Probe Guide for NT Event Log
Monitoring
v4.0 series
Copyright Notice
This online help system (the "System") is for your informational purposes only and is subject to change or withdrawal by CA at any time.
This System may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This System is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. This System may not be disclosed by you or used for any purpose other than as may be permitted in a separate agreement between you and CA governing your use of the CA software to which the System relates (the “CA Software”). Such agreement is not modified in any way by the terms of this notice. Notwithstanding the foregoing, if you are a licensed user of the CA Software you may make one copy of the System for internal use by you and your employees, provided that all CA copyright notices and legends are affixed to the reproduced copy.
The right to make a copy of the System is limited to the period during which the license for the CA Software remains in full force and effect. Should the license terminate for any reason, it shall be your responsibility to certify in writing to CA that all copies and partial copies of the System have been destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS SYSTEM “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS SYSTEM, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The manufacturer of this System is CA.
Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
Copyright © 2014 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Legal information on third-party and public domain software used in this product is documented in the Third-Party Licenses and Terms of Use
Contact CA
Contact CA Support
For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources:
■ Online and telephone contact information for technical assistance and customer services
■ Information about user communities and forums
■ Product and documentation downloads
■ CA Support policies and guidelines
■ Other helpful resources appropriate for your product
Providing Feedback about Product Documentation
Send comments or questions about CA Technologies product documentation to
To provide feedback about general CA Technologies product documentation, complete our short customer survey which is available on the support website at
Contents
Chapter 1: ntevl 4.0 ... 7
ntevl Overview ... 7
Chapter 2: ntevl Probe Deployment ... 11
Supported Platforms ... 11
System Requirements ... 11
Software Requirements ... 11
Probe Deployment Information ... 12
Installation Notes ... 12
Chapter 3: Upgrades and Migrations ... 13
Chapter 4: ntevl Configuration ... 15
Probe Configuration Interface Installation for ntevl ... 15
Probe Defaults ... 16
Probe Configuration ... 16
Setup Tab ... 17
Status Tab ... 36
Parameters in a Posted Message ... 37
Chapter 5: Edit Probe Configuration ... 39
View Event Details ... 42
Regular Expression Construct Rules ... 44
Chapter 6: Operation and Use ... 47
Chapter 7: ntevl QoS Metrics ... 49
Chapter 8: Known Issues ... 51
Chapter 1: ntevl 4.0
This description applies to ntevl probe version 4.0.
This section contains the following topics:
ntevl Overview (see page 7)
Documentation Changes (see page 8)
ntevl Overview
An event is a significant activity on a system or application that requires user attention. Microsoft Windows logs all such events and makes them available to the user through the Event Viewer tool. This process helps the user to identify and troubleshoot hardware or software issues on the system.
As a system administrator, you can use the NT Event Log Monitoring probe for viewing the event logs. The probe lets you create a monitoring profile for filtering the events that you want to monitor and generate alarms for unexpected events. The probe also generates QoS for storing historical event data and generates trends over time for analyzing the system and application performance.
Note: The NT Event Log Monitoring probe monitors the event logs of the host system on which the probe is deployed only. The probe does not have any option for adding a network system for monitoring its events.
The NT Event Log Monitoring probe now supports the following non-English locales:
■ B-Portuguese
■ Chinese (traditional and simplified)
Documentation Changes
This table describes the version history for this document.
Version Date What's New?
4.0 September 2014
■ Updated the Properties Tab and Status Tab topics.
■ Added the Language String Configuration Tab and Subsystems Configuration Tab topics.
■ Removed the Configure Locale Specific Severity String topic.
3.9 June 2014
■ Updated the Software Requirements topic.
3.9 December 2013
■ Updated the Event Selection Tab section.
■ Updated the Alarm/Post Tab section.
■ Added the View Event Details section.
■ Added the Configuring Locale Specific Severity String section.
■ Updated the Operator field description of the Variables Tab section.
3.8 December 2012
■ Added functionality to monitor Operational and Admin event logs (introduced from Vista/Windows 2008 onwards).
■ Added support to monitor other Windows event logs apart from Application, Security, and System only.
■ Added Probe Defaults.
■ The Source field is renamed to Source/Publisher Name.
3.7 October 2012
■ Added support for converting event description to a localized form.
■ Added a check box - Run command on match, containing two fields, Command executable and Command arguments.
Related Documentation
■ Documentation for other versions of the ntevl probe
■ The Release Notes for the ntevl probe
■ Monitor Metrics Reference Information for CA Unified Infrastructure Management Probes
Chapter 2: ntevl Probe Deployment
This section contains prerequisites, system requirements, and deployment information for the ntevl probe.
This section contains the following topics:
Supported Platforms (see page 11)
System Requirements (see page 11)
Software Requirements (see page 11)
Probe Deployment Information (see page 12)
Installation Notes (see page 12)
Supported Platforms
Refer to the Compatibility Support Matrix for the latest information about supported platforms. See also the Support Matrix for Probes for more specific information about the probe.
System Requirements
The ntevl probe must be installed on systems with the following minimum resources:
■ Memory: 2-4 GB of RAM. The OOB configuration of the probe requires 256 MB of RAM.
■ CPU: 3 GHz dual-core processor, 32- or 64-bit
Software Requirements
The ntevl probe requires the following software environment:
■ Nimsoft Monitor Server 7.1 to 7.6 or CA Unified Infrastructure Management 8.0 or later
■ Robot 7.1 or later
■ Probe Provisioning Manager (PPM) probe version 2.38 or later (for Admin Console GUI only)
■ Java Virtual Machine 1.6 or later
Probe Deployment Information
There are three ways to distribute archive packages. You can distribute the package within the web-based Admin Console (for supported probes), from within Infrastructure Manager, or use the standalone Distribution application. See Probe Deployment for more information on deploying probes.
Installation Notes
The NT Event Log Monitoring probe monitors the event logs for new messages and generates alarm messages according to your setup. You can configure the probe to trigger each time a new message is added to the event log, or to check the event log for new messages at a fixed interval, which reduces the system load generated by the probe. Consider the following points while installing the NT Event Log Monitoring probe:
■ Restart the probe when the time zone is changed or when "Automatically adjust clock for daylight saving changes" is selected or cleared.
■ The Windows event log watcher probe version 3.0x uses WMI to retrieve the event
Chapter 3: Upgrades and Migrations
When upgrading the probe from any previous version to 4.00, delete the
Chapter 4: ntevl Configuration
The ntevl probe is configured by defining one or more profiles, identifying a set of criteria for event log message selection and how these messages should be treated. This allows you to define different actions for different event log messages.
This probe is configured to generate alerts based on messages from the Windows event logs.
This section contains the following topics:
Probe Configuration Interface Installation for ntevl (see page 15)
Probe Defaults (see page 16)
Probe Configuration (see page 16)
Probe Configuration Interface Installation for ntevl
Probe Defaults
When a probe is deployed for the first time on a robot, some default configuration is deployed automatically. These probe defaults can be alarms, QoS, profiles, and so on, which save the time needed to configure the default settings. Probe defaults are applied only on a fresh install, that is, when no instance of that probe is already present on that robot in an activated or deactivated state.
The NT Event Log Monitoring probe has the following default properties:
Setup > Properties
■ Poll Interval: 30 Seconds
■ Alarm Timeout: 10 Seconds
■ Log File: ntevl.log
■ Log File Size: 100 KB
■ Maximum Events to Fetch: 1000
■ Fetch Alarms on Configurator Startup: Selected
■ WMI Query Timeout: 1
■ WMI Timeout Interval Unit: Seconds
■ Alarm List Size: 1000
■ Log Files to be Monitored: System, Application, and Security
Setup > Profiles
■ allevents: Monitors all events of the log file, which are selected for monitoring.
■ allerrors: Monitors all events where the event severity is Error.
■ MSExchange event: Monitors all events where the event source or publisher contains the MSExchange text and the event severity is Error.
Probe Configuration
Setup Tab
When you double-click the probe name in Infrastructure Manager, the GUI for the ntevl probe is displayed with the Setup tab (Profiles sub tab) opened by default.
This tab contains the following sub tabs:
■ Properties
■ Profiles
■ Exclude
■ Language String Configuration
■ Subsystems Configuration
Properties Tab
The Properties tab contains the following fields:
Probe Active
If selected, activates the probe. To deactivate it, clear the check box.
Description Delimiter
Specifies any ASCII character, including special characters, that replaces the new line character of the event log message. For example, if the event log message consists of three lines and the description delimiter is #, then the probe returns Line 1 Text # Line 2 Text # Line 3 Text in the alarm message.
Remove Recurring Delimiter
If selected, removes repeated delimiters. For example, if there is an empty line in the event log message, then only one delimiter is used.
Run Type
Allows you to select Event to trigger the probe every time Windows NT puts a new message into the event log. Select Poll and specify a Poll Interval and Alarm Timeout to check at regular intervals.
Note: The recommendation is to use the Event mode for processing events in real time. In Poll mode, there is additional overhead in creating the query each time. You might experience a momentary increase in CPU usage if the number of events
Logging
Allows you to specify the file (Log File) to which the probe logs information about its internal activity and the level of detail written to the log file (Log Level). Log as little as possible during normal operation (to minimize disk consumption), and increase the amount of detail when debugging. You can also configure the maximum size (Log Size) of the log file in KB. When the log file reaches this size, the probe backs up the log file, clears the log content, and writes new logs to the file.
Post Event Log Message Setup
Default Post Subject
Defines the default event log post message subject. A subject which is used internally in CA UIM for alarm messages cannot be used in this field:
■ alarm
■ alarm_new
■ alarm_update
■ alarm_close
■ alarm_assign
■ alarm_stats
■ QOS_MESSAGE
■ QOS_DEFINITION
If any of these subjects is used, the probe uses evl_ as the message subject. If the field is left blank, the probe uses ntevl as the default post message subject.
Note: This field only defines the default post message subject; select the Post Message option in the Profiles > Alarm/Post tab to send the message. You can also override the message subject at the profile level.
Column Prefix
Fetch Event Setup
Maximum Events to Fetch
Specifies the maximum number of events that are fetched from the event log and shown in the Status tab. The default value is 1000 if no value is provided in this field. The limit is defined to avoid timeout situations when fetching events from the probe.
Fetch Alarms on Configurator Startup
Fetches all alarms at configurator start-up (select the Status tab to see the alarm list). By default, this option is enabled.
If the option is not checked, this list is empty at configurator start-up, and you have to click the Refresh button on the Status tab to fetch the alarms.
Output Encoding
Specifies the character encoding for generating alarms and QoS messages when the probe is deployed in a non-English locale. The recommendation is to use the same encoding as the monitored system unless a different encoding is required.
System Encoding
Specifies the system encoding where the probe is installed.
Note: The probe auto-detects the system and output encoding when these field values are blank. However, the recommendation is to specify the appropriate encoding in the fields. You can use the UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, Shift_JIS, ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, GB18030, GB2312, Big5, EUC-JP, EUC-KR, ISO-8859-1, ISO-8859-2, windows-1250, and windows-1252 encodings.
Alarm List Size
Defines the buffer size for storing the details of events that match the monitoring profile criteria. This field matters when a profile generates an alarm only after receiving a number of matching events. For example, a monitoring profile generates an alarm when the matching event count reaches 50. While the event count is 49 or less, the probe keeps the event details in the buffer.
Note: This field value must be greater than or equal to the number of monitoring profiles.
WMI Query Timeout
Defines the time-out interval of the WMI query for fetching the monitoring data. The probe uses WMI queries for fetching event log details when hosted on operating systems earlier than Windows Server 2008.
Note: The WMI service must be enabled on the host system for this option to work.
WMI Timeout Interval Unit
Available Log Files
Provides a list of available log files, which you can select for monitoring. Select any of the log files and click the >> button to start monitoring. This option is available only for Vista and later versions of the Windows operating system (OS).
Log Files to be Monitored
Displays the list of log files being monitored by the probe. The Application, Security, and System log files are added by default and cannot be removed. However, you can add or remove other log files from the Available Log Files list view. This option is available for Vista and later versions of Windows OS only.
Note: The ntevl probe does not monitor the Debug and Analytic logs.
Profiles Tab
When you select the Profiles tab, the GUI is displayed which contains the list of profiles in the left pane and some sub tabs in the right pane. These sub tabs are used to configure the selected profile.
The Profiles tab contains the following fields:
<List>
Displays all the defined setup profiles. The check box to the left of the profile name must be checked to enable the profile. Select a profile to display/modify its parameters.
The first profile in the list is processed first and then the next one. Right-clicking in the list allows you to create, copy, delete profile, move up, and move down a profile.
Important! Do not use a slash (/) in the profile name; otherwise the probe trims the profile name from the slash (/) character and discards the profile properties. For example, if the profile name is My/Profile, then the probe saves only My as the profile name.
Description
A text string identifying the watcher.
The four sub tabs in the Profiles tab are listed below:
■ Event selection (see page 23)
■ Alarm / Post (see page 25)
Event Selection Tab
The Event Selection tab contains the following fields:
Event Selection Criteria
Defines the event selection criteria for filtering the event list and identifying the event for monitoring. An asterisk (*) in one of these fields means that the profile processes all log messages regardless of the contents in the field.
No Propagation of Events
Prevents an event that matches the selection criteria of one monitoring profile from being processed by the following profiles. This option helps avoid multiple alarms for the same event when it matches multiple profiles.
Note: The probe processes the monitoring profiles in their creation order. Right-click a profile and move it up or down to change the processing order.
Log
Specifies the log file from where the probe monitors the event. The event log files, which are selected in the Properties tab (see page 18) are displayed here.
Computer
Defines the computer name on which the event has occurred.
Note: You can use localhost in the Computer field to get only local messages.
You can also use both ranges and commas in the same entry, such as 1-5 and 9-20.
Source/Publisher Name
Defines the source or the publisher from where the event has logged.
Severity
Specifies the event severity.
Note: The audit success and audit failure severity options are applicable only for Windows earlier than Vista and 2007. Microsoft has moved these options to the keyword field from Windows Vista and 2007 onwards. The severity level of these events is shown as Informational in the event viewer. The current implementation of the ntevl probe does not support monitoring on the basis of the keyword field.
User
Defines the Windows user account for which the event is generated.
Category
Event ID
Defines the event ID you are monitoring. Use * for monitoring all events of the selected log file.
Note: The Event ID field does not support regular expressions.
Message String
Defines the alarm message text when the event selection criteria match an event.
Run Command on Match
Allows you to run the command when an event matches the selected criteria.
Command Executable
Specifies the command to execute when an event matches the profile. You can use the Browse button to configure a batch file path. For example, you can execute a script for sending an email to the support executive for resolving the issue.
Command Arguments
Defines the parameters which are required for executing the command or the batch file. For example, define the email ID of the support executive for sending an email. This field is optional.
Alarm / Post Tab
The Alarm / Post tab contains the following fields:
Send Alarm
If selected, sends an alarm message on recognition of an event log message.
Alarm Message
Creates/edits an alarm message for the selected profile, and you are allowed to use variables in the messages:
■ $profile: Name of the Profile for which alarm/QoS is generated.
■ $description: User-defined description.
■ $variable: User-defined variable.
■ $source: The source from where the event is logged, for example, [Service Control Manager].
■ $event_id: The ID of the particular event.
■ $category: Category name of the particular event, for example, [Management] and [Disk].
■ $log: The event log name, for example, [System] and [Application].
■ $severity: The severity level of the event.
■ $severity_str: The severity code name, for example, [error] and [information].
■ $user: Username of the event.
■ $computer: Host name of the system on which the event is generated.
■ $time_stamp: Date Timestamp when the event is generated.
■ $message: Message description available in the event logger.
■ $record_id: The record number which is assigned to the event when the event is logged.
■ $evlData: The variable $evlData can be used to get the data associated with the event. If no data is present, None is added to the message.
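The following is an added example, not code from the probe or from CA, showing how the $-variables listed above expand and how the Description Delimiter and Remove Recurring Delimiter settings of the Properties tab rewrite a multi-line event description. The event record, its field names and the timestamp format are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample event record (assumption: field names follow the
# $-variables documented for the Alarm Message field; not a captured event).
SAMPLE_EVENT = {
    "log": "System",
    "source": "Service Control Manager",
    "event_id": 7036,
    "category": "None",
    "severity": 4,
    "severity_str": "information",
    "user": "N/A",
    "computer": "WIN-EXAMPLE",
    "time_stamp": datetime(2014, 9, 1, 12, 0, 0),
    # Three text lines with one empty line, as in the Properties tab example.
    "message": "The Print Spooler service entered the stopped state.\n\n"
               "See the service log for details.\nContact the administrator.",
    "record_id": 12345,
    "data": None,
}


def apply_description_delimiter(message, delimiter="#", remove_recurring=True):
    """Replace each new line in the event description with the Description
    Delimiter. With Remove Recurring Delimiter set, an empty line (two new
    lines in a row) produces a single delimiter instead of two."""
    if len(delimiter) != 1 or not delimiter.isascii():
        raise ValueError("Description Delimiter must be one ASCII character")
    lines = message.split("\n")
    if remove_recurring:
        lines = [line for line in lines if line != ""]
    return f" {delimiter} ".join(lines)


def render_alarm_message(template, event, profile, description="",
                         variables=None, delimiter="#", remove_recurring=True):
    """Expand the $-variables of an Alarm Message template for one event.
    `variables` maps user-defined variable names (Variables tab) to their
    extracted values, so $<name> expands the way $variable does in the probe."""
    values = {
        "profile": profile,
        "description": description,
        "source": event["source"],
        "event_id": str(event["event_id"]),
        "category": event["category"],
        "log": event["log"],
        "severity": str(event["severity"]),
        "severity_str": event["severity_str"],
        "user": event["user"],
        "computer": event["computer"],
        "time_stamp": event["time_stamp"].strftime("%Y-%m-%d %H:%M:%S"),
        "message": apply_description_delimiter(event["message"], delimiter, remove_recurring),
        "record_id": str(event["record_id"]),
        # $evlData: the event data, or the literal None when the event carries none.
        "evlData": "None" if event.get("data") is None else str(event["data"]),
    }
    values.update(variables or {})

    def expand(match):
        # Unknown names are left untouched rather than silently blanked.
        return values.get(match.group(1), match.group(0))

    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", expand, template)


if __name__ == "__main__":
    template = "[$log] $source ($event_id) on $computer: $message"
    print(render_alarm_message(template, SAMPLE_EVENT, "allevents"))
```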
Level
Specifies the severity level of the generated alarms. You can select eventlog to use the same severity level as the event log message.
Note: The critical level is supported on Windows Server 2008 only, and for an error type event the probe generates a Minor severity alarm.
Subsystem
However, using any custom subsystem ID is not recommended as it can give an unexpected view of the QoS data on USM.
Set Suppression Key, Optional key
Activates the message suppression feature, which avoids multiple instances of the same alarm event (variables can be used). By default, the alarm description is used as the suppression key, and the probe sends only one alarm with the same description in one interval. You can also define a custom suppression key for suppressing the alarms.
If you want to receive separate alarms, clear this check box.
Time Frame
Defines the time interval during which the probe monitors the events and keeps the matching events in buffer. This field is different from Poll Interval which is configured in the Properties tab.
Event Count Operator
Defines the operator for thresholding the event count, which matches the profile during a given time frame.
Event Count
Defines the event count that is compared with the actual event count in the buffer; the probe generates an alarm when the threshold is breached.
For example, the Time Frame is 5 min, the Event Count Operator is > (greater than), and the Event Count is 4. The probe then scans the event log messages in slots of 5 min, and whenever the matching event count in a slot is more than 4, the probe generates an alarm.
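An added example, not the probe's own code, that models the Time Frame / Event Count Operator / Event Count logic together with the suppression key described above. It assumes that a time frame is a slot that starts with the first matching event, that > and >= are checked on every event while <, <= and = can only be decided when the slot is complete, and that events arrive in chronological order.

```python
import operator

# Event Count Operator choices (assumed to be the operators the field offers).
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "=": operator.eq}


class TimeFrameCounter:
    """Models one profile's Time Frame / Event Count Operator / Event Count.

    Matching events are buffered in slots of `time_frame` seconds; a slot
    starts with the first matching event after the previous slot ended.
    For > and >= the threshold is checked on every event (an alarm goes out
    as soon as the count is exceeded); for <, <= and = it can only be decided
    once the slot is complete. A suppression key (for example the alarm
    description or $source) yields at most one alarm per key per slot."""

    def __init__(self, profile, time_frame, op, count):
        if op not in OPERATORS:
            raise ValueError(f"unsupported Event Count Operator: {op}")
        self.profile = profile
        self.time_frame = time_frame
        self.op_name = op
        self.op = OPERATORS[op]
        self.count = count
        self.slot_start = None
        self.buffer = []          # timestamps of matching events in this slot
        self.suppressed = set()   # suppression keys already alarmed this slot
        self.alarms = []          # (slot_start, key, count_at_alarm)

    def _emit(self, key):
        if key in self.suppressed:
            return False          # same key already alarmed in this slot
        self.suppressed.add(key)
        self.alarms.append((self.slot_start, key, len(self.buffer)))
        return True

    def _close_slot(self):
        # Low-count conditions are only known once the slot is over.
        if self.op_name in ("<", "<=", "=") and self.op(len(self.buffer), self.count):
            self._emit(self.profile)
        self.slot_start = None
        self.buffer = []
        self.suppressed = set()

    def add_event(self, ts, key=None):
        """Record a matching event at epoch second `ts`; return True when an
        alarm is sent for it, False when none is due or it is suppressed."""
        if self.slot_start is not None and ts - self.slot_start >= self.time_frame:
            self._close_slot()
        if self.slot_start is None:
            self.slot_start = ts
        self.buffer.append(ts)
        if self.op_name in (">", ">=") and self.op(len(self.buffer), self.count):
            return self._emit(key if key is not None else self.profile)
        return False

    def finish(self):
        """Close the open slot (needed for <, <= and =) and return all alarms."""
        if self.slot_start is not None:
            self._close_slot()
        return self.alarms


if __name__ == "__main__":
    # Constructed timeline: six matching events within 5 minutes, then one later.
    counter = TimeFrameCounter("allerrors", time_frame=300, op=">", count=4)
    for ts in (0, 10, 20, 30, 40, 50, 400):
        print(ts, counter.add_event(ts))
    print(counter.finish())
```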
Post Message
Select this option if you want the event log message data to be posted as an alarm with the given subject.
Post Subject
Defines the custom message subject for the selected profile. This subject overrides the default subject, which is ntevl or as defined in the Default Post Subject field of the Properties tab.
You can use variables in the messages.
QoS Tab
The QoS tab contains the following fields:
Number of Events Found in Time Interval
Sends QoS messages on number of events detected within the specified time interval.
Time Interval
The time interval (in seconds) for event detection used by the QoS option described above. The default time frame value is 3600 seconds.
Variables Tab
The Variables tab is used for defining the variables with a set of conditions for each profile. These conditions populate the variable value on real time from the selected event log message. These variables are then used for generating the alarm messages.
Note: You can define multiple variables for each profile where each variable name is
The Variables tab contains the following fields:
Variable List
Lets you view the existing variables list and select any variable for editing the variable definition.
Field Separator
Defines a field separator character for the event message text. This field is useful for splitting the event message text into multiple columns and then using those column numbers in the Variable Settings dialog. For example, if your event message text is ABCD:EFGH:IJKL:MNOP and the separator is : (colon), then the probe splits the message text into four columns (1-4). You can use these column numbers to fetch the appropriate text into the variable.
Note: Non-English characters are not supported as a field separator.
Follow these steps to create a variable:
1. Select the profile check box on the left hand pane to activate it.
The Variable Settings dialog contains the following fields:
Name
Defines the name for the variable. Duplicate variable names are not allowed. By default, var is displayed.
Source Line
The source line of the variable on which the threshold alarm is defined. Select the FROM and TO positions.
Source FROM position
■ Extracting from a source file: Defines the position in the defined source line from which the variable is extracted, either a column or a character.
Source TO position
■ Extracting from a source file: Defines the position in the defined source line up to which the variable is extracted, either a column or a character.
■ Extracting from a match expression: Ignore 'to' is automatically selected (as the only valid option).
Threshold alarm definition
Operator
Select a comparison operator from the drop-down list. You can also select the RE option for using the regular expressions.
Note: The >, <, >=, and <= operators support only integer and float type values. These operators do not work with string values. The = operator only works with string values.
Threshold
Set the threshold value for the variable.
Example: If the threshold does not match the message description of an event, then the probe generates an alarm.
3. Enter and select the required fields and click OK.
The newly created variable is displayed in the Variables grid.
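An added example, not code from the probe or from CA, of the variable extraction described in this tab: splitting the event message on the Field Separator, cutting the variable out by column or character FROM/TO positions (with Ignore 'to'), and applying the operator type rules from the note above. How the comparison result feeds the alarm is left to the profile; the function names and the sample message are assumptions.

```python
import re

# Operators the Variables tab offers, with the documented type rules:
# >, <, >=, <= compare numbers only; = compares strings; RE is a regular expression.
NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def extract_variable(source_line, separator=None, from_pos=1, to_pos=None, by="column"):
    """Cut the variable text out of the event message (the source line).

    by="column": from_pos/to_pos are 1-based column numbers after splitting on
    the Field Separator (an ASCII character). by="character": they are
    1-based character positions. to_pos=None models 'Ignore to': everything
    from from_pos to the end of the line is taken."""
    if from_pos < 1:
        raise ValueError("positions are 1-based")
    if by == "column":
        if not separator:
            raise ValueError("a Field Separator is required for column extraction")
        if not separator.isascii():
            raise ValueError("non-English characters are not supported as a field separator")
        columns = source_line.split(separator)
        end = len(columns) if to_pos is None else to_pos
        return separator.join(columns[from_pos - 1:end])
    if by == "character":
        end = len(source_line) if to_pos is None else to_pos
        return source_line[from_pos - 1:end]
    raise ValueError(f"unknown extraction mode: {by}")


def _as_number(text):
    try:
        return float(text)
    except ValueError:
        return None


def threshold_matches(value, op, threshold):
    """Compare an extracted variable value against the threshold.

    Numeric operators never match when either side is not an integer or
    float, mirroring the note that they do not work with string values."""
    if op in NUMERIC_OPS:
        left, right = _as_number(value), _as_number(threshold)
        if left is None or right is None:
            return False
        return NUMERIC_OPS[op](left, right)
    if op == "=":
        return value == threshold
    if op == "RE":
        return re.search(threshold, value) is not None
    raise ValueError(f"unknown operator: {op}")


if __name__ == "__main__":
    # Constructed event message text; the third column carries a percentage.
    message = "DiskUsage:C:92:percent"
    usage = extract_variable(message, separator=":", from_pos=3, to_pos=3)
    print(usage, threshold_matches(usage, ">", "90"))
```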
Notes:
■ To edit a variable, right-click on it and select Edit option from the context menu.
■ To delete a variable, right-click on it and select Delete option from the context
Exclude Tab
The Exclude tab enables you to specify the profiles that should be excluded by the ntevl probe.
Follow these steps to create an entry:
1. Right-click in the left-hand section and select New from the context menu.
2. Enter a name for the entry and click OK.
The entry is added to the left-hand pane, and the fields in the right-hand pane are enabled.
The Exclude tab contains the following fields:
<List>
Shows all the defined exclude profiles. Select a profile to display/modify its parameters.
Event selection criteria
Specify regular expressions identifying the eventlog messages you are looking for. An asterisk (*) in one of these fields means all log messages regardless of the contents in the field.
Note: You can also use both ranges and commas in the same entry, such as 1-5, 9-20.
Events matching all the criteria in an exclude profile will be excluded from monitoring by the defined profiles.
The Event ID field does not support regular expressions. Use format as shown in the examples below:
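An added example (not the probe's own code) of how exclude profiles, monitoring profile order and No Propagation of Events combine, with the Event ID field parsed as ranges and commas rather than regular expressions. The profiles, the treatment of Severity as a text field and the event field names are assumptions; the localhost shorthand for the Computer field is not modelled.

```python
import re


def event_id_predicate(spec):
    """Turn an Event ID field value into a predicate over an integer ID.
    '*' matches every ID; otherwise the field takes ranges and commas such as
    '1-5, 9-20' and no regular expressions."""
    spec = spec.strip()
    if spec == "*":
        return lambda event_id: True
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(bound) for bound in part.split("-", 1))
            allowed.update(range(low, high + 1))
        else:
            allowed.add(int(part))
    return lambda event_id: event_id in allowed


# Selection-criteria fields that take '*' or a regular expression (assumed).
TEXT_FIELDS = ("log", "computer", "source", "severity", "user", "category", "message")


def field_matches(pattern, value):
    """'*' matches regardless of the field content; anything else is a regex."""
    return pattern == "*" or re.search(pattern, str(value)) is not None


def event_matches(criteria, event):
    """All given criteria must match (fields left out behave like '*')."""
    for field in TEXT_FIELDS:
        if field in criteria and not field_matches(criteria[field], event.get(field, "")):
            return False
    return event_id_predicate(criteria.get("event_id", "*"))(event["event_id"])


def evaluate(event, profiles, excludes):
    """Return the names of the monitoring profiles that act on the event.

    Exclude profiles are applied first: an event matching all criteria of any
    exclude profile is dropped. Monitoring profiles are then evaluated in
    list order; a profile with no_propagation set stops later profiles from
    seeing an event it matched, which is what prevents duplicate alarms."""
    if any(event_matches(exclude["criteria"], event) for exclude in excludes):
        return []
    hits = []
    for profile in profiles:
        if not profile.get("enabled", True):
            continue
        if event_matches(profile["criteria"], event):
            hits.append(profile["name"])
            if profile.get("no_propagation", False):
                break
    return hits


# Constructed profiles modelled on the three default profiles, ordered so the
# most specific one runs first and keeps its events from the others.
PROFILES = [
    {"name": "MSExchange event", "no_propagation": True,
     "criteria": {"source": "MSExchange", "severity": "Error"}},
    {"name": "allerrors", "criteria": {"severity": "Error"}},
    {"name": "allevents", "criteria": {}},
]
# Constructed exclude profile: drop System events 7030-7040 so that they raise
# no alarm from any monitoring profile.
EXCLUDES = [{"name": "noisy-scm", "criteria": {"log": "System", "event_id": "7030-7040"}}]

# Constructed events, not captured from a real host.
EVENTS = [
    {"log": "Application", "source": "MSExchangeIS", "severity": "Error", "event_id": 1002},
    {"log": "System", "source": "Disk", "severity": "Error", "event_id": 51},
    {"log": "Application", "source": "MSExchangeSA", "severity": "Information", "event_id": 9017},
    {"log": "System", "source": "Service Control Manager", "severity": "Information", "event_id": 7036},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["event_id"], evaluate(event, PROFILES, EXCLUDES))
```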
Language String Configuration Tab
The NT Event Log Monitoring probe displays all event severities as Information when deployed in a non-English locale. When the probe is installed on Windows Vista or Windows Server 2008 R2 or a later version, Windows returns the event severity strings in the specific locale, and the probe is not able to compare these values with the equivalent English strings.
The Language String Configuration tab lets you configure the locale-specific severity strings when the probe is deployed in a non-English locale. This tab contains the following fields:
Critical
Defines an appropriate string for identifying the event severity as Critical. For example, define critique for the French locale.
Information
Defines an appropriate string for identifying the event severity as Information. For example, define informations for the French locale.
Warning
Defines an appropriate string for identifying the event severity as Warning. For example, define avertissement for the French locale.
Verbose
Defines an appropriate string for identifying the event severity as Verbose. For example, define verbeux for the French locale.
Error
Defines an appropriate string for identifying the event severity as Error. For example, define erreur for the French locale.
Audit Success
Defines an appropriate string for identifying the event severity as Audit Success. For example, define Échec de l'audit for the French locale.
Audit Failure
Subsystems Configuration Tab
The Subsystems Configuration tab lists the existing alarm subsystem ID for each monitored log file. You can also define a new subsystem ID for any custom log file that is selected for monitoring. The default configuration of the probe monitors the Security, Application, and System log files, with the following subsystem IDs:
■ 1.1.11.1.1
■ 1.1.11.1.2
■ 1.1.11.1.3
Important! Do not delete or modify any of the default subsystem IDs.
You can right-click the subsystem ID list and select New to add a subsystem ID.
Subsystem Key
Defines a subsystem key for the appropriate log file. This key must be identical to the corresponding log file name and contain only lowercase characters. For example, use microsoft-iis-configuration/administrative for the Microsoft-IIS-Configuration/Administrative log file.
Subsystem Value
Defines a different alarm subsystem ID for each monitored log file. The recommendation is to use the default subsystem ID pattern (1.1.11.1.X) for other log files too. This pattern is mandatory to view the metric details under the Event Log node of the Unified Management Portal (UMP).
Note: You can also define an appropriate name of newly defined subsystem value in
Status Tab
The Status tab lets you view the events of the log files that are selected for monitoring in the Setup > Properties tab. This tab displays the latest events when the total event count is greater than the Maximum Events to Fetch field value. If the alarm list remains empty at start-up, click the Refresh button to fetch the event list. You can control the default behavior for fetching events by configuring the Fetch Alarms on Configurator Startup option in the Setup > Properties tab.
Important! The probe throws the Failed to get events error while fetching the event list when the event count is high, for example, 1000 or more. The actual event count varies with your system configuration and performance. In such a case, reduce the value of the Maximum Events to Fetch field in the Properties tab.
The following right-click menu selections are available:
■ Refresh: Fetch the event log messages again.
■ New profile: Create a monitoring profile using values from the current event.
■ Exclude from monitoring: Create an exclude profile using values from the current event.
Parameters in a Posted Message
The messages are posted to a table called EventLogMessages containing the following fields. Each parameter name is the configured column prefix followed by the field name:

Parameter                        Type        Value
column prefix + watcher          Text        The name of the profile finding the event log message
column prefix + log              Text        The event log containing the event
column prefix + severity         Text        The event type
column prefix + severity_str     Text        Event severity
column prefix + source           Text        Identification of the application generating the event
column prefix + category         Text        The event category
column prefix + event_id         Number      A numeric event identifier
column prefix + user             Text        The user running the application that generated the event
column prefix + computer         Text        The computer name on which the event was generated
column prefix + description      Text        Expanded event description
column prefix + data             Text        None
column prefix + time_stamp_epoc  Number      The time the event was generated
column prefix + time_stamp       Date/Time   The time the event was generated
column prefix + variable         Text        Value of the variable created in the profile

Note: One variable parameter is displayed for each variable created in the profile.
Chapter 5: Edit Probe Configuration
The following dialog appears:
The fields in the above dialog are explained below:
Probe
The probe name. This field is non-editable.
Type
The type of execution. By default, the timed option is selected.
You can deactivate the setting by de-selecting the Active check box.
Command
The process that will execute the reboot. By default, it is ntevl.exe.
Arguments
Optional arguments that can be passed to the probe. For the list of available arguments, see the Arguments (see page 41) section.
Working Directory
The probe's working directory path. By default, the path is \probes\system\reboot.
Configuration File
Data File
Specify the name of the probe data file, if required.
Time Specification
Specify the time range within which the probe activity should be carried out.
Execution
Specify the time interval at which the reboot should be executed. You can specify the start time or frequency (in minutes). Choose the Ignore option to nullify this field.
Group
Specifies the probe grouping. By default, it is Systemgroup.
Description
A brief description of the probe activity. By default, the description text is Windows NT Event Log watcher.
Log File
Name of the log file for the probe. By default, it is ntevl.log.
This section contains the following topics:
Arguments (see page 41)
Arguments
Parameter            Description
-p <port>            Communications port to use
-d <log level>       Set log level
-l <log file>        Specify log file
-e <evl log file>    File for logging internal messages
-c <config file>     File used for general and watcher setup
-f <position file>   File used for storing event log positions
-V                   Print version information
-z                   Set current event log positions
-Z                   Set current event log positions and run the probe normally
View Event Details
The probe configuration lets you view the event details that you are monitoring. These event details are used for deciding the monitoring parameters of the event.
Follow these steps:
1. Click the Status tab.
2. Select the event log file from the Event log drop-down list.
Note: The Event log drop-down list displays only those log files which are selected in the Log Files to be monitored list.
The probe displays the list of events which are available in the selected log file.
3. Double-click the appropriate event in the list.
The General tab of the Event Properties dialog displays the event description.
4. Click the Details tab for displaying the XML view of the event.
Note: The XML view is available with Windows Vista and Windows 2008 onwards only.
5. Click Close.
Regular Expression Construct Rules
Constructing regular expressions and pattern matching requires meta characters. The probe supports Perl Compatible Regular Expressions (PCRE), which are enclosed within forward slashes (/). For example, the expression /[0-9A-C]/ matches any character in the range 0 to 9 in the target string.
You can also use simple text with wild card operators for matching the target string. For example, the *test* expression matches the text test in the target string.
The following table lists various rules and constructs for creating regex and pattern matching. For each meta character it gives the description, an example for an expression enclosed with "/", and an example for an expression enclosed without "/".

1. [ ] (Square Brackets)
Description: Matches one character within square brackets at once.
Enclosed with "/":
■ [12]: matches first for 1 and if not found, matches for 2 in the target string.
■ [0123456789]: matches any character in the range 0 to 9 in the target string.
Enclosed without "/": [12]: matches for 12 in the target string.

2. - (Dash)
Description: Defines range for the target string when used within square brackets. For example, [0123456789] can be written as [0-9].
Enclosed with "/": [0-9A-C]: matches for 0 to 9 and A to C (but not a to c) in the target string.
Enclosed without "/": [0-9A-C]: matches the entire string [0-9A-C] with the target string.

3. ^ (Circumflex or Caret)
Description: Negates the expression when used within square brackets.
Enclosed with "/":
■ [^Ff]: matches for anything except upper or lower case of F.
■ [^a-z]: matches for anything except lower case a to z.
Enclosed without "/": [^Ff]: matches the entire

4. ^ (Circumflex or Caret)
Description: Matches the target string only at the beginning.
Enclosed with "/": ^Moz: matches for string beginning with Moz (Mozilla).
Enclosed without "/": ^Moz: matches the entire string with the target string.

5. $ (Dollar)
Description: Matches the target string only at the end.
Enclosed with "/": fox$: matches for silver fox.
Enclosed without "/": fox$: matches the entire string with the target string.

6. . (Period)
Description: Matches any character(s) following the expression.
Enclosed with "/": ton.: matches for tons, tone, and tonneau but not wanton.
Enclosed without "/": ton.: matches the entire string with the target string.

7. ? (Question)
Description: Matches the target string when the preceding character occurs for zero times or once.
Enclosed with "/": colou?r: matches for color (u is found 0 times) and colour (u is found 1 time).
Enclosed without "/": colou?r: matches the entire string with the target string.

8. * (Asterisk)
Description: Matches the target string when the preceding character occurs for zero times or more.
Enclosed with "/": tre*: matches for tree (e is found 2 times), tread (e is found 1 time), and trough (e is found 0 times).
Enclosed without "/": tre*: matches the entire string with the target string.

9. + (Plus or Addition)
Description: Matches the target string when the preceding character occurs for once or more.
Enclosed with "/": tre+: matches for tree (e is found 2 times), tread (e is found 1 time), but not trough (e is found 0 times).
Enclosed without "/": tre+: matches the entire string with the target string.

10. {n}
Description: Matches the target string when the preceding character occurs n times exactly.
Enclosed with "/": [0-9]{3}-[0-9]{4}: matches for 123-4567.
Enclosed without "/": [0-9]{3}-[0-9]{4}: matches the entire string with the target string.

11. {n,m}
Description: Matches the target string when the preceding character occurs at least n times but not more than m times.
Enclosed with "/": ba{2,3}b: matches for baab and baaab but not bab or baaaab.
Enclosed without "/": ba{2,3}b: matches the entire string with the target string.

12. {n, }
Description: Matches the target string when the preceding character occurs at least n times.
Enclosed with "/": ba{2,}b: matches for baab, baaab, and baaaab but not bab.
Enclosed without "/": ba{2,}b: matches the entire

13. \\ (Escape Sequence)
Description: Matches meta characters with literal.
Enclosed with "/": \\\\nimsoft: matches for \\nimsoft.
Enclosed without "/": \\nimsoft: matches the entire string with the target string.

14. / (Forward Slash)
Description: Matches meta characters with literal.
Enclosed with "/": //C/: matches for /C in target string /CATech.
Enclosed without "/": /C: matches the entire string with the target string.

15. "(" or ")"
Description: Matches meta characters with literal.
Enclosed with "/": \(s\): matches for (s) in the target string window(s).
Enclosed without "/": (s): matches the entire string with the target string.
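The following is an added example, not code from the CA guide or the ntevl probe. It models the two matching modes the rules above describe: an expression enclosed in forward slashes is treated as a regular expression that may match anywhere in the target, and any other expression is plain text matched against the whole target string. Python's re module stands in for the probe's PCRE engine (the constructs in the table behave the same in both), "*" is assumed to be the only wildcard handled in plain-text mode, and the test cases are constructed from the table's own examples.

```python
import re

# Added example (not the probe's own code): evaluate an ntevl-style expression
# against a target string using the two modes described in the rules table.
#   - "/.../"  : regex (PCRE-style); a match anywhere in the target counts.
#   - anything else: literal text matched against the entire target, with "*"
#     as a wildcard (assumption: "*" is the only wildcard handled here).


def ntevl_match(expression: str, target: str) -> bool:
    """Return True when `expression` matches `target` under the table's rules."""
    if len(expression) >= 2 and expression.startswith("/") and expression.endswith("/"):
        # Strip exactly one delimiter from each end; the rest is the regex.
        # This is why //C/ becomes the regex /C and matches "/CATech".
        return re.search(expression[1:-1], target) is not None
    # Plain text: escape every character, then let "*" match any run of text.
    # fullmatch enforces "matches the entire string with the target string".
    pattern = ".*".join(re.escape(part) for part in expression.split("*"))
    return re.fullmatch(pattern, target, re.DOTALL) is not None


# Constructed checks taken from the rules table: (expression, target, expected).
TABLE_CASES = [
    ("/[12]/", "1", True), ("/[12]/", "2", True), ("/[12]/", "3", False),
    ("/[0-9A-C]/", "a", False), ("/[0-9A-C]/", "B", True),
    ("/[^Ff]/", "F", False), ("/[^Ff]/", "g", True),
    ("/^Moz/", "Mozilla", True), ("/^Moz/", "MyMozilla", False),
    ("/fox$/", "silver fox", True), ("/fox$/", "foxes", False),
    ("/ton./", "tons", True), ("/ton./", "tonneau", True), ("/ton./", "wanton", False),
    ("/colou?r/", "color", True), ("/colou?r/", "colour", True),
    ("/tre*/", "trough", True), ("/tre+/", "trough", False), ("/tre+/", "tread", True),
    ("/[0-9]{3}-[0-9]{4}/", "123-4567", True),
    ("/ba{2,3}b/", "baaab", True), ("/ba{2,3}b/", "baaaab", False), ("/ba{2,3}b/", "bab", False),
    ("/ba{2,}b/", "baaaab", True), ("/ba{2,}b/", "bab", False),
    ("/\\\\nimsoft/", "\\nimsoft", True),   # escaped backslash matches one literal backslash
    ("//C/", "/CATech", True),               # the slash inside the regex is an ordinary character
    ("/\\(s\\)/", "window(s)", True),        # escaped parentheses are matched literally
    # Without delimiters the expression is literal text against the whole target.
    ("*test*", "a test string", True), ("test", "a test string", False),
    ("[12]", "[12]", True), ("[12]", "1", False),
    ("^Moz", "Mozilla", False), ("^Moz", "^Moz", True),
]


def check_table(cases=TABLE_CASES) -> list:
    """Return the (expression, target) pairs whose result disagrees with the table."""
    return [(e, t) for e, t, expected in cases if ntevl_match(e, t) != expected]


if __name__ == "__main__":
    bad = check_table()
    print("all table cases agree" if not bad else f"mismatches: {bad}")
```

The plain-text branch is the one that trips people up: because it is anchored to the whole target, test on its own does not match "a test string", while *test* does, which is exactly the distinction the rows above draw between an expression with and without the "/" delimiters.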
Chapter 6: Operation and Use
This section describes how to monitor the up and down status of multiple computers, using two profiles.
Create the two profiles UP status and DOWN status by selecting the Profiles tab, right-clicking in the Profile list and then selecting the New option. Select the Activate box for both profiles.
Follow these steps to configure the UP status profile:
1. Select the Event selection tab and specify the Event ID for the UP status (50002).
2. Select the Alarm/Post tab. Create an alarm message (e.g. $computer up) and select the severity level Clear.
3. Set a suppression key (e.g. $computer) to avoid multiple instances of the same alarm message.
4. Now, configure the DOWN status profile. For this, select the Event selection tab and specify the Event ID for the DOWN status (50001).
5. Select the Alarm/Post tab and create an alarm message (e.g. $computer down) and select the severity level Warning.
6. Set a suppression key (e.g. $computer) to avoid multiple instances of the same alarm message.
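To show how the pieces of the two profiles fit together, here is an added example that is not part of the CA guide or the ntevl probe. It models the profile evaluation in plain Python: Event ID selection picks the profile, $computer in the message and suppression key is expanded from the event's computer field, a repeated alarm under the same key is suppressed instead of re-sent, and the Clear-severity UP alarm closes the open DOWN alarm for that key. The Event IDs 50001 and 50002, the message texts and the severities are the guide's; the Profile and AlarmState classes, the helper names and the sample events are constructed for this illustration, and the exact suppression semantics are an assumption about how a suppression key behaves.

```python
import re
from dataclasses import dataclass, field

# Added example (not the probe's own code): a minimal model of the UP/DOWN
# status profiles from this chapter. Class and function names are constructed.


@dataclass
class Profile:
    name: str
    event_id: int           # Event selection tab: the Event ID this profile matches
    message: str            # Alarm/Post tab: alarm text, may contain $variables
    severity: str           # Alarm/Post tab: alarm severity
    suppression_key: str    # Alarm/Post tab: key that collapses repeated alarms


# The two profiles exactly as the chapter configures them.
PROFILES = [
    Profile("UP status",   50002, "$computer up",   "clear",   "$computer"),
    Profile("DOWN status", 50001, "$computer down", "warning", "$computer"),
]


def expand(template: str, event: dict) -> str:
    """Replace $name tokens with the matching event field; unknown names stay as-is."""
    return re.sub(r"\$(\w+)", lambda m: str(event.get(m.group(1), m.group(0))), template)


@dataclass
class AlarmState:
    open_alarms: dict = field(default_factory=dict)  # suppression key -> open severity
    sent: list = field(default_factory=list)         # (severity, message) actually forwarded
    suppressed: int = 0                              # repeats collapsed by the suppression key

    def process(self, event: dict) -> list:
        """Evaluate one event against all profiles; return the alarms it produced."""
        produced = []
        for profile in PROFILES:
            if event["event_id"] != profile.event_id:
                continue
            key = expand(profile.suppression_key, event)
            message = expand(profile.message, event)
            if profile.severity == "clear":
                # Assumption: a clear under an open key closes that alarm;
                # with nothing open for the key there is nothing to clear.
                if key in self.open_alarms:
                    del self.open_alarms[key]
                    produced.append((profile.severity, message))
            elif self.open_alarms.get(key) == profile.severity:
                # Same key, same severity: the existing alarm absorbs the repeat.
                self.suppressed += 1
            else:
                self.open_alarms[key] = profile.severity
                produced.append((profile.severity, message))
        self.sent.extend(produced)
        return produced


# Constructed sample events: only event_id and computer matter to these profiles.
SAMPLE_EVENTS = [
    {"event_id": 50001, "computer": "SRV01"},   # SRV01 down -> warning alarm
    {"event_id": 50001, "computer": "SRV01"},   # repeated down -> suppressed
    {"event_id": 50001, "computer": "SRV02"},   # SRV02 down -> separate key, new alarm
    {"event_id": 4624,  "computer": "SRV01"},   # unrelated Event ID -> no profile matches
    {"event_id": 50002, "computer": "SRV01"},   # SRV01 up -> clear closes the SRV01 alarm
]


def run_demo(events=SAMPLE_EVENTS) -> AlarmState:
    """Feed the sample events through both profiles and return the resulting state."""
    state = AlarmState()
    for ev in events:
        state.process(ev)
    return state


if __name__ == "__main__":
    s = run_demo()
    print("sent:", s.sent)                 # three alarms forwarded
    print("suppressed:", s.suppressed)     # one repeat collapsed
    print("still open:", s.open_alarms)    # only SRV02 remains down
```

Running it forwards SRV01 down, SRV02 down and SRV01 up, collapses the repeated SRV01 down into the open alarm, and leaves only the SRV02 alarm open; that is the behaviour the $computer suppression key is there to produce, and it is why both profiles must use the same key so that the UP alarm clears the matching DOWN alarm.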
Chapter 7: ntevl QoS Metrics
The following table describes the checkpoint metrics that can be configured using the ntevl probe:
Monitor Name Units Description
Chapter 8: Known Issues
The NT Event Log Monitoring probe has the following limitations:
■ The Raw Configure GUI of the probe is not supported for non-English locales because it can corrupt the probe configuration file. Use only the standard probe GUI for any updates.
■ The probe GUI can throw an error while viewing event details on the Status tab when the Maximum Events to Fetch field value is more than 1000. Follow these steps to resolve the issue:
1. Open the IM probe GUI.
2. Update the value of this field to 1000 or less (under the Setup > Properties tab).
3. Restart the probe.
■ If a monitoring profile contains locale-specific characters, then that monitoring profile cannot be viewed in any other locale from the IM probe GUI. You can use the Admin Console GUI to view the profile on a different locale.
■ The probe does not support monitoring of forwarded events.
■ Localization is not supported on the Windows IA64 platform.
■ Do not use the same profile name for the ntevl and adevl probes when they are deployed on the same robot.