dbo.Servers
            WHERE     ServerName = 'Server3'
        ) AS InstanceID
        , ID AS ErrorSearchID
FROM    dbo.ErrorLogSearch
WHERE   ID NOT IN ( 3, 5, 10, 12, 13 );
/* Error log search EXCEPTIONS are the searches we do not want to run; 
so in this query, omit the searches we WANT to run, i.e., 3, 5, 10, 12, 13. */
 

Stored Procedures

dbo.ErrorLogSearchQuery

The error log search process uses this procedure to determine which servers it should run searches on.  This is where exceptions and exclusions are determined.

Valid error log searches have the following attributes:  
  • Only instances marked IsSQL=1 and IsActive=1 in dbo.Servers will be represented.
  • Only error log search terms marked IsActive=1 in dbo.ErrorLogSearch will be represented.
 
Column Type Description
@GroupType varchar The type of group for which to retreive error log search data.
 
For example, to retrieve active search terms that apply to Gold level servers, set @GroupType to SLA, and @Group to Gold.
 
Valid values:
SLA
Single
@Group varchar The group for which to retreive error log search data.
 
Example: Gold, Silver, Bronze, Server1, MyServer\Inst
 
While this procedure was not designed with manual use in mind, running dbo.ErrorLogSearchQuery by hand does not affect the data or processes in any way. Note that the majority of the SP output comes from dbo.ErrorLogSearch. However, the “LogDate” column denotes the last time this particular search term was found.
 

Views

Collector.ErrorLogCurrent

Provides the most recent collection of error log search results.

Each “Current” view associated with a Collector table contains all (or nearly all) of the columns from the base table, plus a “ViewDesc” description column, and columns from dbo.Servers data:
  • ServerName
  • ServiceLevel
  • Version
  • Edition
  • Descr

Collector.ErrorLogPrevious

Provides the next-to-most recent collection of error log search results.

Each “Previous” view associated with a Collector table contains all (or nearly all) of the columns from the base table, plus a “ViewDesc” description column, and columns from dbo.Servers data:
  • ServerName
  • ServiceLevel
  • Version
  • Edition
  • Descr

Jobs

CollectorErrorLog-GOLD

Calls the executable ErrorLogGet.exe for all servers with ServiceLevel = ‘Gold’, to perform error log searches.
 

CollectorErrorLog-SILVER

Calls the executable ErrorLogGet.exe for all servers with ServiceLevel = ‘Silver’, to perform error log searches.
 

CollectorErrorLog-BRONZE

Calls the executable ErrorLogGet.exe for all servers with ServiceLevel = ‘Bronze’, to perform error log searches.
 

Executables

ErrorLogGet.exe

Perform the error log searches defined in the dbo.ErrorLogSearch table, on the instances determined by the dbo.ErrorLogSearchQuery procedure. Log the results to the Collector.ErrorLog table.

Input parameters:
  • $Query – This parameter refers to the service level that the collector should operate on. Examples: Gold, Silver, Bronze. For more information on this topic, see the article “Executables and Service Levels”.

Example execution:
C:\MinionByMidnightDBA\Collector\ErrorLogGet.exe Gold
 

Setup

To set up an error log search, just insert that search to the dbo.ErrorLogSearch table.  From that time forward, search is now valid for all active, managed SQL Server instances. (You can make exceptions, but we’ll cover that in the next section.)

Take the example of an enterprise-wide search for corruption errors. DBCC CHECKDB detects corruption, and logs it in the SQL Server error logs in the form of Error 823 and Error 824. So we will define one search for 823, and one for 824:
​-- Error log search: Error 823
INSERT INTO dbo.ErrorLogSearch
        ( LogNumber
        , LogType
        , Class
        , Search1
        , Search2
        , BeginDate
        , EndDate
        , SortOrder
        , IsActive
        , Comment
        )
VALUES  ( 0  -- LogNumber
        , 1  -- LogType
        , 'Corruption'  -- Class
        , 'Error: 823'  -- Search1
        , NULL  -- Search2
        , NULL  -- BeginDate
        , NULL  -- EndDate
        , 'DESC'  -- SortOrder
        , 1  -- IsActive
        , 'High priority: Standard corruption search for all servers.'  -- Comment
        );
 
