IBM Tivoli Enterprise Console Adapters Guide Version 3.
Note Before using this information and the product it supports, read the information in “Notices” on page 165. First Edition (September 2002) This edition applies to version 3, release 8, of IBM Tivoli Enterprise Console (product number 5698-TEC) and to all subsequent releases and modifications until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2002. All rights reserved.
Preface The IBM® Tivoli Enterprise Console® Adapters Guide provides detailed descriptions for the currently available IBM Tivoli® Enterprise Console adapters. Who Should Read This Guide This guide is for IBM Tivoli Enterprise Console administrators who configure event adapters and IBM Tivoli Enterprise Console gateways.
Publications This section lists publications in the IBM Tivoli Enterprise Console library and any other related documents. It also describes how to access Tivoli publications online and how to make comments on Tivoli publications.
Accessing Publications Online Publications in the product libraries are included in PDF or HTML formats, or both, on the product CD. To access publications using a Web browser, open the infocenter.html file, which is located in the appropriate publications directory on the product CD. When IBM publishes an updated version of one or more online or hardcopy publications, they are posted to the Tivoli Information Center.
other information that you must use literally appear in bold. Names of windows, dialogs, and other controls also appear in bold. Italics Variables and values that you must provide appear in italics. Words and phrases that are emphasized also appear in italics. Monospace Code examples, output, and system messages appear in a monospace font. Operating System-dependent Variables and Paths This book uses the UNIX convention for specifying environment variables and for directory notation.
Chapter 1. Understanding Adapters Event adapters are software programs that collect information, perform local filtering, and convert relevant events into a format that can be used by the IBM Tivoli Enterprise Console product. Because adapters are located on or near their event sources and can perform local filtering of events, the adapters create a minimal amount of additional network traffic. Adapters use a minimal amount of system resources to perform their functions.
bundles them up and forwards them on to an event server. A TME interface is used for communications. The IBM Tivoli Enterprise Console gateway uses a connection-oriented service to the server by default. A connection-oriented service means that a connection is established when the adapter is initialized and the connection is maintained for all events to be sent.
The following figure shows an example of the IBM Tivoli Enterprise Console product and Tivoli Management Framework component relationships in a network with endpoints. How Events Get to the Event Server From a Managed Node For network management OpenView adapters, events are sent from the managed node adapter directly to the event server using a TME interface.
The event server can receive events in either UTF-8 encoding or the encoding of the event server host. The event server automatically determines the type of encoding (UTF-8 or non-UTF-8) of an event by evaluating a particular flag in the event data. The adapter automatically reads the format file from the appropriate directory. If the adapter is sending events to an event server running a version earlier than the IBM Tivoli Enterprise Console 3.
Attribute Name | Contents
acl | The list of authorization roles that enables an administrator to modify the event.
adapter_host | The host on which the adapter is running.
administrator | The administrator who acknowledged or closed the event.
cause_date_reception | The cause_date_reception attribute is used to link an effect event to its cause event. This value is set to the value of the date_reception attribute of the cause event.
Attribute Name | Contents
server_path | Stores information describing the rule engines that an event has passed through. server_path has the following definition: server_path list_of_strings; Each element in the list represents one rule engine that the event has visited, and each element contains a rule engine identifier, server number, reception ID, and event handle.
Attribute Name | Contents
status | The status of an event. It is initially set to OPEN or to a default value specified by the event class. Possible values during an event lifetime are as follows:
    ACK    An administrator or rule has acknowledged the event.
    CLOSED    An administrator or rule has fixed the problem that was reported by the event.
File Type | Description
Configuration | Defines configuration options for adapters.
Error | Defines error logging and tracing options for the adapter.
Format | Defines the format of messages and matches them to event classes for the UNIX log file, NetWare log file, OS/2, and Windows and Windows NT event log adapters.
Installation script | Configures the adapter to start when the operating system starts.
The boundaries between events in the cache file are indicated by a terminating ^A character at the end of each event. Configuration File Most adapters come with a configuration file containing configuration options and filters. This file is read by an adapter when it is started. By modifying this file, you can reconfigure an adapter at any time, without having to modify the adapter source code. To have your configuration changes take effect, simply stop and restart the adapter.
Some adapters have additional keywords specific to them. See each specific adapter chapter for descriptions of these keywords. Adapters do not issue error messages for misspelled keywords or keywords set to a value that is not valid. Do not use blank spaces in keyword statements unless enclosed in single quotation marks (however, you cannot use quotation marks at all with the HPOVFilter keyword in the HPOV adapter). Do not use class names not defined in a BAROC file with configuration options.
connection_oriented (or its abbreviations CO and co) and connection_less. The default value is connection_less, except for the AS/400 adapters and the IBM Tivoli Enterprise Console gateway, which have connection_oriented as the default value. When connection_less is specified or used by default, a new connection is established (and discarded) for each event or group of events that is sent.
For information about how to use filtering keywords to send, cache, and discard events, see “Event Filtering” on page 14. This keyword is optional. getport_timeout_seconds Specifies the number of seconds to wait before re-sending the UDP call for a port, if no response is heard. It re-transmits until the RPC call times out. The default value is zero (0) seconds. getport_timeout_usec Specifies the number of microseconds to add to the seconds specified with the getport_timeout_seconds keyword.
This option allows an adapter to send all events to the primary event server even if the primary event server is stopped briefly, such as when loading a new rule base. If you use this option to wait for restarting an event server, set the value for a period of time longer than necessary for the event server to be stopped and then restarted. The RetryInterval keyword is optional. The default is 120 seconds. ServerLocation Specifies the name of the host on which the event server is installed.
non-TME adapters that send events to a Windows event server or a Tivoli Availability Intermediate Manager (AIM), specify one value for each event server defined with the ServerLocation keyword. The ServerPort keyword is optional when the event server is running on UNIX, but mandatory when running on Windows. Note: If the event server is running on Windows: There is no portmapper daemon on a Windows machine that allows the adapter to query the reception port at runtime.
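Because adapters report no error for misspelled keywords or invalid values, a pre-deployment check of the configuration file is useful. The following Python script is an added example, not part of the IBM guide or product: it flags unknown keywords, blanks outside single quotation marks, quotation marks in HPOVFilter, and a ServerPort list that does not match ServerLocation. Assumptions: the keyword set is limited to names that appear in this guide excerpt, statements use `Keyword=value` or `Keyword:value`, `#` starts a comment, ServerLocation and ServerPort lists are comma-separated, and the sample configuration is constructed.

```python
import difflib
import re

# Keywords named in this guide excerpt. Assumption: not the product's complete
# list; extend it with the adapter-specific keywords you actually use.
KNOWN_KEYWORDS = sorted({
    "AdapterCdsFile", "BufferEvents", "Filter", "FilterCache", "FilterDataQueue",
    "FilterMode", "HPOVFilter", "JobDescription", "LanguageID", "LogSources",
    "PollInterval", "PreFilter", "PreFilterMode", "ProcessExistingAlerts",
    "ProcessExistingMsgs", "RetryInterval", "ServerLocation", "ServerPort",
    "getport_timeout_seconds", "getport_timeout_usec",
})

# Assumption: statements look like Keyword=value or Keyword:value.
STATEMENT = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*[=:](.*)$")


def has_unquoted_blank(text):
    """Return True if a blank appears outside single quotation marks."""
    quoted = False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return True
    return False


def split_list(statements):
    """Flatten comma-separated values (assumed list syntax) into one list."""
    return [item.strip() for _, value in statements
            for item in value.split(",") if item.strip()]


def lint_adapter_config(text, windows_event_server=False):
    """Return (line, code, message) findings for one configuration file."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        match = STATEMENT.match(line)
        if not match:
            findings.append((lineno, "syntax", "not a keyword statement"))
            continue
        key, value = match.groups()
        seen.setdefault(key, []).append((lineno, value))
        if key not in KNOWN_KEYWORDS:
            near = difflib.get_close_matches(key, KNOWN_KEYWORDS, n=1, cutoff=0.8)
            hint = f"; did you mean {near[0]}?" if near else ""
            findings.append((lineno, "unknown-keyword",
                             f"{key} is not a known keyword and the adapter "
                             f"reports no error for it{hint}"))
        if key == "HPOVFilter":
            # The guide forbids quotation marks in this value; blanks are not
            # checked for this keyword (assumption based on the guide's example).
            if "'" in value or '"' in value:
                findings.append((lineno, "hpov-quotes",
                                 "HPOVFilter must not contain quotation marks"))
        elif has_unquoted_blank(line):
            findings.append((lineno, "blank-space",
                             "blank outside single quotation marks"))

    # Cross-statement checks for the ServerLocation / ServerPort pairing.
    locations = split_list(seen.get("ServerLocation", []))
    port_lines = seen.get("ServerPort", [])
    ports = split_list(port_lines)
    if ports and len(ports) != len(locations):
        findings.append((port_lines[0][0], "port-count",
                         f"{len(ports)} ServerPort value(s) for "
                         f"{len(locations)} ServerLocation value(s)"))
    if windows_event_server and locations and not ports:
        findings.append((seen["ServerLocation"][0][0], "port-missing",
                         "ServerPort is mandatory for a Windows event server"))
    return findings


# Constructed sample configuration (host names, port and filter are made up).
SAMPLE_CONFIG = """\
# adapter configuration, constructed for this example
ServerLocaton=tecsrv1
ServerLocation=tecsrv1,tecsrv2
ServerPort=5529
BufferEvents = YES
FilterMode=OUT
Filter:Class=NT_Base;msg='disk almost full'
HPOVFilter="{CORR{default}} .*"
"""

if __name__ == "__main__":
    for lineno, code, message in lint_adapter_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{code}] {message}")
```

Pass `windows_event_server=True` when the event server runs on Windows, so that a missing ServerPort is reported.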
Regular Expressions in Filters: You can also use Tcl regular expressions in filtering statements. The format of a regular expression is re:'value_fragment'. Note: Tivoli Event Integration Facility uses an exception to the Tcl regular expression syntax. The backslash character (\) in Tivoli Event Integration Facility indicates that the following literal character is the character to filter for, not some special character such as a tab.
3. Create Filter and FilterCache statements to match the specific events that you want cached.

- To discard specific events:
  1. Set FilterMode to OUT.
  2. Create Filter and FilterCache statements to match the specific events that you want discarded.
- To cache all events (the default behavior):
  1. Set FilterMode to OUT.
  2. Set BufferEvents to YES.
  3. Do not specify any FilterCache statements.

Note: All events are discarded when the configuration is as follows:
1. FilterMode is set to IN.
2.
Rule File Some adapters come with a rule file describing the classes of events the adapter supports. This file is not used by the adapter itself, but serves as a mandatory link between the adapter and the event server. The event server must load this file before it is able to understand events received from the adapter. A rule file has an extension of .rls; see each specific adapter chapter for exact file names.
-date1 $1
-date2 $2
date PRINTF("%s %s", date1, date2)
END

FORMAT NT_Share_Dir_Missing FOLLOWS NT_Base
%t %s %s %s %s %s %s The server service was unable to recreate the share %s because the directory %s no longer exists.
sharename $8
directoryname $9
END

FORMAT NT_Service_Start FOLLOWS NT_Base
%t %s %s %s %s %s %s %s* started successfully.
service $8
END

FORMAT NT_Service_Started FOLLOWS NT_Base
%t %s %s %s %s %s %s The %s* service was started.
4: ATTR(=,"ifDescr");
5: ATTR(=,"ifType");
6: ATTR(=,"locIfReason");
FETCH
1: IPNAME($SOURCE_ADDR);
MAP
hostname = $F1;
sub_origin = $V4;
status = CLOSED;
interface_index = $V3;
interface_description = $V4;
interface_type = $V5;
reason = $V6;
END

Error File
It is possible to selectively activate tracing for any module of an adapter (parser, kernel, select, fetch, map, driver, and so forth) and for any level of error tracing. A different log file can be specified for each module/level pair.
KERNEL A general kernel operation.
SELECT A selection process.
FETCH A fetch process.
MAP A mapping process.
DRIVER A driver main program.
DRVSPEC An SNMP specific driver part.
TECIO An event server I/O.

error_level Specifies the type of error to look for or the type of trace to perform. Valid values are the following:
MINOR A minor error.
MAJOR A major error (running continues).
FATAL A fatal error (running ends).
LOW Minimal tracing.
NORMAL Normal tracing.
VERBOSE Verbose tracing.
Troubleshooting Adapters
The following sections list troubleshooting guidelines for the different types of adapters.

Adapter Startup Errors
If the adapter fails to start, look in the /tmp directory for the tecadEH.log file. You might be able to learn why the adapter failed from reading this file. The following list shows examples of errors you might find in tecadEH.log:
tecad EH : error 2 invalid error config line: Normal
tecad EH : error 4 Init: Stat failed on error file
3. If the endpoint has logged into a Tivoli Management Framework gateway successfully, create and distribute the ACP profile (see the IBM Tivoli Enterprise Console User’s Guide for details). Check the lcfd.log file if there are further problems; you can also turn on tracing at the Tivoli Management Framework gateway and look in $DBDIR/gatelog for further debugging information. 4.
Chapter 2. AS/400 Alert Adapter The AS/400 alert adapter forwards events from an AS/400 system to the event server. The adapter can be registered with the startup configuration of the AS/400 so that the adapter is started with all the other applications when the system is started.
The AS/400 adapter package also consists of the following commands, which are copied into QSYS upon installation of the product: STRTECADP Starts an AS/400 adapter. ENDTECADP Ends an AS/400 adapter. Before starting the event server and an AS/400 alert adapter, check the configuration file to determine if it defines the preferred adapter behavior. Configuration File The configuration file for the AS/400 alert adapter defines the behavior of the adapter, which runs as a job on the AS/400.
JobDescription Specifies an AS/400 job description that is to be used when starting the adapter. The default is QGPL/QDFTJOBD. LanguageID Specifies the AS/400 language ID in which alerts are to be sent to the event server. If a value is specified for this keyword, the AS/400 secondary language must be installed for that language ID. The default value for this keyword is ENU. ProcessExistingAlerts Specifies whether to send existing alerts on the data queue defined by the FilterDataQueue keyword.
$ADAPTER_HOST_SNANODE The netID.nau name of the host where the adapter is running.
$ALERT_CDPT The alert code point that provides an index into predefined text describing the alert condition.
$ALERT_ID The unique ID describing the alert.
$ARCH_TYPE Defines the alert type, either NONGENERIC_ALERT (alert subvector x'91') or GENERIC_ALERT (alert subvector x'92').
$BLOCK_ID The legacy block ID for non-generic alerts (alert subvector x'91').
If you use the default filter provided, copy it into library QUSRSYS and modify it there. Integrating with an Existing Alert Filter You might have alert filters that are already in use on your AS/400 system. These filters have been set up with the appropriate selection and action entries to filter alerts of interest and route them to predefined groups. The Filter keyword in the configuration file is used to indicate the name of the filter that the AS/400 alert adapter is to monitor.
STRTECADP Starts an AS/400 adapter. SYNOPSIS STRTECADP EVTADP(name) CFGFILE(filename) DESCRIPTION The AS/400 adapter runs as a batch job. The STRTECADP command starts an AS/400 adapter.
Stopping the Adapter The AS/400 adapter includes the ENDTECADP command that enables you to stop adapters individually or to stop all started adapters. The command is described on the following pages.
ENDTECADP Stops the AS/400 adapter. Context ENDTECADP EVTADP(name | *ALL) [OPTION(*CNTRLD | *IMMED)] [DELAY(seconds)] Comments The AS/400 adapter runs as a batch job. The ENDTECADP command stops an AS/400 adapter.
Examples
The following command stops the AS/400 alert adapter, started with the adapter name ALERTADP.
ENDTECADP EVTADP(ALERTADP)
The following command stops the AS/400 alert adapter, started with the adapter name MYCFG, in a controlled manner with a delay time of 60 seconds.
ENDTECADP EVTADP(MYCFG) OPTION(*CNTRLD) DELAY(60)
Events Listing The following shows the class names and severities of all events defined for the AS/400 alert adapter. You can use it to get a sense of how AS/400 alert events are mapped to IBM Tivoli Enterprise Console events and to determine if you want to make any changes. The events are defined in the tecad_snaevent.baroc file on the event server. See the IBM Tivoli Enterprise Console Rule Builder’s Guide for more information about customizing the BAROC file.
Event Class | Default Event Severity
SNA_4xxx_Performance | CRITICAL
SNA_Performance_Degraded | CRITICAL
SNA_Performance | CRITICAL
SNA_5xxx_Congestion | CRITICAL
SNA_Congestion | CRITICAL
SNA_Configurable_Capacity_Limit_Reached | CRITICAL
SNA_Congestion_Other | CRITICAL
SNA_6xxx_Microcode | CRITICAL
SNA_Microcode_Program_Abnormally_Terminated | CRITICAL
SNA_Microcode_Program_Error | CRITICAL
SNA_Microcode_Program_Mismatch | CRITICAL
SNA_Microcode | CRITICAL
SNA_7xxx_Operator | CRITICAL
SNA_Operator_Proced
You can set the severity of an AS/400 alert event on the event console as follows, based on the AS/400 alert type field specified in the message description:
Alert Type | Default Severity
01 (permanent loss of availability) | CRITICAL
04 (operator intervention required) | CRITICAL
09 (unavailable network component) | CRITICAL
0E (security problem) | CRITICAL
10 (permanently affected resource) | CRITICAL
03 (performance degradation) | WARNING
0A (notification: loss impending) | WARNING
0C (installation consi
Logging Events in Test Mode The file to which events are logged in test mode (instead of being sent to an event server) is created with a record length of 240 bytes if it does not exist. Because an event written to this file does not wrap to a new line if it is longer than 240 bytes, it is truncated. To avoid truncation, create the file ahead of time using the CRTPF or CRTSRCPF commands and specify a large enough record length to accommodate your events.
CRTJOBD JOBD(QGPL/STARTADP) JOBQ(QSYSNOMAX) TEXT('Start TEC adapter after IPL.') RQSDTA('CALL QGPL/STRADPCL')
3. Add an auto start job entry in QSYSWRK using the previous job description:
ADDAJE SBSD(QSYSWRK) JOB(TECAMSGQ) JOBD(QGPL/STARTADP)
This program runs at the start of QSYSWRK subsystem and ends quickly after doing the STRTECADP command.

Changing the AS/400 Startup Program
The system value QSTRUPPGM (startup program) contains the name of the program to execute after IPL.
Configuration File
To create the configuration file, perform the following steps:
1. Copy the adapter files using the following commands:
CPYF FROMFILE(QUSRSYS/CFG_ALERT) TOFILE(QUSRSYS/MYFILE) FROMMBR(*ALL) TOMBR(*FROMMBR) CRTFILE(*YES)
2. Update the configuration file to show the keywords pointing to the new objects, as follows:
AdapterCdsFile=/QSYS.LIB/QUSRSYS.LIB/MYFILE.FILE/MYCFG.MBR
Filter=mylib/myfilter
FilterDataQueue=mylib/mydtaqueue
3.
POSTEMSG Posts an event to the event server. See the IBM Tivoli Enterprise Console Reference Manual for more details about this command.
Context
QTMETECA/POSTEMSG { -S | -f } [-r] [-m] [, ...]
Note: There cannot be a space between the option letter and the option value.
Examples
Call QTMETECA/POSTEMSG PARM('-Sserver_name' '-rHARMLESS' '-m"This is a message"' AS400_MSG LOGFILE)
Call QTMETECA/POSTEMSG PARM('-f/QSYS.LIB/QUSRSYS.
Chapter 3. AS/400 Message Adapter The AS/400 message adapter forwards events from an AS/400 system to the event server. It can be registered with the startup configuration of the AS/400 system so that the adapter is started with all the other applications when the AS/400 system is started. See “Starting an AS/400 Adapter after an IPL” on page 52 for instructions on starting the adapter automatically with the AS/400 system.
A backup copy of each of these files also resides in the CFG_MSG file in library QTMETECA01. Before starting the event server and an AS/400 message adapter, check the configuration file to determine if it defines the preferred adapter behavior. Configuration File The configuration file for the AS/400 message adapter defines the behavior of the adapter, which runs as a job on the AS/400 system. A configuration file is created during the installation of the AS/400 message adapter.
PollInterval Specifies the amount of time in seconds to return to a suspended state between checking for new events that have been placed on the message queue. The default is 20. The following example shows the format: PollInterval=60 ProcessExistingMsgs Specifies whether the AS/400 messages adapter resets back to the first message on the message queue when starting. NO sends any new messages to the message queue. YES sends the first message on the message queue.
because access of them is direct. Event definition content and syntax are described in the IBM Tivoli Enterprise Console Rule Builder’s Guide.
$ADAPTER_HOST The protocol address of the host where the adapter is running.
$ALERT_OPTION If and when an SNA alert is created and sent for the message. If a message is received, the value is one of the following:
    *DEFER An alert is sent after local problem analysis.
    *IMMED An alert is sent immediately when the message is sent to the QHST message queue.
$MSG The default message used.
$MSG_FILE_NAME The name of the message file containing the message received.
$MSG_FILE_LIBRARY The name of the library containing the message file. For the actual library used when the message is sent, use the $MSG_LIBRARY_USED keyword.
$MSG_HELP The message help for the message received. If an immediate message is received, this field is blank.
$MSG_ID Indicates the AS/400 message identifier.
$MSG_KEY The key to the message received.
$SEND_PROGRAM_NAME The program name or Integrated Language Environment® (ILE) program name that contains the procedure sending the message.
$SEND_TIME The time at which the message being received was sent, in HHMMSS (hour, minute, second) format.
$SEND_USER_PROFILE The name of the user profile that sent the message being received.
$SEVERITY The severity of the event.
$SOURCE The source of the event. The source is defined by the adapter type (AS400_MSGQ).
Starting the Adapter The AS/400 message adapter includes the STRTECADP command that enables you to start an adapter. The command is described on the following pages.
STRTECADP Starts an AS/400 adapter. Flags STRTECADP EVTADP(name) CFGFILE(filename) Comments The AS/400 adapters run as a batch job. The STRTECADP command starts an AS/400 adapter.
Stopping the Adapter The AS/400 adapter includes the ENDTECADP command that enables you to stop adapters individually or to stop all started adapters. The command is described on the following pages.
ENDTECADP Stops the AS/400 adapter. Context ENDTECADP EVTADP(name | *ALL) [OPTION(*CNTRLD | *IMMED)] [DELAY(seconds)] Comments The AS/400 adapters run as a batch job. The ENDTECADP command stops an AS/400 adapter.
Examples
The following command stops the AS/400 message adapter, started with the adapter name SYSOPR, which was started to monitor the QSYSOPR message queue:
ENDTECADP EVTADP(SYSOPR)
The following command stops the AS/400 message adapter, started with the adapter name MYAPP, in a controlled manner that was set up to monitor an application-specific message queue:
ENDTECADP EVTADP(MYAPP) OPTION(*CNTRLD) DELAY(60)
Events Listing The following shows the class names and severities of all events defined for the AS/400 message adapter. You can use it to get a sense of how AS/400 messages are mapped to IBM Tivoli Enterprise Console events and to determine if you want to make any changes. The events are defined in the as400msg.baroc file on the event server. See the IBM Tivoli Enterprise Console Rule Builder’s Guide for more information about customizing the BAROC file.
Troubleshooting the AS/400 Adapter If a problem occurs with the AS/400 adapter, you can perform problem determination by investigating the job the adapter is running in. Each time you start an AS/400 adapter, a batch job is started. You can view the adapter job by issuing the following command: WRKJOB JOB(name) Where name is the name of the adapter job that matches the name specified on the STRTECADP command. This displays the Work with Job dialog.
Starting an AS/400 Adapter after an IPL
Two methods can be used to automatically start an AS/400 message adapter after an IPL:
- Adding an autostart job to a job queue
- Modifying the AS/400 start-up program to call the STRTECADP command

Adding an Autostart Job to QSYSWRK
1. Create a CL program that invokes the STRTECADP command, for example:
   a. Edit a source file member to add CL statements:
      STRSEU QGPL/QCLSRC STRADPCL
   b. Enter the following in the source file member.
DONE: RETURN
CHGVAR VAR(&CPYR) VALUE(&CPYR)
ENDPGM
3. Create the program and put it in the QSYS library:
CRTCLPGM PGM(QSYS/program-name) SRCFILE(QGPL/QCLSRC) SRCMBR(program-name)
Note: The start-up program runs under user profile QPGMR. By default, QPGMR does not have authority to change the AS/400 message adapter commands and programs.
Chapter 4. NetWare Log File Adapter The following sections contain reference information about the NetWare log file adapter. NetWare Log File Adapter Reference Information The log file adapter for NetWare forwards events from a NetWare server to the event server. The NetWare log file adapter can be registered with the startup configuration of the NetWare server so that the log file adapter is started when the NetWare server is started.
Prefiltering NetWare Events You can improve the performance of the NetWare log file adapter by filtering events, so that only important events are processed. This is called prefiltering and applies only to events logged to the SYS$LOG.ERR file. To use the prefiltering mechanism, you specify the prefilter statements in the configuration file using a format similar to that used for adapter filters. The prefiltering statements (PreFilter and PreFilterMode) are described in “Configuration File” on page 56.
previous line count is read. For example, the file has one line. After the poll interval elapses, the file is overwritten with two lines. Only the second line is read on the next polling. The adapter polls the SYS:SYSTEM\SYS$LOG.ERR file by default. Additional files can be specified with the LogSources keyword. PollInterval Specifies the frequency, in seconds, to poll each log file listed in the LogSources keyword for new messages. The default value is 120 seconds.
The following example shows a formatted IBM Tivoli Enterprise Console event derived from an error message issued by the NetWare Directory Service (DS): 7-16-98 5:08:46 pm:DS-5.73-12 Severity=10 Locus=2 Class=5 Synthetic Time is being issued on partition “NOVELL_TREE.” For details about format files, see “Format File” on page 17. Events Listing The tables in the next section show the class names and severities of all events defined for the NetWare log file adapter.
Alert Severity | Definition | Severity Level
4 (Fatal) | Resource fatally affected; shutdown. | FATAL
5 (Operation Aborted) | The operation cannot complete. | FATAL
6 (Non OS unrecoverable) | The operation cannot complete.
Alert_class | NetWare Definition
6 | System failure
7 | Request error
8 | Not found
9 | Bad format
10 | Locked
11 | Media failure
12 | Item exists
13 | Station failure
14 | Limit exceeded
15 | Configuration error
16 | Limit almost exceeded
17 | Security audit information
18 | Disk information
19 | General information
20 | File compression
21 | Protection violation

The following NetWare events are defined in the BAROC file:
Event Class | Default Severity
NW4_Base | UNKNOWN
NW4_SysLog_Base | UNKNOWN
NW4_C
Event Class | Default Severity
NW4_GeneralInformation | UNKNOWN
NW4_FileCompression | UNKNOWN
NW4_ProtectionViolation | UNKNOWN
NW4_AppMessage | UNKNOWN
NW4_NLM_Loading | UNKNOWN
NW4_NLM_Unloaded | UNKNOWN
NW4_NLM_NotLoaded | UNKNOWN
NW4_Abend | UNKNOWN

TECADNW4.NLM
The NLM, tecadnw4.nlm, is the NetWare log file adapter. The commands for loading and unloading the NLM are described on the following pages.
tecadnw4.nlm Starts the NetWare log file adapter in non-service mode.
Flags
Load tecadnw4 [-c ConfigFile] [-d]
Description
Loading tecadnw4.nlm starts the adapter. To stop the adapter, run the following from the command line:
unload tecadnw4
Authorization: None is required.
Arguments:
-c ConfigFile Specifies the configuration file for the NetWare log file adapter. If a value is not specified, the TECADNW4.CNF file in the current directory is used.
Troubleshooting the NetWare Log File Adapter
Perform the following steps to troubleshoot the NetWare log file adapter:
1. Stop the NetWare log file adapter that is currently running by unloading tecadnw4.nlm:
   unload tecadnw4
2. Start the adapter in debug mode:
   load tecadnw4 -d -c Config_File
3. Generate some events and see if the adapter receives them. As events arrive, the adapter prints messages to the screen indicating the class and the attribute values in the class.
4.
Chapter 5. OpenView Adapter The IBM Tivoli Enterprise Console adapter for the Hewlett-Packard OpenView (HPOV) product forwards events from OpenView to the event server. The adapter is registered with the startup configuration of the OpenView operating system using ovaddobj, so it is started along with all the other applications that use the operating system. The OpenView ovspmd process manages the adapter and forwards all preferred events to the event server.
Incoming Messages Format Messages received from the ovtrapd process consist of SNMP Trap-PDUs as defined in RFC 1157 (SNMPv1). OpenView-specific events are defined as enterprise-specific traps and have the following content: enterprise 1.3.6.1.4.1.11.2.
on the adapter in proportion to the number of events discarded by the NNM circuit settings and therefore not forwarded to the adapter. If you are running NNM 5 or earlier, the adapter calls OVsnmpTrapOpen to open a session; with NNM 6 or later, the adapter calls OVsnmpEventOpen. Only OVsnmpEventOpen allows for event correlation of the events before they are forwarded to the adapter. OVsnmpEventOpen contains a filter parameter that defines which events the application receives from ovspmd.
- Example 2: Adapter tracing is turned on by specifying output files in the .err file instead of /dev/null. You can find the NNM version and the specified filter value in the messages displayed when you start the adapter. The messages are similar to the following example:
Initializing T/EC interface ...
T/EC interface initialization complete
Initializing driver ...
Initializing SNMP driver ...
Running as a WellBehavedDaemon
Enter in TECAD_OVsInit...
- To find details about event arrivals for the circuits and streams, use the following command:
  ecsmgr -stats
- To turn on tracing to see the OpenView events received, use the following command:
  ecsmgr -log_events input on
  This trace file is located in $OV_LOG/ecs//ecsin.
Adapter Files
The OpenView adapter package consists of the following files in the following directories:
- $TECADHOME/bin
  tecad_hpov.cfg The installation configuration script.
  tecad_hpov The adapter executable file.
  tecad_hpov.sh The adapter shell script to set the environment and call the adapter executable file.
- $TECADHOME/etc
  tecad_hpov.baroc The adapter BAROC file to define the classes to the rule base.
  tecad_ov.baroc An additional BAROC file that precedes tecad_hpov.
HPOVFilter=filter Specifies the events the adapter receives from OpenView NNM 6. This value is ignored with OpenView NNM 5. The adapter can accept up to 4096 bytes for this parameter; you must enter the value in one continuous line of input with no intervening line returns. Do not enclose the value in quotation marks; if you enclose the value in quotation marks and turn on adapter tracing, the trace file displays the following error: Stream filtering set to: "{CORR{default}} .*" Enter in TECAD_OVsInit...
4:ATTR(=, "openViewData3");
5:ATTR(=, "openViewData4");
MAP
origin=$V3;
sub_origin=$V4;
severity=WARNING;
OV_status=2; # Marginal
Keywords
The OpenView adapter supports the use of the following keywords in class definition statements. These keywords can be useful if you want to customize events.
$COMMUNITY  Specifies the trap community string.
$ENTERPRISE  Specifies the enterprise object identifier of the object generating the trap.
Each line of this file has the following form:
"name" "object identifier"
For example:
"sysUpTime" "1.3.6.1.2.1.1.3"
"ifIndex" "1.3.6.1.2.1.2.2.1.1"
"whyReload" "1.3.6.1.4.1.9.2.1.2"
Note: Object identifiers must appear in increasing order. You can use the names that are mapped to object identifiers in the CDS file.
Error File
The error file enables you to configure debugging and tracing options. This file is described in detail in “Error File” on page 19.
LRF File The .
Events Listing The following table shows the class names and severities of all events defined for the OpenView adapter. You can use it to get a sense of how OpenView events are mapped to IBM Tivoli Enterprise Console events and to determine if you want to make any changes. The events are defined in the BAROC file. See the IBM Tivoli Enterprise Console Rule Builder’s Guide for more information about customizing the BAROC file.
Event Class  Default Severity
OV_IF_Deleted  WARNING
OV_IF_Descr_Chg  MINOR
OV_IF_Fault  WARNING
OV_IF_Down  FATAL
OV_IF_Flags_Chg  WARNING
OV_IF_Type_Change  MINOR
OV_Manage_IF  WARNING
OV_Manage_Network  WARNING
OV_Manage_Node  WARNING
OV_Manage_Segment  WARNING
OV_Network_Added  HARMLESS
OV_Network_Deleted  WARNING
OV_Network_Fault  WARNING
OV_Network_Critical  CRITICAL
OV_Network_Marginal  WARNING
OV_Network_Normal  HARMLESS
OV_Network_Flg_Chg  WARNING
OV_No_SNMP_Reply  CRITICAL
OV_No
Event Class  Default Severity
OV_Unmanage_Node  WARNING
OV_Unmanage_Segment  WARNING
HPOV_Event  WARNING
OV_ARP_Chg_New_Phys_Addr  WARNING
OV_ARP_Phys_Chg_Same_Src  WARNING
OV_AppUngracefulExit  WARNING
OV_Application_Alert  WARNING
OV_Application_Down  WARNING
OV_Application_Up  WARNING
OV_Bad_Forw_To_Host  WARNING
OV_Bad_Phys_Address  WARNING
OV_ConnectionUnknown  WARNING
OV_Connection_Down  FATAL
OV_DataCollect_Check  WARNING
OV_IF_Disconnected  WARNING
OV_IF_IP_Addr_Chg  WARNING
OV_IF_U
50790402  Segment Marginal
50790403  Network Normal
50790404  Network Marginal
50790405  Segment Added
50790406  Segment Deleted
50790407  Network Added
50790408  Network Deleted
50790409  Connection Added
50790410  Connection Deleted
50790411  Change Polling Period
50790412  Forced Poll
50790418  Manage Node
50790419  Unmanage Node
50790420  Manage Segment
50790421  Unmanage Segment
All OpenView events are supported by the OpenView adapter.
Chapter 6. OS/2 Adapter The IBM Tivoli Enterprise Console adapter for OS/2 forwards events from an OS/2 system to the event server. The adapter is registered with the startup configuration of OS/2 so that the adapter is started with all the other applications that are automatically started when OS/2 is started. The adapter is an OS/2 process that reads events generated by an OS/2 system and forwards them to an event server for further processing.
If a file truncates while the adapter is active, the adapter automatically resets its internal pointer to the beginning of the file. If during the polling interval the file is overwritten, removed, or recreated with more lines than the previous poll, only the number of lines greater than the previous line count is read. For example, the file has one line. After the poll interval elapses, the file is overwritten with two lines. Only the second line is read on the next polling.
You can also manually start the adapter by entering the following command sequence from the OS/2 command line:
sh %LCF_BINDIR%/../TME/TEC/ADAPTERS/BIN/tecadini.sh start
Stopping the Adapter
You can manually stop the endpoint adapter by sourcing the endpoint environment, and then entering the following command sequence from the OS/2 command line:
sh %LCF_BINDIR%/../TME/TEC/ADAPTERS/BIN/tecadini.
Numeric Value  Literal Value
6  HARMLESS
Troubleshooting the OS/2 Adapter
Perform the following steps to troubleshoot the OS/2 adapter:
1. Stop the OS/2 adapter that is currently running. See “Stopping the Adapter” on page 81 for details.
2. Add a LogSources=c:\check.txt entry in the configuration file.
3. Start the adapter as described in “Starting the Adapter” on page 80.
4. Add a few lines to c:\check.txt.
5.
Chapter 7. SNMP Adapter The Simple Network Management Protocol (SNMP) adapter for the IBM Tivoli Enterprise Console product forwards events from SNMP traps to the event server. This chapter explains how to configure and start the SNMP adapter. SNMP Driver The SNMP adapter serves the function of collecting SNMP trap messages directly from the SNMP trap socket of a host and translating SNMP traps into appropriate IBM Tivoli Enterprise Console class instances.
Before starting the adapter, check each adapter file to determine if it defines the behavior you want from the adapter. Configuration File The configuration file defines the behavior of the adapter, which runs as a server daemon. The configuration file can have the common keywords described in “Configuration File” on page 9, as well as the following adapter-specific keywords: AdapterSpecificFile=path Specifies the full path name of the object identifier file.
$AGENT_ADDR  Specifies the address of the object generating the trap.
$VARBIND  Specifies a list of all non-fixed attributes.
$VB_NUM_VARS  Specifies the number of elements in $VARBIND.
$ADAPTER_HOST  The name of the host machine where the adapter runs.
Built-in Variables for $VARBIND: $VARBIND is a list of all non-fixed attributes. To access the individual elements of $VARBIND, use the VB_# variables, where # is a number greater than zero (0).
Cold Start The endpoint adapter is automatically started as a step in the adapter installation process when the adapter configuration profile (ACP) is distributed using the Adapter Configuration Facility (ACF). Manually start the adapter on the endpoint with the following command: init.tecad_snmp start Warm Start You can restart a running adapter. Doing so is useful when you have changed one of the adapter files and want to have it read in without bringing the adapter or host down completely.
adapter_host Host on which the adapter runs forwarding_agent Proxy agent that forwarded the event to the adapter Additional information is provided where possible by using OpenView category and status codes. See the ENUMERATION statements at the beginning of the BAROC file for details.
Event Class  Event Severity
Port_Type_Changed_CBT  WARNING
Lock_Status_Changed_CBT  WARNING
Port_Security_Violation_CBT  WARNING
Port_Violation_Reset_CBT  WARNING
Env_Temperature_CBT  WARNING
Cisco_Trap  WARNING
Reload_Cisco  WARNING
TCP_Connection_Close_Cisco  HARMLESS
The tecad_snmp.baroc file contains a complete listing of events including NetWare, Cisco, Cabletron, and generic traps. Refer to the BAROC file for details.
Rules Listing
There are no default rules for the SNMP adapter.
261  NewSourceAddress
262  SourceAddressTimeout
263  BoardRemoval
264  BoardInsertion
265  ActivePortInRedundantCircuitFailed
266  RedundantPortActivated
267  RedundantPortTesfFailed
268  DeviceTrafficThresholdExceeded
269  DeviceErrorThresholdExceeded
270  DeviceCollisionThresholdExceeded
271  BoardTrafficThresholdExceeded
272  BoardErrorThresholdExceeded
273  BoardCollisionThresholdExceeded
274  PortTrafficThresholdExceeded
275  PortErrorThresholdExceede
BEGIN
IMPORTS
    enterprises FROM RFC1155-SMI
    OBJECT-TYPE FROM RFC-1212
    TRAP-TYPE FROM RFC1215;
-- Network Computing Inc.
nci OBJECT IDENTIFIER ::= { enterprises 768 }
-- LANAlert alert packets
lanalert OBJECT IDENTIFIER ::= { nci 2 }
-- Agent-independent data items
lanalert-data OBJECT IDENTIFIER ::= { lanalert 2 }
-- (NOTE: Some MIB processors have problems with the definition
-- of lanalertFSA-NW2; this can be commented out if no
-- NetWare 2.x File Server Agents are in use.
    STATUS mandatory
    DESCRIPTION "A number designating a monitored condition."
    ::= { lanalert-data 3 }
thresholdID OBJECT-TYPE
    SYNTAX INTEGER (1..4294967295)
    ACCESS not-accessible
    STATUS optional
    DESCRIPTION "A number designating a threshold set on a monitored condition."
    ::= { lanalert-data 4 }
alertText OBJECT-TYPE
    SYNTAX DisplayString (SIZE (0..79))
    ACCESS not-accessible
    STATUS mandatory
    DESCRIPTION "A string describing an alert condition.
Change alerts are generated when a condition changes state. These types of alerts are forwarded to any consoles and gateways that are currently attached to the agent management server. Change alerts cannot be cleared, since neither the agent nor the management server maintains information about the alert (other than logging the alert). Console operators dismiss change alerts locally. Resettable alerts are generated when a condition changes in a predefined manner.
VARIABLES { managementServerName, nodeName, eventID, alertText }
These are denoted in the tecad_snmp.cds file as follows:
3:ATTR(=,"managementServerName");
4:ATTR(=,"nodeName");
5:ATTR(=,"eventID");
6:ATTR(=,"alertText");
You would add the following entry to the tecad_snmp.cds file to map the trap variables to adapter variables:
MAP
managementServerName=$V3;
nodeName=$V4;
eventID=$V5;
alertText=$V6;
msg=PRINTF("The LANAlert File Server Agent on %s has set a priority 1 alert.
-d  Starts the adapter in debug mode. This argument prevents the daemon from forking itself.
-c configuration_file  Specifies the location of the configuration file. If -c is not specified, then the adapter searches $TECADHOME/etc/tecad_snmp.conf if the environment variable TECADHOME is set, or /etc/Tivoli/tecad/etc/tecad_snmp.conf for the configuration file.
2. Make sure that there are no other processes such as SNMP or ovtrapd already listening on port 162.
Chapter 8. IBM Tivoli Enterprise Console Gateways Although not an adapter, the IBM Tivoli Enterprise Console gateway is similar in that it is software that uses the TME interface of Tivoli Event Integration Facility to communicate with the event server. Like an adapter, it can be configured with a configuration file, and the configuration file can be distributed with an adapter configuration profile (ACP) entry using the Adapter Configuration Facility (ACF).
2. Determine the number of gateways and the resulting number of events that they can send to the event server. The example environment contains two gateways, where gateway A is responsible for Web commerce servers and gateway B is responsible for the secretaries’ systems. Divide the average capacity of the event server by the number of gateways: 120 ÷ 2 = 60 The resulting value of 60 indicates the average number of events each gateway can send without overwhelming the event server.
Worksheets and Calculations
Table 1 and Table 2 summarize the values for this example. You can use these tables as worksheets to assemble the values you measure and calculate for your environment. All numerical values are expressed in events per second, except where noted.
Table 1. Example values for controlling event traffic for the event server
Average Receive Rate    Expected Peak Rate for High Traffic
120                     140
Table 2.
The following example illustrates how the Windows path notation can be expanded: c:\winnt\system32\drivers\etc\Tivoli\tec\tec_gateway.conf The configuration file defines the behavior of the gateway. The configuration file can have the common keywords described in “Keywords” on page 9, as well as the following custom keywords: BufEvtPath Specifies the gateway to buffer events at this location if it cannot forward them to the event server.
acknowledgement from the event server. The default value is 30 seconds. This keyword works with the GatewayTMEAckEnabled keyword for event delivery. GatewayQueueSize Specifies, in bytes, the size for the buffers containing events waiting to be forwarded to event servers. If any of these buffers fill before the expiration of the GatewaySendInterval option, the waiting events are immediately sent. The default is 40 000 bytes.
The default value is @EventServer. You can specify multiple server names as a comma-delimited list. Server names later in the list can be backups for times when the gateway cannot contact its primary server for an event and the RetryInterval has expired without successfully contacting the primary server. You can specify a host name as you would for a non-TME adapter, and the events are then forwarded to that host using the non-TME Tivoli Event Integration Facility.
Chapter 9. UNIX Log File Adapter The TME UNIX log file adapter receives raw log file information from the UNIX syslogd daemon, formats it, and sends it to the IBM Tivoli Enterprise Console gateway. The IBM Tivoli Enterprise Console gateway then sends the information to the event server. The non-TME UNIX log file adapter sends information directly to the event server. The UNIX log file adapter adds entries into the /etc/syslog.
Stopping the Adapter Use the init.tecad_logfile stop command to manually stop the adapter. Always use this command to ensure that the syslogd daemon is correctly configured to stop sending messages to the adapter. If the adapter is stopped with any other method, the syslogd daemon might exit because the adapter is no longer listening on the named pipe the syslogd daemon is writing to.
Adapter Files
The UNIX log file adapter package consists of the following files:
tecad_logfile.cfg  The installation script.
init.tecad_logfile  The adapter startup and shutdown script. Never stop the adapter using signals. Use this script to ensure that the syslogd daemon remains running and functional.
tecad_logfile  The executable file of the adapter that receives the log information and transforms it into events.
logfile_gencds  The executable file that converts a format file to a CDS file.
tecad_logfile.
PollInterval Specifies the frequency, in seconds, to poll each file listed in the LogSources field for new messages. The default value is 120 seconds. UnmatchLog Specifies a file to log discarded events that cannot be parsed into an IBM Tivoli Enterprise Console event class by the adapter. The discarded events can then be analyzed to determine if modifications are needed to the adapter format file. Format File The format file is described in detail in “Format File” on page 17.
Event Class  Default Severity
Logfile_Amd  WARNING
Amd_Mounted  WARNING
Amd_Unmounted  WARNING
Logfile_Automount  WARNING
Logfile_Bootpd  WARNING
Logfile_Comsat  WARNING
Logfile_Cron  HARMLESS
Logfile_Date  HARMLESS
Logfile_Date_Set  WARNING
Logfile_Ebbackupd  WARNING
Ebbackupd_Waiting  WARNING
Logfile_Ebcatcomp  WARNING
Logfile_Fsck  WARNING
Logfile_Ftp  WARNING
Logfile_Ftpd  WARNING
Logfile_Gated  WARNING
Logfile_Getty  WARNING
Logfile_Halt  WARNING
Logfile_Idi  HARMLESS
Logfile_Inetd  WAR
Event Class  Default Severity
Logfile_Lpd_Get_Hostname  WARNING
Logfile_Lpd_Lost_Connection  WARNING
Logfile_Lpd_No_File  WARNING
Logfile_Mosaic  WARNING
Logfile_Mountd  WARNING
Logfile_Named  WARNING
Logfile_Nfsd  WARNING
Logfile_Nnrpd  WARNING
Logfile_Oserv  WARNING
Oserv_Panic  CRITICAL
Oserv_Graceful_Exit  HARMLESS
Oserv_System_Error  MINOR
Oserv_Fork_Failed  CRITICAL
Oserv_Exec_Failed  MINOR
Oserv_Comm_Error  WARNING
Oserv_IPC_Dispatch_Failed  MINOR
Oserv_Security  WARNING
Oserv_Tmgr  WARNING
Oserv_Event
Event Class  Default Severity
Logfile_Rtelnet  WARNING
Logfile_Rwhod  WARNING
Logfile_Sendmail  HARMLESS
Sendmail_Loopback  WARNING
Sendmail_No_Space  MINOR
Logfile_Snmpd  WARNING
Logfile_Sockd  WARNING
Sockd_Connected  HARMLESS
Sockd_Terminated  WARNING
Sockd_Transfer  WARNING
Logfile_Strerr  HARMLESS
Logfile_Su  WARNING
Su_Failure  WARNING
Su_Success  WARNING
Logfile_Syslogd  WARNING
Syslogd_Nospace  MINOR
Logfile_Talkd  WARNING
Logfile_Telnetd  WARNING
Logfile_Tftpd  WARNING
Logfile_X
Event Class  Default Severity
NFS_No_Response  WARNING
NIS_No_Response  WARNING
Server_OK  HARMLESS
NFS_OK  HARMLESS
NIS_OK  HARMLESS
Default Rules
The UNIX log file adapter has a set of default rules that can be installed to enhance event server operation. Rules can enable the server to perform functions such as deleting events and sending e-mail to alert administrators of an unresolved problem. The rules are contained in the log_default.
hour. You can edit this rule to change the time or the list of classes. Refer to the IBM Tivoli Enterprise Console Rule Builder’s Guide for information about editing rules.
- Logfile_Amd
- Logfile_Cron
- Logfile_Oserv
- Logfile_Date_Set
The event server also comes with some additional rules that you can install. The $BINDIR/TME/TEC/contrib/rules/security directory contains the security_default.
5. If you see the messages, the adapter is receiving events and processing them. Run the wtdumprl command on the event server and verify that the messages are actually showing up in the reception log. If not, the events were not received by the event server or there is a problem with the event server reception process. Check the adapter configuration file to verify that ServerLocation and ServerPort are properly defined.
Chapter 10. Windows Event Log Adapter The adapter for the Microsoft Windows event log forwards events from a Windows system to the event server. It is registered with the start-up configuration of Windows 2000 or Windows NT so that the adapter is started with all the other applications that are automatically started when Windows is started.
tecad_win.baroc  The BAROC file.
postemsg.exe  The command line interface program to send an event to an event server.
tecad_win.err  The error file.
Before starting the event server, check the configuration file to determine if it defines the preferred adapter behavior.
Configuration File
The configuration file defines the behavior of the adapter.
If a file truncates while the adapter is active, the adapter automatically resets its internal pointer to the beginning of the file. If during the polling interval the file is overwritten, removed, or recreated with more lines than the previous poll, only the number of lines greater than the previous line count is read. For example, the file has one line. After the poll interval elapses, the file is overwritten with two lines. Only the second line is read on the next polling.
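A small model of the line-count bookkeeping described above for files listed in LogSources, added here as an example and not taken from the adapter's code. The class and function names are hypothetical, the log lines are constructed, and the same-line-count case is an inference from the statement that only lines beyond the previous count are read.

```python
import os
import tempfile


class LineCountPoller:
    """Model of a poller that remembers only how many lines it has read."""

    def __init__(self, path):
        self.path = path
        self.lines_read = 0  # the "internal pointer", kept as a line count

    def poll(self):
        """Return the lines the described logic would pick up on this poll."""
        with open(self.path, encoding="utf-8") as handle:
            lines = handle.read().splitlines()
        if len(lines) < self.lines_read:
            # File truncated: reset the pointer to the beginning of the file.
            self.lines_read = 0
        new_lines = lines[self.lines_read:]
        self.lines_read = len(lines)
        return new_lines


def write_lines(path, lines):
    """Overwrite the file with the given lines (constructed sample data)."""
    with open(path, "w", encoding="utf-8") as handle:
        handle.write("".join(line + "\n" for line in lines))


def run_scenarios():
    """Replay four constructed states of one log file, polling after each."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        poller = LineCountPoller(path)
        results = {}
        write_lines(path, ["09:00 service started"])
        results["first poll"] = poller.poll()
        # Overwritten with two different lines: only the second one is read.
        write_lines(path, ["09:05 login failed for root",
                           "09:06 login failed for admin"])
        results["overwritten, more lines"] = poller.poll()
        # Replaced by the same number of lines: nothing is read at all.
        write_lines(path, ["09:10 audit policy changed",
                           "09:11 account created"])
        results["overwritten, same count"] = poller.poll()
        # A shorter file counts as truncation: pointer resets, all lines read.
        write_lines(path, ["09:20 log cleared"])
        results["truncated"] = poller.poll()
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, lines in run_scenarios().items():
        print(f"{name}: {lines}")
```

Lines that replace earlier content between two polls never reach the event server under this logic, so files monitored this way are best kept append-only.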
The following example shows a PreFilter statement with a regular expression. This prefilter statement matches all Application Log events with a source name that contains TEC_ somewhere in its name:
PreFilter:Log=Application;Source=re:'TEC_.*';
The following example shows a prefilter statement with a more narrow range. This prefilter statement matches all Application Log events with a source name that contains TEC_ somewhere in its name and has an EventID of 24:
PreFilter:Log=Application;Source=re:'TEC_.
The WINEVENTLOGS statement is a comma-delimited list with no spaces that can contain the following values: Application, Directory (Directory service), DNS, FRS, Security, System, All, and None.
Source  The source that logged the event to the Windows event log. You can specify up to sixteen sources. Multiple sources must be separated by commas.
EventType  The classification of the event assigned by Windows. Valid values are as follows:
- Error
- Warning
- Information
- AuditSuccess
- AuditFailure
- Unknown
The following examples show prefiltering statements. The first statement is on multiple lines due to space restrictions.
Registry Variables Registry variables are used to control the operation of the Windows event log adapter. Changes made to registry variables take effect immediately; there is no need to stop and restart the adapter. Use the registry editor (regedt32) provided by Windows to view and modify registry variables. Note: It is not necessary to modify the registry variables for the Windows event log adapter to function.
DirectoryEventsProcessedTimeStamp Contains the time stamp for the corresponding event identified by the value of the DirectoryEventsProcessed variable. DNSEventsProcessed Contains the highest event number in the Windows DNS Server Log that the adapter has processed. The adapter uses this variable to keep track of how many events it has read and sent to the event server so that the adapter can start at the next event the next time it polls the log.
SecurityEventsProcessedTimeStamp Contains the time stamp for the corresponding event identified by the value of the SecurityEventsProcessed variable. SystemEventsProcessed Contains the highest event number in the Windows event log that the adapter has processed. The adapter uses this variable to keep track of how many log events it has read and sent to the event server so that the adapter can start at the next event the next time it polls the log.
Any values that you do not set use the default values when you enable this feature. The adapter only checks these values at startup.
Adapter Administrator Roles for Windows
Both the service and non-service version of TME adapters on Windows run under the local SYSTEM account (the built-in Windows account). You must create a Tivoli administrator that grants the Tivoli role of senior (or higher) to the SYSTEM account so that the adapters can send events to the event server.
Event Class Structure Event classes are defined hierarchically, with child classes inheriting attribute value defaults from the parent. The Windows event classes follow a simple hierarchy. The adapter fills in the following attribute default values. The attributes are used in event group filters.
Event Class
NT_Printer_Was_Set
NT_Printer_Was_Created
NT_Printer_Pending_Deletion
NT_Security_Database
NT_Security_Database_Error
NT_Insight_Agent_Disk_Alert
NT_DHCP_Rejected_Allocation_Request
NT_Domain_Not_Contactable
NT_WINS_Alert
NT_WINS_Server_Alert
NT_Master_Browser
NT_Trustee_Relationship
NT_Timeserv_Worked
NT_Timeserv_Failed_1
NT_Timeserv_Failed_2
NT_Timeserv_Failed_3
NT_Timeserv_Failed_4
NT_Timeserv_Failed_5
NT_Timeserv_Failed_6
NT_License_Service_No_License_Available
NT_License_Service_Out_Of_Lice
Event Class  Severity
NT_Global_Group_Changed
NT_Local_Group_Member_Removed
NT_Account_Password_Change_Success
NT_Server_Start
NT_Application_Error
NT_Table_Reached_Maximum_Size
NT_Handle_Closed
NT_Object_Open
NT_Audit_Policy_Change
NT_Duplicate_Name  WARNING
tecad_win Command
The Windows event log adapter includes the tecad_win command, which enables you to start the adapter in non-service mode. The command description is on the following pages.
tecad_win
Starts the Windows event log adapter in non-service mode.
SYNOPSIS
tecad_win.exe [-d] [-c ConfigFile] [-L none | EventLog ...]
DESCRIPTION
The tecad_win command starts the Windows event log adapter in non-service mode. You can use the non-service mode for diagnostic purposes or to view event messages in a Windows console window. The Windows service mode adapter must be stopped before the non-service mode adapter is started.
Troubleshooting the Windows Event Log Adapter
Perform the following steps to troubleshoot the Windows event log adapter:
1. Stop the Windows event log adapter that is currently running by pressing the Esc key in the command window session that is running the Windows event log adapter. Pressing the Ctrl+c key combination in the command window session that is running the Windows event log adapter also stops the adapter.
2. Start the adapter in debug mode:
tecad_win -d -c Config_File
3.
Chapter 11. Windows NT Event Log Adapter The adapter for the Microsoft Windows NT event log forwards events from a Windows NT system to the event server. It is registered with the start-up configuration of Windows NT so that the adapter is started with all the other applications that are automatically started when Windows NT is started. Note: Only a single instance of the Windows NT or Windows event log adapter can be run on a managed node or endpoint.
postemsg.exe  The command line interface program to send an event to an event server.
tecad_nt.err  The error file.
Before starting the event server, check the configuration file to determine if it defines the preferred adapter behavior.
Configuration File
The configuration file defines the behavior of the adapter.
If during the polling interval the file is overwritten, removed, or recreated with more lines than the previous poll, only the number of lines greater than the previous line count is read. For example, the file has one line. After the poll interval elapses, the file is overwritten with two lines. Only the second line is read on the next polling. NumEventsToCatchUp Specifies which event in the Windows NT event logs that the adapter starts with.
The PreFilter keyword is optional. All Windows NT log events are sent to the adapter if prefilters are not specified and PreFilterMode=OUT. For additional information about prefiltering Windows NT log events, see “Prefiltering Windows NT Log Events” on page 130. PreFilterMode Specifies whether Windows NT log events that match a PreFilter statement are sent (PreFilterMode=IN) or ignored (PreFilterMode=OUT). Valid values are IN, in, OUT, or out. The default is OUT.
Log Specifies one or more of the Windows NT event logs to prefilter. Valid values are System, Security, Application, or any combination of these separated by commas. The default is all three event logs. EventId Specifies the event number assigned by Windows NT. You can specify up to sixteen event numbers. Multiple event numbers must be separated by commas. Source The source that logged the event to the Windows NT event log. You can specify up to sixteen sources.
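The PreFilter and PreFilterMode behavior described in this chapter and in the Windows event log chapter, as an added example (not the adapter's own code) for checking which events a given configuration would keep away from the event server. It assumes that attributes inside one statement are combined with AND, that several statements are combined with OR, that non-regex values compare exactly, and that re: is used only on Source; the function names are hypothetical and the sample events are constructed.

```python
import re

FIELDS = ("Log", "EventId", "Source", "EventType")
EVENT_TYPES = {"Error", "Warning", "Information",
               "AuditSuccess", "AuditFailure", "Unknown"}
MAX_VALUES = 16  # the guide allows up to sixteen EventId or Source values


def parse_prefilter(statement):
    """Parse one 'PreFilter:Key=value;...;' statement into match criteria."""
    prefix = "PreFilter:"
    if not statement.startswith(prefix):
        raise ValueError("not a PreFilter statement: %r" % statement)
    criteria = {}
    # Assumption: ';' never appears inside a value or a regular expression.
    for field in statement[len(prefix):].split(";"):
        if not field.strip():
            continue
        key, _, value = field.partition("=")
        key, value = key.strip(), value.strip()
        if key not in FIELDS:
            raise ValueError("unknown PreFilter attribute: %r" % key)
        if key == "Source" and value.startswith("re:"):
            criteria[key] = re.compile(value[3:].strip("'"))
            continue
        values = {v.strip() for v in value.split(",") if v.strip()}
        if key in ("EventId", "Source") and len(values) > MAX_VALUES:
            raise ValueError("%s lists more than %d values" % (key, MAX_VALUES))
        if key == "EventType" and not values <= EVENT_TYPES:
            raise ValueError("invalid EventType in %r" % value)
        criteria[key] = values
    return criteria


def matches(criteria, event):
    """True when the event satisfies every attribute the prefilter names."""
    for key, wanted in criteria.items():
        actual = str(event[key])
        if isinstance(wanted, re.Pattern):
            if not wanted.search(actual):  # "contains", as in the TEC_ example
                return False
        elif actual not in wanted:
            return False
    return True


def forwarded(event, prefilters, mode="OUT"):
    """Apply PreFilterMode: IN sends matching events, OUT ignores them."""
    mode = mode.upper()
    if mode not in ("IN", "OUT"):
        raise ValueError("PreFilterMode must be IN or OUT")
    hit = any(matches(p, event) for p in prefilters)
    return hit if mode == "IN" else not hit


# Constructed sample events (not taken from a real log).
SAMPLE_EVENTS = [
    {"Log": "Application", "Source": "TEC_Adapter", "EventId": 24,
     "EventType": "Information"},
    {"Log": "Security", "Source": "Security", "EventId": 529,
     "EventType": "AuditFailure"},
    {"Log": "System", "Source": "Service_Control_Manager", "EventId": 7024,
     "EventType": "Error"},
]


def dropped_ids(statements, mode):
    """Event IDs from SAMPLE_EVENTS that would not reach the adapter."""
    prefilters = [parse_prefilter(s) for s in statements]
    return [e["EventId"] for e in SAMPLE_EVENTS
            if not forwarded(e, prefilters, mode)]


if __name__ == "__main__":
    tec_only = ["PreFilter:Log=Application;Source=re:'TEC_.*';"]
    print("OUT drops:", dropped_ids(tec_only, "OUT"))
    print("IN drops: ", dropped_ids(tec_only, "IN"))
```

With the single TEC_ prefilter, switching PreFilterMode from OUT to IN reverses the result: the Security audit failure and the System error are the events that stop being forwarded.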
against a format description. A formatted error message from the Windows NT service control manager can look like the following example: Jan 15 15:06:19 1998 0 Error N/A Service_Control_Manager 7024 \ The UPS service terminated with service-specific error 2481. For details about format files, see “Format File” on page 17 and Appendix B, “Format File Reference” on page 145.
that the adapter has processed. The adapter uses this variable to keep track of how many events it has read and sent to the event server so that the adapter can start at the next event the next time it polls the log. You can lower the ApplicationEventsProcessed variable if you want an event to be read and processed again. To process all messages in the Application Log, set the ApplicationEventsProcessed variable to 1.
drive:\adapter_dir, where drive and adapter_dir are the drive and directory, respectively, that contain the adapter executable files and run-time files. Only change the TECInstallPath variable if you move the adapter executable files and run-time files after you have installed the adapter. Low Memory Registry Variables When enabled, this feature checks the amount of available memory before the adapter attempts to send an event.
Starting the Adapter By default, the adapter is always started when Windows NT is started. If you are using the Windows NT service version of the Windows NT event log adapter, you can use the Windows NT tools to operate the adapter. For example, you can start and stop the adapter using Windows NT Control Panel Services.
Event Class  Default Severity
NT_Share_Dir_Missing  WARNING
NT_Service_Start  WARNING
NT_Service_Stop  WARNING
NT_Out_Of_Paper  WARNING
NT_Printer_Out_Of_Paper  WARNING
NT_Low_Virtual_Memory  WARNING
NT_Security_Db_Not_In_Sync  WARNING
NT_Registry_Bad_DB  WARNING
NT_NCNB_Error  WARNING
NT_Parity_Error  WARNING
NT_Power_Failure  WARNING
NT_Thread_Create_Fail  WARNING
NT_Semaph_Create_Fail  WARNING
NT_Monitor_Start  WARNING
NT_TCPService_Fail
NT_Master_Browser_Conflict
NT_Document_Print_Success
Event Class  Default Severity
NT_Timeserv_Failed_3
NT_Timeserv_Failed_4
NT_Timeserv_Failed_5
NT_Timeserv_Failed_6
NT_License_Service_No_License_Available
NT_License_Service_Out_Of_Licenses
NT_Restore
NT_Backup
NT_Replicator_Did_Not_Send_Update
NT_Replicator_System_Error
NT_Replicator
NT_Tivoli_Courier
NT_Tivoli_TEC_Adapter
NT_Tivoli_TEC_Adapter_Error_Sending_Alert
NT_Sophos_Sweep
NT_SNMP
NT_Insight_Manager_Error
NT_Insight_Manager
NT_Privileged_Service_Called
NT_Trusted_Process_Logon_Success
NT_Logon_Succe
tecad_nt
Starts the Windows NT event log adapter in non-service mode.
SYNOPSIS
tecad_nt.exe [-d] [-c ConfigFile] [-L none | EventLog ...]
DESCRIPTION
The tecad_nt command starts the Windows NT event log adapter in non-service mode. You can use the non-service mode for diagnostic purposes or to view event messages in a Windows NT console window. The Windows NT service mode adapter must be stopped before the non-service mode adapter is started.
Troubleshooting the Windows NT Event Log Adapter
Perform the following steps to troubleshoot the Windows NT event log adapter:
1. Stop any Windows NT event log adapters that are currently running by pressing the Esc key in the command window session that is running the Windows NT event log adapter. Pressing the Ctrl+c key combination in the command window session that is running the Windows NT event log adapter also stops the adapter.
2. Start the adapter in debug mode:
tecad_nt -d -c Config_File
3.
Shutting down the service version of the Windows NT event log adapter can take up to 10 minutes, if the adapter and the CPU are under a heavy load. This delay occurs because the adapter attempts to finish processing all pending events before exiting. The adapter should shut down immediately under normal load conditions.
Appendix A. Files Shipped with Adapters Notes: 1. The NetView for OS/390® adapters are delivered with Tivoli NetView for OS/390 as part of the Event/Automation Service. Although these adapters are shipped as part of that product, the BAROC files and rule files for them are shipped with the IBM Tivoli Enterprise Console product. For information about additional files shipped with these adapters, see the Tivoli NetView for OS/390 documentation.
The following table lists the file names for some of the more significant files used for the IBM Tivoli Enterprise Console adapters:
Adapter  Extension  File Name
AS/400 alert  .baroc  /QSYS.LIB/QUSRSYS.LIB/CFG_ALERT.FILE/ALRBRC.MBR
                      tecad_snaevent.baroc (on event server)
              .cds    /QSYS.LIB/QUSRSYS.LIB/CFG_ALERT.FILE/ALRCDS.MBR
              .conf   /QSYS.LIB/QUSRSYS.LIB/CFG_ALERT.FILE/ALRCFG.MBR
              .rls    /QSYS.LIB/QUSRSYS.LIB/CFG_ALERT.FILE/ALRRLS.MBR
                      tecad_snaevent.rls (on the event server)
              .baroc  /QSYS.LIB/QUSRSYS.
Adapter  Extension  File Name
UNIX log file  .baroc  tecad_logfile.baroc
               .cds    tecad_logfile.cds
               .cfg    tecad_logfile.cfg
               .conf   tecad_logfile.conf
               .err    tecad_logfile.err
               .fmt    tecad_logfile.fmt
               .rls    log_default.rls
Microsoft Windows event log  .baroc  tecad_win.baroc
                             .cds    tecad_win.cds
                             .conf   tecad_win.conf
                             .err    tecad_win.err
                             .fmt    tecad_win.fmt
Windows NT event log  .baroc  tecad_nt.baroc
                      .cds    tecad_nt.cds
                      .conf   tecad_nt.conf
                      .err    tecad_nt.err
                      .fmt    tecad_nt.fmt
Appendix B. Format File Reference This appendix contains details about format files. The format file usually has an extension of .fmt; see each specific adapter chapter for exact file names. To use non-English characters in a format string, you must enter the non-English characters in the local encodings. Notes: 1.
Format Specifications The format file is made up of one or more format specifications. A format specification has the following parts: v Format header The keyword FORMAT followed by the event class name. This is optionally followed by the FOLLOWS keyword and a previously defined class name, as shown in the following example: FORMAT NT_Share_Dir_Missing FOLLOWS NT_Base Note: A format specification with the same class name can be defined more than once.
Matches one constant in the message. The optional length is a decimal number of any size and allows the constant to be truncated to the length if the constant actual length is greater than the specifier length. v %[length]s* Matches zero or more constants in the system log message. The optional length is a decimal number of any size and allows any of the accumulated constants to be truncated to the length if the constant actual length is greater than the specifier length.
Using the system log message from the preceding September 29 example, the component specifiers and matches are as follows:

%t               Sep 29 14:57:28
%s               aspen
su: ’su          su: ’su
%s               root
succeeded for    succeeded for
%s               jsmith
on               on
%s               /dev/ttypd

The white space characters that separate the words of a system log message must also be present in the format string. A single space character (that is, one blank) in the format string will match any number of white space characters in the message.
Windows NT Example

The following example is a Windows NT message:

Jan 15 15:06:19 1998 0 Error N/A Service_Control_Manager 7024 \
The UPS service terminated with service-specific error 2481.

The variable parts are the time stamp (Jan 15 15:06:19 1998), possibly the security ID (N/A), the event ID (7024), the service name (UPS), and the error code (2481).
The mapping part of a format specification consists of zero or more lines that contain a BAROC file attribute name followed by a value specifier. The value specifiers can be one of the following types:

$i
    Where i indicates the position of a component specifier in a format string. Each component specifier is numbered from 1 to the maximum number of component specifiers in the format string.
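The component-specifier matching and the $i position numbering described above, as an added Python example that is not IBM's adapter code. It handles only %t, %[length]s and %[length]s*, assumes a syslog-style time stamp for %t, and uses a constructed format string and message modelled on the su example.

```python
import re

# Assumption: %t is a syslog-style stamp "Mon DD HH:MM:SS", as in the page's example.
TIMESTAMP = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"
SPEC = re.compile(r"%(\d*)(t|s\*|s)")          # %t, %[length]s, %[length]s*
PATTERNS = {"t": TIMESTAMP, "s": r"\S+", "s*": r"(?:\S+(?:\s+\S+)*)?"}


def _literal(text):
    """Escape constant text; one blank matches any run of white space."""
    tokens = [t for t in re.split(r"(\s+)", text) if t]
    return "".join(r"\s+" if t.isspace() else re.escape(t) for t in tokens)


def compile_format(fmt):
    """Return (compiled regex, [(kind, length), ...]) for a format string."""
    parts, specs, pos = [], [], 0
    for m in SPEC.finditer(fmt):
        length, kind = m.groups()
        parts.append(_literal(fmt[pos:m.start()]))
        parts.append("(" + PATTERNS[kind] + ")")
        specs.append((kind, int(length) if length else None))
        pos = m.end()
    parts.append(_literal(fmt[pos:]))
    return re.compile("".join(parts)), specs


def match_components(fmt, message):
    """Map component positions 1..n (the $i values) to matched text, or None."""
    regex, specs = compile_format(fmt)
    m = regex.fullmatch(message.strip())
    if m is None:
        return None                       # no match: this format does not apply
    out = {}
    for i, (value, (kind, n)) in enumerate(zip(m.groups(), specs), start=1):
        if n is not None:                 # truncate each constant to the optional length
            value = " ".join(word[:n] for word in value.split())
        out[i] = value
    return out


# Constructed sample modelled on the page's su example (not from a shipped .fmt file).
FMT = "%t %s su: 'su %s' succeeded for %s on %s"
LINE = "Sep 29 14:57:28 aspen   su: 'su root' succeeded for jsmith on /dev/ttypd"

if __name__ == "__main__":
    print(match_components(FMT, LINE))
```

A line that matches no format string returns None, which is the case to watch when a format file is edited: an event that no longer matches is never mapped to a class.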
Additional Mapping Considerations

Specify only one mapping for each BAROC file attribute. A mapping can be inherited from a more generic format specification (using the FOLLOWS keyword) or can be explicitly defined on the format specification that directly matches the message. Because the adapter does not access the BAROC file, which resides on the event server, care must be taken to make sure that the format specifications agree with the corresponding BAROC file definitions.
The log file adapter will attempt to match this system log message to the most specific format specification. In this case, the event matches the Root_Login_Success_From format specification. The event created by the log file adapter will therefore have an event class of Root_Login_Success_From.
PRINTF statement in the Root_Login_Success_From class, its value would have been ttyp6. This is because the msg attribute is inherited as the third component specification in the event, even though the third component in the originating class (Logfile_Base) would have yielded the value sawmill login: ROOT LOGIN ttyp6 FROM oak.

Activating Changes Made with a Format File

If you have made changes to a format file, you must generate a new class definition statement (CDS) file that contains those changes.
Windows event log
    win_gencds /language/tecad_win.fmt tecad_win.cds
Windows NT event log
    nt_gencds /language/tecad_nt.fmt tecad_nt.cds

3. Restart the adapter:

NetWare log file
    See “TECADNW4.NLM” on page 61.
OS/2
    See “Starting the Adapter” on page 80.
UNIX log file
    See “Starting the Adapter” on page 101.
Windows event log
    See “Starting the Adapter” on page 120.
Windows NT event log
    See “Starting the Adapter” on page 135.
Appendix C. Class Definition Statement File Reference

A class definition statement (CDS) file specifies SELECT, FETCH, and MAP statements for all event classes supported by adapters that utilize a CDS file. This provided file is required for most adapters and has the same format for all adapters that use it. A CDS file has an extension of .cds; see each adapter chapter for exact file names.

File Format

Most of the CDS file is composed of class definition statements.
    $msg = PRINTF("Job %s for user %s is on message wait", $F1, $F2);
END

Table 3 describes each statement in the example:

Table 3. Explanation of operators in example code

Code: SELECT ATTR(=,$MSG), VALUE(PREFIX,"Job");
Explanation: A match occurs when any message arrives with Class=AS400_MSG and the first part of the message field equals Job.

Code: SELECT ATTR(=,$MSG), VALUE(CONTAINS,"for User");

Code: SELECT ATTR(=,$MSG), VALUE(SUFFIX,"You must investigate.
If the class name equals *DISCARD*, any incoming event matching the SELECT statement is discarded. Note that an event is also discarded if it does not match any class definition statement.
SELECT statements and their associated clauses are evaluated in the order they appear in the CDS file. If all the clauses of a SELECT statement are evaluated successfully, the incoming event matches the corresponding class. After an event is matched with a class because of successful SELECT statement evaluation, processing continues with the FETCH statement, unless the class is *DISCARD*, in which case the event is discarded.
There can be one or more clauses within a FETCH statement. Each clause has the following format: n:expression; where n is the identification number of a clause within a FETCH statement and expression is an expression specifying the value to assign the pseudo-variable $Fn. Pseudo-variables are the output from a clause of a FETCH statement.
    source=NET;
    sub_source=SNMP-TRAP;
    origin=$SOURCE_ADDR;
END

CLASS Authentication_Failure_Cisco
  SELECT
    1: ATTR(=,$ENTERPRISE), VALUE(PREFIX, "1.3.6.1.4.1.9");
    2: $TYPE = 4;
    3: ATTR(=,"authAddr");
  FETCH
    1: IPNAME($SOURCE_ADDR);
  MAP
    hostname = $F1;
    originating_address = $V3;
END

# For Cisco routers, because we know the interface generating the trap,
# we map ’linkUp’ traps to ’linkDown’ CLOSED events
CLASS Link_Down_Cisco
  SELECT
    1: ATTR(=,$ENTERPRISE), VALUE(PREFIX, "1.3.6.1.4.1.
Class Definition Statement File Syntax Diagrams

This section describes the syntax for statements allowed within a CDS file. The syntax is shown in BNF-like notation where the vertical bar (|) character represents alternatives, and optional parts are contained within braces ({}).
’,’ ’)’ ::= ’=’ | PREFIX | SUFFIX | EXISTS ::= | | | | ::= ’=’ | ’!=’ | ’>’ | ’>=’ | ’<’ | ’<=’ | PREFIX | SUFFIX | EXISTS ::= | | | | ::= ’=’ | ’!=’ | ’>’ | ’>=’ | ’<’ | ’<=’ | PREFIX | SUFFIX | EXISTS ::= | | | | /* * FETCH STATEMENT */
| | | | ckey_var> ::= SUBSTR ’(’ ’.
Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Glossary

The following cross-references are used in this glossary:

See: This refers the reader to (a) a related term, (b) a term that is the expanded form of an abbreviation or acronym, or (c) a synonym or more preferred term.

Obsolete term for: This indicates that the term should not be used and refers the reader to the preferred term.

A

ACF. See Adapter Configuration Facility.

ACP. See adapter configuration profile.

adapter. See event adapter.

Adapter Configuration Facility (ACF).
event server. In the IBM Tivoli Enterprise Console product, a central server that processes events. The event server creates an entry for each incoming event and evaluates the event against a rule base to determine whether it can respond to or modify the event automatically. The event server also updates the event consoles with the current event information. If the primary event server is not available, events can be sent to a secondary event server.

F

format file.
Program Number: 5698-TEC Printed in U.S.A.