IBM Enterprise Console Manual Download Page 121 | Manualshive

Page: 121 / 194

background image

hour. You can edit this rule to change the time or the list of classes. Refer to the
IBM Tivoli Enterprise Console Rule Builder’s Guide for information about editing
rules.
– Logfile_Amd
– Logfile_Cron
– Logfile_Oserv
– Logfile_Date_Set

The event server also comes with some additional rules that you can install. The
$BINDIR/TME/TEC/contrib/rules/security

directory contains the

security_default.rls

file, which provides the following behavior to the event server:

v

When a host reports a repeated login failure attempt at least two times in a row,
e-mail is sent to the e-mail alias tec_security notifying the administrators of the
attempted security breach. (The tec_security alias must be added to the e-mail
alias file before the messages can be delivered.)

v

A rule is included that closes the following event classes after one hour:
– Repeated_Login_Failure
– Repeated_Login_Failure_From
– Root_Login_Success_From

Troubleshooting the UNIX Log File Adapter

Perform the following steps to troubleshoot the UNIX log file adapter:

1.

Stop any UNIX log file adapters that are currently running:

init.tecad_logfile stop

2.

Start the adapter in debug mode.

init.tecad_logfile

-

d start

3.

Generate some messages to determine if the adapter receives them. You can
send e-mail, perform an su, or perform any action that results in a write to
syslog. Alternatively, you can use the logger program to generate messages:

logger

-

t oserv

-

i execve failed: path: errno 13

This generates an Oserv_Exec_Failed event. The message written by logger
should match one of the format specifications in the tecad_logfile.fmt file.

4.

When events arrive, the adapter prints messages to the screen indicating the
class and the attribute values in the class.

matched CREATED_PROFILE_MANAGER name is ’Profile1’’

If you do not see any messages, the adapter is not receiving events from the
log file.

Verify that the syslogd daemon is running and is writing any new messages to
the system log files in /var/adm or its equivalent, or to the system console,
depending on how syslog.conf has been configured to write out messages. For
testing purposes, you can temporarily add the following line to syslog.conf:

*.info <Tab> <filename>

This allows all messages to be written to a file so you can see what messages
have arrived. This file grows large quickly, so make this a temporary change
only. You need to HUP the syslogd daemon each time you change syslog.conf
to put these changes into effect.

Chapter 9. UNIX Log File Adapter

109

«
...
119
120
121
122
123
...
»

Summary of Contents for Enterprise Console

Page 1: ...IBM Tivoli Enterprise Console Adapters Guide V ersion 3 8 GC32 0668 01...

Page 2: ......

Page 3: ...IBM Tivoli Enterprise Console Adapters Guide V ersion 3 8 GC32 0668 01...

Page 4: ...ion 3 release 8 of IBM Tivoli Enterprise Console product number 5698 TEC and to all subsequent releases and modifications until otherwise indicated in new editions Copyright International Business Mac...

Page 5: ...pter 2 AS 400 Alert Adapter 23 Adapter Files 23 Configuration File 24 Class Definition Statement File 25 SELECT Statement Example 25 FETCH Statement Example 25 Keywords 25 Configuring the AS 400 Alert...

Page 6: ...Error File 85 Starting and Stopping the Adapter 85 Cold Start 86 Warm Start 86 Stopping the Adapter 86 Events Listing 86 Event Class Structure 86 Rules Listing 88 SNMP Traps 88 Generic Traps 88 Enterp...

Page 7: ...File Example 147 Windows NT Example 149 Mappings 149 Additional Mapping Considerations 151 Activating Changes Made with a Format File 153 Generating a New Class Definition Statement File for a TME Ada...

Page 8: ...vi IBM Tivoli Enterprise Console Adapters Guide...

Page 9: ...ttributes adapter architecture and adapter files v The following chapters provide information about how to configure and use each adapter Chapter 2 AS 400 Alert Adapter Chapter 3 AS 400 Message Adapte...

Page 10: ...lation and automated event management v IBM Tivoli Enterprise Console User s Guide GC32 0667 Discusses how to plan for and configure your event database environment and describes components roles and...

Page 11: ...etter sized page are printed on the paper that you are using Providing Feedback about Publications If you have comments or suggestions about Tivoli products and documentation send an e mail to pubs ti...

Page 12: ...d system messages appear in a monospace font Operating System dependent Variables and Paths This book uses the UNIX convention for specifying environment variables and for directory notation When usin...

Page 13: ...s A source is an application for example a database or system resource for example an NFS server When an adapter detects an event generated from a source generally called a raw event it formats the ev...

Page 14: ...rently supported for an endpoint are the following v UNIX log file v OS 2 v SNMP v Microsoft Windows event log v Windows NT event log You configure these adapters to send their events to specific prim...

Page 15: ...TME adapters a managed node must also be configured as an endpoint to send events to the event server How Events Get to the Event Server From a Non TME Adapter A non TME adapter sends events directly...

Page 16: ...lasses format this information into attributes and send this information to the event server The event server then processes this information Event classes are a classification of events do not confus...

Page 17: ...event_handle and server_handle attributes duration For closed events the age in seconds of the event from when it was received by the event server until it was closed For all non closed events the va...