-- Error log search: Error 824
INSERT INTO dbo.ErrorLogSearch
        ( LogNumber
        , LogType
        , Class
        , Search1
        , Search2
        , BeginDate
        , EndDate
        , SortOrder
        , IsActive
        , Comment
        )
VALUES  ( 0  -- LogNumber
        , 1  -- LogType
        , 'Corruption'  -- Class
        , 'Error: 824'  -- Search1
        , NULL  -- Search2
        , NULL  -- BeginDate
        , NULL  -- EndDate
        , 'DESC'  -- SortOrder
        , 1  -- IsActive
        , 'High priority: Standard corruption search for all servers.'  -- Comment
        );
Let’s go over each value of the insert statements. dbo.ErrorLogSearch holds control columns, the xp_readerrorlog parameters, and a couple of columns useful for reporting and documentation:
  • LogNumber – This determines which of the several error logs to search on each instance. 0 is always the current error log, 1 is the next most recent, and so on. For our 823 and 824 search, we definitely want to search the current log. We highly recommend adding a LogNumber=1 search for each of these errors; you never know when a new error log was created, and you don’t want to miss an error this serious.
  • LogType –  LogType = 1 is the SQL Server error log. 2 is the SQL Agent log. We use 1, as corruption errors won’t show up in the Agent log.
  • Class – This is a name you give the search, to categorize them for your own purposes. Logon searches might have a class of “Security”. Here we used “Corruption”.
  • Search1 –  The first search criteria. The collector looks for this exact string within the specified error log.
  • Search2 –  The second search criteria. These are ANDed together. We could have specified Search1 = “Error”, and Search2 = “823”, which would return all entries with both “Error” and “823”. While that would get us all the corruption errors, it would also return any Error that happened to have the number “823” within the string. So, we search for “Error: 823”, as it will appear in the error log, and leave Search2 NULL.
  • BeginDate –  This is the earliest date to log collected error log search results for an instance. In our example, we are searching only the SQL Server error log, and we set the BeginDate NULL, meaning ME would return all found instances of the error within the current error log. If we set BeginDate to one week ago, ME would only log errors found in the current log that are dated within the last 7 days. Note that this only applies to the first time the search (collection) runs for a given instance. Subsequent collections use the most recent date for that instance in the Collector.ErrorLog table.
  • EndDate –  This is the latest date to log collected error log search results for an instance. Both BeginDate and EndDate are meant to be used for targeted searches (where you want to examine a specific date range). For long term searches, both values should be NULL.
  • SortOrder –  Valid values are ASC and DESC.  This orders the error log search results coming from the servers.
  • IsActive – You can turn searches on or off using IsActive. This is a great way to keep a list of searches and only use certain ones every now and then.
  • Comment –  A description of the search, for your own use.
IMPORTANT: By default, there is no alert on collected errors. There is no way to determine what one SQL Server shop will be interested in. However, it is a simple matter to set up an automatic alert or email to notify you of important collected items. For example, you could set up a weekly email to summarize all found error log searches for Class=“Security” and Class=“Corruption”. 

A note on performance

SQL Server error logs are simply text files; they aren’t indexable. So, any search on an error log file must (by definition) search the entire file.  It’s possible, then, that you could see some performance lag during error log searches if the SQL Server error log is extremely large. 

To minimize this effect, set up a nightly job to cycle the SQL Server error log on every instance, and configure SQL Server to retain 30 days of logs.  This is good log management that we recommend in any case; it has the added benefit here of helping the performance of this process.

Except or disable log searches

To exempt (or except) a server from one or more specific error log searches, insert a row for the server-error search pari, to the dbo.ErrorLogSearchServerExceptions table:

INSERT INTO dbo.ErrorLogSearchServerExceptions ( InstanceID, ErrorSearchID )
VALUES  ( 9, 2 );
 

The dbo.CollectionExceptionsServer table allows you to turn off a single collection (module) for a particular instance. So, to turn off error log searches for an entire server, insert a row into dbo.CollectionExceptionsServer for that particular instance, using “Collector.ErrorLog” as the CollectionName:

INSERT INTO dbo.CollectionExceptionsServer ( InstanceID, CollectionName )
VALUES  ( 11 , 'Collector.ErrorLog' );
 

An example: We have 10 error log searches defined in the dbo.ErrorLogSearch table, and we only wants to run 3 of those seraches on Svr9.  So, we should insret 7 rows to dbo.ErrorLogSearchServerExceptions: one for each search that should NOT run for Svr9:

INSERT INTO dbo.ErrorLogSearchServerExceptions ( InstanceID, ErrorSearchID )
VALUES  ( 9, 2 ),
                ( 9, 3 ),
                ( 9, 4 ),
                ( 9, 7 ),
                ( 9, 8 ),
                ( 9, 9 ),
                ( 9, 10 );
 

Furthermore, Svr20 should never be searched for any errors. So, insert a row for Svr20 to the dbo.CollectionExceptionsServer table:

INSERT INTO dbo.CollectionExceptionsServer ( InstanceID, CollectionName )
VALUES  ( 20 , 'Collector.ErrorLog' );
 
https://minionware.desk.com/customer/portal/articles/2378789-error-log-search-module
http://www.MinionWare.net