IBM Enterprise Console manual Troubleshooting the UNIX Log File Adapter


hour. You can edit this rule to change the time or the list of classes. Refer to the IBM Tivoli Enterprise Console Rule Builder’s Guide for information about editing rules.

Logfile_Amd

Logfile_Cron

Logfile_Oserv

Logfile_Date_Set

The event server also comes with some additional rules that you can install. The $BINDIR/TME/TEC/contrib/rules/security directory contains the security_default.rls file, which provides the following behavior to the event server:

- When a host reports repeated login failures at least two times in a row, an e-mail is sent to the e-mail alias tec_security notifying the administrators of the attempted security breach. (The tec_security alias must be added to the e-mail alias file before the messages can be delivered.)

- A rule is included that closes the following event classes after one hour:

Repeated_Login_Failure

Repeated_Login_Failure_From

Root_Login_Success_From

Troubleshooting the UNIX Log File Adapter

Perform the following steps to troubleshoot the UNIX log file adapter:

1. Stop any UNIX log file adapters that are currently running:

init.tecad_logfile stop

2. Start the adapter in debug mode:

init.tecad_logfile -d start

3. Generate some messages to determine whether the adapter receives them. You can send e-mail, perform an su, or perform any other action that results in a write to syslog. Alternatively, use the logger program to generate a message:

logger -t oserv -i execve failed: path: errno 13

This generates an Oserv_Exec_Failed event (-t sets the syslog tag and -i adds the process ID to the logged line). The message written by logger must match one of the format specifications in the tecad_logfile.fmt file for the adapter to generate an event from it.

4. When events arrive, the adapter prints messages to the screen indicating the class and the attribute values in the class, for example:

matched CREATED_PROFILE_MANAGER name is 'Profile1'

If you do not see any messages, the adapter is not receiving events from the log file.

Verify that the syslogd daemon is running and is writing new messages to the system log files in /var/adm or its equivalent, or to the system console, depending on how syslog.conf has been configured to write out messages. For testing purposes, you can temporarily add the following line to syslog.conf:

*.info <Tab> <filename>

Here <Tab> is a literal tab character (traditional syslogd does not accept spaces between the selector and the action field) and <filename> is the file to write to. This writes every message of priority info or higher to that file so you can see what has arrived. The file grows large quickly, so make this a temporary change only. You must send SIGHUP to syslogd (for example, kill -HUP with its process ID) each time you change syslog.conf for the changes to take effect.
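The procedure above depends on the logged line matching a FORMAT specification in tecad_logfile.fmt. The following Python example, added here and not part of the manual or of the adapter, shows how such a match works by turning a small format excerpt into regular expressions and running constructed syslog lines through it. The excerpt is written in the style of a tecad_logfile.fmt file but is an assumption for this example, not a copy of a shipped file; it uses the tokens %t (syslog timestamp), %s (one word) and %s* (rest of line), and attribute lines of the form "hostname $2". The three log lines are constructed, including what syslogd writes for the logger command with and without -i. The first matching FORMAT in file order wins here; the real adapter's own selection rules are not reproduced.

```python
import re

# Constructed excerpt written in the style of a tecad_logfile.fmt file.
# Assumption for this example, not a copy of any shipped file.
# Tokens: %t = syslog timestamp, %s = one whitespace-delimited word,
# %s* = the rest of the line. "hostname $2" binds the 2nd token to hostname.
SAMPLE_FMT = """\
FORMAT Oserv_Exec_Failed
%t %s oserv[%s]: execve failed: path: errno %s
hostname $2
pid $3
errno $4
END

FORMAT Logfile_Base
%t %s %s*
hostname $2
msg $3
END
"""

# Constructed syslog lines, as syslogd would write them to /var/adm/messages.
# Line 1: logger -t oserv -i execve failed: path: errno 13   (-i adds the PID)
# Line 2: the same message sent without -i, so there is no "[pid]" part
# Line 3: a line that no FORMAT block describes
SAMPLE_LOG = [
    "Mar  4 10:15:32 host1 oserv[4321]: execve failed: path: errno 13",
    "Mar  4 10:15:45 host1 oserv: execve failed: path: errno 13",
    "not a syslog line at all",
]

TOKEN_RE = re.compile(r"%s\*|%s|%t")
TOKEN_REGEX = {
    "%t": r"(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})",  # e.g. "Mar  4 10:15:32"
    "%s": r"(\S+)",
    "%s*": r"(.*)",
}


def pattern_to_regex(pattern):
    """Turn a FORMAT pattern line into an anchored regex; literal text is escaped."""
    parts, pos = [], 0
    for tok in TOKEN_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))
        parts.append(TOKEN_REGEX[tok.group()])
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_fmt(text):
    """Parse FORMAT ... END blocks into (class, regex, {attribute: token index})."""
    formats = []
    lines = iter(text.splitlines())
    for line in lines:
        if not line.startswith("FORMAT "):
            continue
        class_name = line.split(None, 1)[1].strip()
        regex = pattern_to_regex(next(lines).rstrip())
        attrs = {}
        for spec in lines:
            spec = spec.strip()
            if spec == "END":
                break
            attr, ref = spec.split()
            attrs[attr] = int(ref.lstrip("$"))
        formats.append((class_name, regex, attrs))
    return formats


def match_line(formats, line):
    """Return the event dict for the first FORMAT whose pattern matches, else None."""
    for class_name, regex, attrs in formats:
        m = regex.match(line)
        if m:
            event = {"class": class_name}
            event.update({attr: m.group(i) for attr, i in attrs.items()})
            return event
    return None


def classify(fmt_text, log_lines):
    """Run every log line through the parsed format file; unmatched lines give None."""
    formats = parse_fmt(fmt_text)
    return [match_line(formats, line) for line in log_lines]


if __name__ == "__main__":
    for line, event in zip(SAMPLE_LOG, classify(SAMPLE_FMT, SAMPLE_LOG)):
        print(line)
        print("   ->", event if event else "no FORMAT matched")
```

The second line shows the point of the -i flag in the troubleshooting step: without the bracketed PID the line no longer fits the specific Oserv_Exec_Failed pattern and falls through to the generic catch-all, so the event you are waiting for never appears even though syslogd is writing the message.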

Chapter 9. UNIX Log File Adapter 109