Page 18: ...2 3 where chair The rule engine identifier 1 The server number 12121212 The event reception ID in server 1 3 The event handle for the event in server 1 severity The severity of the event The database...

Page 19: ...nt This status is assigned a rule language predicate It is not available from an event console The database stores the status as a number This mapping is defined in the root baroc rule base file and i...

Page 20: ...oli Management Framework Release Notes Cache File Events are written to the cache file using a circular method when the cache file has reached the size limit set by BufEvtMaxSize the next new event is...

Page 21: ...naged node BINDIR TME TEC adapters etc or etc Tivoli tecad etc which is a link to the TME adapter directory Endpoint LCFROOT bin INTERP TME TEC adapters etc or etc Tivoli tecad etc which is a link to...

Page 22: ...ifies the full path name of the adapter cache file On endpoint adapters the BufEvtPath keyword uses the TIVOLIHOME variable to resolve file location and drive letter differences over different environ...

Page 23: ...onal FilterCache Works with the FilterMode and Filter keywords to determine which events are stored in the cache when events cannot be sent successfully to the event server To store events in the cach...

Page 24: ...oes not exist at the beginning of the event data The default value for this option is NO Pre37Server Specifies whether the adapter is to send its events in the encoding of the event server host or in...

Page 25: ...d in the order specified when the primary server is down For endpoint adapters secondary event servers if any are defined in the IBM Tivoli Enterprise Console gateway configuration file Only specify a...

Page 26: ...rd to case The default is NO The TestMode keyword is optional Event Filtering Normally an adapter sends all events to the event server You can optionally specify events that can or cannot be sent to t...

Page 27: ...fferent adapters Adapter Example AS 400 Alert The following entry matches all events of the SNA_Equipment_Malfunction class from the origin 1 2 3 4 Filter Class SNA_Equipment_Malfunction origin 1 2 3...

Page 28: ...Su_Success origin 126 32 2 14 OpenView The following entry matches all events of the OV_Message class from the origin 126 32 2 14 FilterCache Class OV_Message origin 126 32 2 14 Windows NT The followi...

Page 29: ...em implementations might report the file system full error in different formats As a result you might need to match different messages to the same or different event classes This type of matching is d...

Page 30: ...is changed in a CDS file the corresponding event class definition in the BAROC file might need changing as well Event definition content and syntax are discussed in the IBM Tivoli Enterprise Console...

Page 31: ...ns in the error file allow you to configure tracing options for an adapter An error file usually has an extension of err see each specific adapter chapter for exact file names An error file is located...

Page 32: ...support for a predefined set of events The set of files is composed of the following files v BAROC file v CDS file v For the adapters on NetWare OS 2 UNIX Windows and Windows NT format file By modifyi...

Page 33: ...e rules to see if the event was dropped See the IBM Tivoli Enterprise Console Reference Manual for more information about wtdumprl 4 Check the cache files to see if the event was cached Managed Node A...

Page 34: ...rify that all communications among the event server Tivoli Management Framework gateway and endpoint are working 5 Source the endpoint environment then use the endpoint wpostemsg command from the syst...

Page 35: ...s can be running at the same time each monitoring a different filter A few of the benefits are as follows v Consolidates alert monitoring v Integrates with existing AS 400 alert filters already define...

Page 36: ...e configuration file is ALERT AdapterCdsFile Specifies the CDS file to be used for the AS 400 alert adapter This file can reside in either the QSYS or IFS name space but the path must be specified in...

Page 37: ...The CDS file defines how events are constructed from information sent by the AS 400 alert adapter It is described in detail in Class Definition Statement File on page 18 SELECT Statement Example SELE...

Page 38: ...ted INCIDENT_CORREL Alert correlation data from alert subvector x 4A MSG The alert code point text and the first probable cause text for the alert ORIGIN The hierarchy list of the alert origin PRODUCT...

Page 39: ...brary name TYPE STD MAXLEN 592 FORCE NO SEQ FIFO Note If the data queue is not created per the previous specifications the adapter will not start Also if the AS 400 alert adapter is not running the sy...

Page 40: ...r AUT USE GRTOBJAUT OBJ QSYS QNMDRGFN OBJECTYPE PGM USER user AUT USE Arguments EVTADP name Specifies a name for the adapter being started This name is used on the ENDTECADP AS 400 command It can be a...

Page 41: ...pter The AS 400 adapter includes the ENDTECADP command that enables you to stop adapters individually or to stop all started adapters The command is described on the following pages Chapter 2 AS 400 A...

Page 42: ...ame matches the name specified on the STRTECADP command ALL If ALL is specified then all adapters of all types are stopped OPTION Specifies the way the adapter stops The following options can be speci...

Page 43: ...the adapter name ALERTADP ENDTECADP EVTADP ALERTADP The following command stops the AS 400 alert adapter started with the adapter name MYCFG in a controlled manner with a delay time of 60 seconds ENDT...

Page 44: ...h this product Event Class Default Event Severity AS400_TEC_ALERT_ADAPTER based on AS 400 alert type SNA_Event CRITICAL SNA_1xxx_Hardware CRITICAL SNA_Equipment_Malfunction CRITICAL SNA_Input_Device_E...

Page 45: ...r_Customization_Error CRITICAL SNA_Specification CRITICAL SNA_9xxx_Intervention_Required CRITICAL SNA_Operator_Intervention_Required CRITICAL SNA_Stock_Low CRITICAL SNA_Stock_Exhausted CRITICAL SNA_De...

Page 46: ...Troubleshooting the AS 400 Adapter If a problem occurs with the AS 400 adapter you can perform problem determination by investigating the job the adapter is running in Each time you start an AS 400 a...

Page 47: ...the AS 400 system Use the following commands to do this ADDTCPHTE INTNETADR event server protocol address HOSTNAME event server host name TEXT Tivoli Enterprise Console event server ADDTCPHTE INTNETA...

Page 48: ...E QSYS LIB QUSRSYS LIB CFG_ALERT FILE ALRCFG MBR MONMSG MSGID CPF0000 DONE RETURN CHGVAR VAR CPYR VALUE CPYR ENDPGM 3 Create the program and put it in the QSYS library CRTCLPGM PGM QSYS program name S...

Page 49: ...llows AdapterCdsFile QSYS LIB QUSRSYS LIB MYFILE FILE MYCFG MBR Filter mylib myfilter FilterDataQueue mylib mydtaqueue 3 Update the CDS and the BAROC files to include any new classes and filters 4 Upd...

Page 50: ...verity m message slot_name value class source Note There cannot be a space between the option letter and the option value Examples Call QTMETECA POSTEMSG PARM Sserver_name rHARMLESS m This is a messag...

Page 51: ...AS 400 message adapters can be running at the same time One AS 400 message adapter can monitor the system operator message queue while another is monitoring an application message queue A few of the b...

Page 52: ...SRSYS LIB CFG_MSG FILE MSGCDS MBR BufEvtPath Specifies the path and name of the buffer file for the AS 400 message adapter The default path is etc Tivoli tec and the default buffer file name is the va...

Page 53: ...RSYS LIB CFG_MSG FILE MSGCDS MBR defines how events are constructed from information sent by the AS 400 message adapter It is described in detail in Class Definition Statement File on page 18 SELECT S...

Page 54: ...the data converted to was 65535 2 No conversion occurred because you did not supply enough space for the data 3 The data was converted to the CCSID specified using the best fit conversion tables 4 A...

Page 55: ...RITY Specifies the severity A two digit value ranging from 0 through 99 The higher the value the more severe or important the condition MSG_TYPE The message type of the message received The possible v...

Page 56: ...essage help 3 The message or message help text was converted to the CCSID specified using the best fit conversion tables 4 A conversion error occurred using the best fit conversion tables so a default...

Page 57: ...Starting the Adapter The AS 400 message adapter includes the STRTECADP command that enables you to start an adapter The command is described on the following pages Chapter 3 AS 400 Message Adapter 45...

Page 58: ...S 400 command It can be any valid AS 400 job name however each adapter running on the AS 400 system must have a unique name CFGFILE filename Specifies the full path name of the configuration file in I...

Page 59: ...ter The AS 400 adapter includes the ENDTECADP command that enables you to stop adapters individually or to stop all started adapters The command is described on the following pages Chapter 3 AS 400 Me...

Page 60: ...me specified on the Start TEC Event Adapter command ALL If ALL is specified then all adapters of all types are stopped OPTION Specifies the way the adapter stops The following options can be specified...

Page 61: ...o monitor the QSYSOPR message queue ENDTECADP EVTADP SYSOPR The following command stops the AS 400 message adapter started with the adapter name MYAPP in a controlled manner that was set up to monitor...

Page 62: ...group filters source AS400_MSGQ sub_source Fully qualified message queue name origin Protocol address of the system hostname Name of the system from the host name table date Date and time the message...

Page 63: ...ing sent to an event server is created with a record length of 240 bytes if it does not exist Because an event written to this file does not wrap to a new line if it is longer than 240 bytes it is tru...

Page 64: ...iption that calls the previous program and use QSYSNOMAX as the Job Queue CRTJOBD JOBD QGPL STARTADP JOBQ QSYSNOMAX TEXT Start TEC adapter after IPL RQSDTA CALL QGPL STRADPCL 3 Add an auto start job e...

Page 65: ...e the configuration file perform the following steps 1 Copy the adapter files using the following commands CPYF FROMFILE QUSRSYS CFG_MSG TOFILE QUSRSYS MYFILE FROMMBR ALL TOMBR FROMMBR CRTFILE YES 2 U...

Page 66: ...54 IBM Tivoli Enterprise Console Adapters Guide...

Page 67: ...ile and forwards them to the event server for further processing The NetWare log file adapter can run silently without its own screen or it can run in the debugging mode that displays screen messages...

Page 68: ...be separated by commas Locus Specifies the NetWare defined locus You can specify up to 16 loci Multiple loci must be separated by commas Class Specifies the NetWare defined class You can specify up to...

Page 69: ...PreFilter statement are sent PreFilterMode IN or ignored PreFilterMode OUT Valid values are IN in OUT or out The default is OUT The PreFilterMode keyword is optional if PreFilterMode is not specified...

Page 70: ...mple hierarchy The adapter fills in the following attribute default values as shown in the following table The attributes are used in event group filters Attribute Default Value source NW4 sub_source...

Page 71: ...etWare Definition 0 Unknown 1 Memory 2 File system 3 Disks 4 Lanboards 5 Comstacks 7 TTS 8 Bindery 9 Station 10 Router 11 Locks 12 Kernel 13 UPS 14 Service Protocol 15 SFTIII 16 Resource Tracking 17 N...

Page 72: ...Default Severity NW4_Base UNKNOWN NW4_SysLog_Base UNKNOWN NW4_ClassUnknown UNKNOWN NW4_OutOfResource UNKNOWN NW4_TempSituation UNKNOWN NW4_AuthorizationFailure UNKNOWN NW4_InternalError UNKNOWN NW4_Ha...

Page 73: ...UNKNOWN NW4_AppMessage UNKNOWN NW4_NLM_Loading UNKNOWN NW4_NLM_Unloaded UNKNOWN NW4_NLM_NotLoaded UNKNOWN NW4_Abend UNKNOWN TECADNW4 NLM The NLM tecadnw4 nlm is the NetWare log file adapter The comman...

Page 74: ...on file SYS ETC TIVOLI TECAD ETC TECADNW4 CNF is used d Shows verbose diagnostic information in the NLM screen as events are gathered and transmitted Press the Alt Esc or Ctl Esc keys to switch to oth...

Page 75: ...n process 5 Check the adapter configuration file to verify that ServerLocation and ServerPort are properly defined If the event class appears in any filter entry in the configuration file and FilterMo...

Page 76: ...64 IBM Tivoli Enterprise Console Adapters Guide...

Page 77: ...eceives events from the ovtrapd process and forwards the specified events to the appropriate registered applications such as the OpenView adapter The OpenView adapter must run as a well behaved daemon...

Page 78: ...me of the specifics for OpenView events 1 Descr ObjId Type OpenView Source ID number 1 3 6 1 4 1 11 2 17 2 1 0 INTEGER 2 Descr ObjId Type OpenView Source Name 1 3 6 1 4 1 11 2 17 2 2 0 OCTET_STRING 3...

Page 79: ...meter when calling the OVsnmpEventOpen API If you have NNM 6 and HPOVFilter is not specified or is commented out the adapter receives all events by default For more information about HPOVFilter see Co...

Page 80: ...OV_Message specific trap number 58916872 v OV_Popup_Message specific trap number 58916873 v OV_Bell_Message specific trap number 58916874 v OV_Highlight_Source specific trap number 58916875 An example...

Page 81: ...circuit event tracing for a stream named PairWise ecsmgr log_events circuit PairWise on Event Correlation Example The following event passes through circuits named PairWise and ConnectorDown When the...

Page 82: ...registration file This file is generated by the installation configuration script and placed in the OV_LRF directory For UNIX the directory is usually etc opt OV share lrf For Microsoft Windows NT th...

Page 83: ...or HPOVFilter to make sure that the value was entered correctly or to see the errors generated by it See the manual page for OVsnmpEventOpen for details on HPOVFilter and the filter parameter WellBeha...

Page 84: ..._VARS Specifies the number of elements in VARBIND ADAPTER_HOST The name of the host machine where the adapter runs The following example shows how you can use the keywords FETCH 1 IPNAME SOURCE_ADDR S...

Page 85: ...file as needed and save it 3 Register the change with NNM by using OV_BIN ovaddobj OV_LRF tecad_hpov lrf 4 Restart the adapter If the tecad_hpov lrf file has errors the adapter might not start success...

Page 86: ...in event group filters source HPOV sub_source NET origin hostIPaddress where the event originated hostname hostname where the event originated adapter_host Host on which the adapter runs forwarding_a...

Page 87: ...OV_No_SNMP_Reply CRITICAL OV_Node_Added WARNING OV_Node_Deleted WARNING OV_Node_Fault FATAL OV_Node_Down WARNING OV_Node_Marginal WARNING OV_Node_Flags_Chg WARNING OV_Object_ID_Chg MINOR OV_Phys_Addr...

Page 88: ...V_Network_IPAddrChg WARNING OV_Network_Name_Chg WARNING OV_Network_SubMskChg WARNING OV_Network_Unknown WARNING OV_Node_SupportsSNMP WARNING OV_Node_Unknown WARNING OV_Segment_Unknown WARNING OV_Trap_...

Page 89: ...OpenView adapter 1 Make sure that the tecad_hpov lrf entry is correct and has been registered with OpenView using the ovaddobj command 2 If the adapter does not start look for errors in the lrf oid an...

Page 90: ...78 IBM Tivoli Enterprise Console Adapters Guide...

Page 91: ...ow to configure and start the OS 2 adapter Adapter Files The OS 2 adapter package consists of the following files readme The readme file tecadcfg cmd The startup configuration script tecadini sh The s...

Page 92: ...tions in this file and when a match succeeds the corresponding IBM Tivoli Enterprise Console event is generated by the adapter The format file contains predefined mappings for some common OS 2 events...

Page 93: ...ents and to determine if you want to make any changes The events are defined in the BAROC file See the IBM Tivoli Enterprise Console Rule Builder s Guide for more information about customizing a BAROC...

Page 94: ...lter entry in the configuration file the event is not sent to the server The administrator who started the adapter must have the required roles if running the TME version of the adapter For a TME adap...

Page 95: ...ng Messages Format Messages received on the udp 162 socket consist only of SNMP Trap PDUs as defined in RFC 1157 SNMPv1 Other types of messages are discarded Server Configuration Since the SNMP trap a...

Page 96: ...ed from information sent by SNMP It is described in detail in Class Definition Statement File on page 18 and in Appendix C Class Definition Statement File Reference on page 155 SNMP Event Example CLAS...

Page 97: ...file maps object identifiers used by SNMP to names No changes are necessary before the adapter is run Each line of this file has the following form name object identifier For example sysUpTime 1 3 6...

Page 98: ...prise Console User s Guide for additional information Manually stop the adapter on the endpoint with the following command init tecad_snmp stop Events Listing The following table shows the class names...

Page 99: ...r_Loss CRITICAL EGP_Neighbor_Loss_Cisco WARNING Specific_SNMP_Trap WARNING CBT_Trap WARNING Port_Segmenting_CBT WARNING Port_Link_Down_CBT WARNING Source_Address_New_CBT WARNING Source_Address_Timeout...

Page 100: ...n a Cisco router issues an Authentication_Failure trap it provides an additional variable in the varbind list that gives the protocol address of the device sending the badly authenticated SNMP request...

Page 101: ...ortCollisionThresholdExceeded 277 PortTypeChanged 278 LockSTATUSChanged 279 PortSecurityViolation 280 PortViolationReset 281 EnvTempWarm 282 EnvTempHot 283 EnvVoltageLow Creating a New SNMP Trap Event...

Page 102: ...R lanalert agent 51 Agent independent Data LANAlert alerts are assigned one of five priorities from 1 highest through 5 lowest The following values are used for the specific trap field of AFG Trap pro...

Page 103: ...CT TYPE SYNTAX OCTET STRING SIZE 12 ACCESS not accessible STATUS optional DESCRIPTION The IPX network address of a node lanalert data 7 nodeAddressAppleTalk OBJECT TYPE SYNTAX OCTET STRING SIZE 4 ACCE...

Page 104: ...nagementServerName 4 ATTR nodeName 5 ATTR eventID 6 ATTR alertText MAP managementServerName V3 nodeName V4 eventID V5 alertText V6 msg PRINTF The LANAlert File Server Agent on s has set a priority 1 a...

Page 105: ...NES source default LANA sub_source default NET severity default WARNING trapTime INT32 specificTrap INT32 managementServerName STRING nodeName STRING eventID INT32 alertText STRING END TEC_CLASS lanal...

Page 106: ...esses such as SNMP or ovtrapd already listening on port 162 Use netstat a grep 162 to see if this port is in use The first process to start up gets the port and the other processes that follow never r...

Page 107: ...Get Sent to the Event Server on page 1 for an overview of the IBM Tivoli Enterprise Console gateway referred to in the rest of this chapter as the gateway Controlling Event Traffic at the Gateway At...

Page 108: ...keyword Any events above the value specified for the EventSendThreshold keyword are stored in the cache on the gateway To regulate the number of events being sent to the event server the BufferFlushR...

Page 109: ...t server average rate gateway A events gateway B events EventSendThreshold adjusted send rate for gateway gateway A gateway B BufferFlushRate BufferFlushRate event server peak rate Additionally you ca...

Page 110: ..._cache EventServer tmr central More than one buffer file might be created at the gateway depending on how many event server locations are configured by the adapters sending events For each different s...

Page 111: ...efore connecting to a secondary server While the gateway is waiting for the expiration of this interval new events continue to be received by the gateway and are buffered in memory and cached to disk...

Page 112: ...vent Note that if you are forwarding events to a Tivoli Availability Intermediate Manager you cannot specify zero 0 as the port because the Tivoli Availability Intermediate Manager does not register i...

Page 113: ...et file must be imported into a rule base and then compiled This rule base must then be loaded and made the active rule base See the IBM Tivoli Enterprise Console Rule Builder s Guide for additional i...

Page 114: ...s the following init tecad_logfile s start stop AdapterID If the s flag skip syslog is specified the adapter does not monitor the syslogd daemon If the s flag is not specified use so that the command...

Page 115: ...u want from the adapter Configuration File The configuration file defines the behavior of the adapter The configuration file can have the common keywords described in Configuration File on page 9 as w...

Page 116: ...nce on page 155 Error File The error file is described in detail in Error File on page 19 Events Listing The following table shows the class names and severities of all events defined for the UNIX log...

Page 117: ...file_Getty WARNING Logfile_Halt WARNING Logfile_Idi HARMLESS Logfile_Inetd WARNING Logfile_Init WARNING Logfile_Innd WARNING Logfile_Kernel WARNING File_Write_Error MINOR File_System_Full MINOR NFS_Wr...

Page 118: ...y WARNING Oserv_Tmgr WARNING Oserv_Event_Method_Failed MINOR Logfile_Passwd WARNING Logfile_Pcnfsd WARNING Logfile_Printer WARNING Printer_Connection_Abort WARNING Printer_Error_Cleared HARMLESS Print...

Page 119: ...ARNING Logfile_Telnetd WARNING Logfile_Tftpd WARNING Logfile_Xntpd WARNING Xntpd_Clock_Reset WARNING Xntpd_Ntpdate WARNING Logfile_YP HARMLESS Logfile_Ypbind WARNING Logfile_Ypchfn WARNING Logfile_Ypc...

Page 120: ...int alias must be added to the e mail alias file before the messages can be delivered Printer_Paper_Out Printer_Toner_Low Printer_Offline Printer_Output_Full Printer_Paper_Jam Printer_Door_Open v When...

Page 121: ...mode init tecad_logfile d start 3 Generate some messages to determine if the adapter receives them You can send e mail perform an su or perform any action that results in a write to syslog Alternativ...

Page 122: ...he TME version of the adapter For a TME adapter running the odstat command can offer some clues as to what failed 6 If the reception log has a PARSING_FAILED error the BAROC definition of the class do...

Page 123: ...rity DNS server File Replication service and Directory service logs whether the Windows event log adapter is running continuously or is restarted You can alter this behavior using the appropriate swit...

Page 124: ...the same as the ManagedNode name which is case sensitive of the host where the event originated You must take this into consideration if you run tasks or programs from the IBM Tivoli Enterprise Consol...

Page 125: ...default value is 120 seconds PreFilter Specifies how events in a Windows event log are filtered before adapter processing PreFilter statements are used by PreFilterMode when determining which events a...

Page 126: ...s optional if PreFilterMode is not specified only events that do not match any PreFilter statements are sent to the adapter Note If you set PreFilterMode IN make sure you have one or more PreFilter st...

Page 127: ...s so only those events that are of importance to administrators are processed by the adapter This type of filtering is called prefiltering because it specifies selection criteria based on the raw Wind...

Page 128: ...on Windows events and can be customized to add any new messages A Windows event is written to an ASCII message in the following sequence v The date expressed as month day time and year v The event cat...

Page 129: ...ssed event 1 923673952 To prevent this stop the adapter and then make the necessary registry changes When you restart the adapter a consistency check updates the registry entry for the appropriate var...

Page 130: ...ding event identified by the value of the FileReplicationEventsProcessed variable PollingInterval The adapter polls the Windows event logs for new events at intervals when it does not receive any even...

Page 131: ...ows event log adapter attempts to send an event If the amount of free memory is extremely low the Windows event log adapter returns to a suspended state until more memory is available which prevents t...

Page 132: ...dapter For example you can start and stop the adapter using Windows Control Panel Services You can also manually start the adapter from the command line with the following command net start TECWinAdap...

Page 133: ...ng WARNING NT_Service_Start WARNING NT_Service_Stop WARNING NT_Out_Of_Paper WARNING NT_Printer_Out_Of_Paper WARNING NT_Low_Virtual_Memory WARNING NT_Security_Db_Not_In_Sync WARNING NT_Registry_Bad_DB...

Page 134: ...Timeserv_Failed_5 NT_Timeserv_Failed_6 NT_License_Service_No_License_Available NT_License_Service_Out_Of_Licenses NT_Restore NT_Backup NT_Replicator_Did_Not_Send_Update NT_Replicator_System_Error NT_R...

Page 135: ...ror NT_Table_Reached_Maximum_Size NT_Handle_Closed NT_Object_Open NT_Audit_Policy_Change NT_Duplicate_Name WARNING tecad_win Command The Windows event log adapter includes the tecad_win command which...

Page 136: ...ation file otherwise one of the appropriate directories specified in File Location on page 9 is used d Shows debug information as events are gathered and transmitted This argument also selects a verbo...

Page 137: ...hat the FTP server has registered as a trusted login process If you do not see this message run the Windows User Manager application located in the Administrative Tools folder select Audit from the Po...

Page 138: ...126 IBM Tivoli Enterprise Console Adapters Guide...

Page 139: ...d for the System Application and Security logs whether the Windows NT event log adapter is running continuously or is restarted You can alter this behavior using the appropriate switches when the Wind...

Page 140: ...originated You must take this into consideration if you run tasks or programs from the IBM Tivoli Enterprise Console product or the rule base because they might use the hostname attribute to determine...

Page 141: ...again If no event is detected from a poll the polling interval is doubled until the upper limit is reached After the upper limit is reached the polling frequency remains at that interval until a new e...

Page 142: ...ation for them The default setting is TRUE UnmatchLog Specifies a file to log discarded events that cannot be parsed into an IBM Tivoli Enterprise Console event class by the adapter The discarded even...

Page 143: ...ter Format File The format file contains message format descriptions and their mapping to BAROC events The message fields of a Windows NT event are matched against the format descriptions in this file...

Page 144: ...he Windows NT event log adapter is installed All of the registry variables for the Windows NT event log adapter are located in the HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services TECNTAdapter dir...

Page 145: ...HINE SYSTEM CurrentControlSet Services TECNTAdapter This is not set by default and must be added to the registry to alter the default value of 120 seconds SecurityEventsProcessed Contains the highest...

Page 146: ...e amount of free memory then returns to a suspended state for 1 minute After 1 minute the adapter checks free memory again if free memory is still below this level the adapter returns to a suspended s...

Page 147: ...the after file distribution actions See the IBM Tivoli Enterprise Console User s Guide for additional information Events Listing The following table shows the class names and severities of all events...

Page 148: ...r_Conflict NT_Document_Print_Success NT_Document_Print_Deleted NT_Internal_Error_In_The_DHCP_Server NT_Performance_Alert NT_Capacity_Alert NT_Performance_Monitor NT_Trustee_Relationship_Failed NT_Serv...

Page 149: ...ce_Called NT_Trusted_Process_Logon_Success NT_Logon_Successful NT_Logon_Failure NT_User_Logoff NT_Log_Clear_Successful NT_Account_Management_Success NT_Group_Management_Change_Success NT_Global_Group_...

Page 150: ...me for the configuration file otherwise one of the appropriate directories specified in File Location on page 9 is used d Shows debug information as events are gathered and transmitted This argument a...

Page 151: ...see a message that the FTP server has registered as a trusted login process If you do not see this message run Windows NT User Manager application located in the Administrative Tools folder select Au...

Page 152: ...o 10 minutes if the adapter and the CPU are under a heavy load This delay occurs because the adapter attempts to finish processing all pending events before exiting The adapter should shut down immedi...

Page 153: ...ed adapters An x indicates the file is used by an adapter File Extension Adapter AS 400 Alert AS 400 Message NetWare OpenView OS 2 SNMP UNIX Log File Windows Event Log Windows NT Event Log BAROC baroc...

Page 154: ...S LIB CFG_MSG FILE MSGBRC MBR as400msg baroc on the event server cds QSYS LIB QUSRSYS LIB CFG_MSG FILE MSGCDS MBR conf QSYS LIB QUSRSYS LIB CFG_MSG FILE MSGCFG MBR NetWare brc tecadnw4 brc cds tecadnw...

Page 155: ...tecad_logfile err fmt tecad_logfile fmt rls log_default rls Microsoft Windows event log baroc tecad_win baroc cds tecad_win cds conf tecad_win conf err tecad_win err fmt tecad_win fmt Windows NT even...

Page 156: ...144 IBM Tivoli Enterprise Console Adapters Guide...

Page 157: ...g file and OS 2 adapter format files are in English only The Microsoft Windows NT event log format file is in English and localized into a sample file for the Tivoli supported languages If you have a...

Page 158: ...server service was unable to recreate the share s because the directory s no longer exists sharename 8 directoryname 9 END The FOLLOWS relationship is used to allow specific format specifications to b...

Page 159: ...l su message from a system log is an example of matching a system log message to the generic format specification mentioned in the preceding section Sep 13 12 17 11 elcap su su root succeeded for tjon...

Page 160: ...that this does not matter but the importance is apparent as discussed in Mappings on page 149 The following format string however is meaningful This is a good format s s The first s matches everything...

Page 161: ...d s The following format specification does not make much sense This is not a good format s s The first s matches everything through the end of the message and the second s never matches anything It m...

Page 162: ...derived from either a i value specification or a constant string value specification they cannot be derived from another PRINTF statement The value of the argument attributes will be used to compose a...

Page 163: ...get sent to the event server but are used in the PRINTF statement Temporary attributes are designated with a hyphen immediately preceding the attribute name in a mapping In order to illustrate the use...

Page 164: ...e adapter default v The msg attribute was not inherited from the Logfile_Base class because it was overridden by the Root_Login_Success_From class v The sub_source attribute was inherited from the con...

Page 165: ...ile being distributed by selecting Actions in the Edit Adapter window of the ACF Generating a New Class Definition Statement File for a Non TME Adapter To generate a new CDS file for a non TME adapter...

Page 166: ...t cds 3 Restart the adapter NetWare log file See TECADNW4 NLM on page 61 OS 2 See Starting the Adapter on page 80 UNIX log file See Starting the Adapter on page 101 Windows event log See Starting the...

Page 167: ...r syntax reference information in BNF notation see Class Definition Statement File Syntax Diagrams on page 161 Operators Various operators are used in class definition statements as follows v The PREF...

Page 168: ...t prints using the two items that were pulled with the FETCH statement Class Definition Statement File Details For each class of event supported by an adapter one or more class definition statements a...

Page 169: ...key or value PREFIX SUFFIX CONTAINS a_op_value k_op_value and v_op_value specify the comparison value In order for a SELECT statement to be evaluated successfully the following conditions must be met...

Page 170: ...be used to reference these mandatory attributes and thereby directly access their values These keywords have the format attribute_name Examples of keywords supported by the SNMP adapter are AGENT_ADD...

Page 171: ...ing two formats attribute_name variable attribute_name PRINTF format_string var1 An example of a MAP statement is the following MAP origin AGENT ADDRESS msg PRINTF Link s is DOWN V3 The output from a...

Page 172: ...essages the standard way of naming attributes is to use object identifiers OIDs For example SNMP variable ifDescr is named 1 3 6 1 2 1 2 2 1 2 Using SNMP object identifiers in SELECT statements is not...

Page 173: ...ult_statement MAP DEFAULT mapdef_statements END mapdef_statements mapdef_statement mapdef_statement mapdef_statements mapdef_Statement attribute_name constant attribute_name keyword attribute_name ato...

Page 174: ...ant keyword name_var key_var value_var v_op PREFIX SUFFIX EXISTS v_op_val constant keyword name_var key_var value_var FETCH STATEMENT fetch statements fetch_statement fetch_statement fetch_statements...

Page 175: ...map_args map_args map_value map_value map args map value constant keyword name_var value_var fetch_var VARIOUS constant string e g hello hello number 12 keyword atom e g TARGET name_var N number e g N...

Page 176: ...164 IBM Tivoli Enterprise Console Adapters Guide...

Page 177: ...ive Armonk NY 10504 1785 U S A For license inquiries regarding double byte DBCS information contact the IBM Intellectual Property Department in your country or send inquiries in writing to IBM World T...

Page 178: ...ave been made on development level systems and there is no guarantee that these measurements will be the same on generally available systems Furthermore some measurement may have been estimated throug...

Page 179: ...form the photographs and color illustrations might not appear Trademarks The following terms are trademarks of International Business Machines Corporation in the United States other countries or both...

Page 180: ...168 IBM Tivoli Enterprise Console Adapters Guide...

Page 181: ...gned to event attributes configuration file A file that specifies the characteristics of a system device or network E endpoint 1 In a Tivoli environment a Tivoli client that is the ultimate recipient...

Page 182: ...er to recognize relationships among events event correlation and to execute automated responses accordingly Also see rule base and rule set rule base In the IBM Tivoli Enterprise Console product one o...

Page 183: ...FETCH examples 25 files 23 142 graphic character set 25 AS 400 alert adapter continued job queue 35 keywords CDS file 25 message queues 24 multiple adapters 36 Name Server 35 POSTEMSG command 38 regis...

Page 184: ...ACTION_CODE 25 ACTIONS 25 ADAPTER_CORREL 25 ADAPTER_HOST 25 ADAPTER_HOST_SNANODE 26 ALERT_CDPT 26 CDS file keywords continued AS 400 alert adapter continued ALERT_ID 26 ARCH_TYPE 26 BLOCK_ID 26 CAUSE...

Page 185: ...24 27 FilterDataQueue 24 27 JobDescription 25 LanguageID 25 ProcessExistingAlerts 25 ServerCCSID 25 AS 400 message adapter AdapterCdsFile 40 AdapterType 40 configuration file keywords continued AS 40...

Page 186: ...tribute 5 E effect events 5 encoding UTF 8 3 12 14 145 endpoint adapters 13 endpoint gateway See gateway Tivoli Management Framework 2 endpoints described 1 distributing adapters 95 getting events to...

Page 187: ...3 tecad_logfile err 103 104 tecad_logfile fmt 103 104 109 tecad_nt baroc 127 tecad_nt conf 127 tecad_nt err 128 files continued tecad_nt exe 127 tecad_nt fmt 127 131 tecad_snaevent baroc 32 tecad_snmp...

Page 188: ...ords 24 L lanalert entry SNMP adapter 92 language support packs and postemsg 22 last cfg file 21 lcfd process 1 2 22 lcfd log file 21 list events 104 localization directories 4 log files ASCII 1 log_d...

Page 189: ...n NetWare adapter 55 region Tivoli management 95 registration files described 8 registry variables ApplicationEventsProcessed 117 132 ApplicationEventsProcessed TimeStamp 117 133 DirectorEventsProcess...

Page 190: ...nt log adapter 111 TCP IP continued Windows NT event log adapter 127 tec_gateway_sce ACP 97 tec_gateway conf 97 tec_recv_agent_port entry 14 tec_uninstal cmd 79 tecad_hpov 70 tecad_hpov baroc 70 tecad...

Page 191: ...ment 8 notation for x W warm start SNMP adapter 86 wep ls command 21 Windows event log adapter attribute defaults 121 BAROC file 121 configuration file 112 Control Panel Services Applet 120 described...

Page 192: ...180 IBM Tivoli Enterprise Console Adapters Guide...

Page 193: ......

Page 194: ...Program Number 5698 TEC Printed in U S A GC32 0668 01...

Reviews:

No comments

Related manuals for Enterprise Console

Brand: 3Com Pages: 20

Brand: Panasonic Pages: 44

Ethernet Communication Module DVPEN01-SL

Brand: Delta Electronics Pages: 54

HiGain HLU-231 List 8F

Brand: ADC Pages: 7

Brand: Lancom Pages: 102

BIC 1I12-P2A25-M30MI1-BPX05-110

Brand: Balluff Pages: 12

DSL5068EN(1T1R)

Brand: Aztech Pages: 40

OP-8000-EDFA-1U Series

Brand: Optostar Pages: 9

Brand: Juniper Pages: 2

Brand: ADTRAN Pages: 2

VMG5313-BXB SERIES

Brand: ZyXEL Communications Pages: 2

Elinx EIR508 Series

Brand: B&B Electronics Pages: 2

Brand: Symantec Pages: 100

Brand: MiWire Pages: 24

Brand: H3C Pages: 68

Brand: ZyXEL Communications Pages: 2

Brand: B&B Electronics Pages: 2

Brand: M-Audio Pages: 67

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands