Manuals / IBM / Computer Equipment / Network Router

IBM Enterprise Console manual Format File, EventId, Source, EventType

Models: Enterprise Console

1 194

Download 194 pages 8.78 Kb

Page 143

Log Specifies one or more of the Windows NT event logs to prefilter. Valid values are System, Security, Application, or any combination of these separated by commas. The default is all three event logs.

EventId

Specifies the event number assigned by Windows NT. You can specify up to sixteen event numbers. Multiple event numbers must be separated by commas.

Source

The source that logged the event to the Windows NT event log. You can specify up to sixteen sources. Multiple sources must be separated by commas.

EventType

The classification of the event assigned by Windows NT. Valid values are as follows:

vError

vWarning

vInformation

vAuditSuccess

vAuditFailure

vUnknown

The following examples show prefiltering statements. The first statement is on multiple lines due to space restrictions.

PreFilter:Log=Application;Source=MyApp;EventId=1000,2000, \ 3000;EventType=Warning,Information;

PreFilter:Log=Security;

PreFilter:Log=Application;Source=TECNTAdapter;

Format File

The format file contains message format descriptions and their mapping to BAROC events. The message fields of a Windows NT event are matched against the format descriptions in this file and when a match succeeds, the corresponding event is generated by the adapter. The format file contains predefined mappings for some common Windows NT events and can be customized to add any new messages.

A Windows NT event is written to an ASCII message in the following sequence:

vThe date expressed as month, day, time, and year.

vThe event category, expressed as an integer.

vThe event type (Error, Warning, Information, AuditSuccess, AuditFailure, Unknown).

vThe Windows NT security ID; any spaces in this field are replaced by an underscore if the proper registry variable is set.

vThe Windows NT source; any spaces in this field are replaced by an underscore if the proper registry variable is set.

vThe Windows NT event identifier.

vThe message text.

The subfields, except the message text field, are derived from the event header in the Windows NT event object. The output message after formatting is bound

Chapter 11. Windows NT Event Log Adapter 131

Image 143

IBM Enterprise Console manual Format File, EventId, Source, EventType

Contents

GC32-0668-01 Adapters GuideIBM Tivoli Enterprise Console VersionPage GC32-0668-01 Adapters GuideIBM Tivoli Enterprise Console VersionFirst Edition September Chapter 1. Understanding Adapters ContentsPreface Chapter 2. AS/400 Alert Adapteriv IBM Tivoli Enterprise Console Adapters Guide Appendix C. Class Definition vi IBM Tivoli Enterprise Console Adapters Guide What This Guide Contains PrefaceWho Should Read This Guide Related Publications PublicationsIBM Tivoli Enterprise Console Library Prerequisite PublicationsConventions Used in this Guide Accessing Publications OnlineProviding Feedback about Publications Contacting Customer SupportMonospace Operating System-dependent Variables and Pathsbold ItalicsHow Events Get to the Event Server From an Endpoint Chapter 1. Understanding AdaptersAdapter Overview How Events Get Sent to the Event ServerThe TME adapters currently supported for an endpoint are the following How Events Get to the Event Server From a Non-TME Adapter Internationalization Support for EventsHow Events Get to the Event Server From a Managed Node Event Attributes Event InformationAttribute Name serverpath listofstrings Stores information describing the rule engines that an event hasv datereception v eventhandle v serverhandle Adapter FilesCache File Example Configuration FileFile Location File FormatBufEvtPath AdapterErrorFile=pathAdapterCdsFile=path BufEvtMaxSizeFilterMode FilterCachegetporttotaltimeoutusec getporttimeoutsecondsgetporttimeoutusec getporttotaltimeoutsecondsServerPort ServerLocation1. Set FilterMode to IN Event FilteringTestMode 1. Set FilterMode to IN Event Buffer Filtering2. Set BufferEvents to YES BAROC FileExample Example Rule FileFormat File ExampleExample Class Definition Statement FileUTILS Error Filemodulename errorlevel outputfile ERRORFETCH Initial FilesKERNEL SELECTManaged Node Adapters Troubleshooting AdaptersAdapter Startup Errors All Adapters22 IBM Tivoli Enterprise Console Adapters Guide Non-TME AdaptersQSYS.LIB/QUSRSYS.LIB/CFGALERT.FILE/ALRCDS.MBR The CDS file Chapter 2. AS/400 Alert AdapterAdapter Files QSYS.LIB/QUSRSYS.LIB/CFGALERT.FILE/ALRCFG.MBRBufEvtPath Configuration FileENDTECADP AdapterCdsFileKeywords SELECT Statement ExampleFETCH Statement Example Class Definition Statement File$ALERTCDPT Configuring the AS/400 Alert Filters Default Alert FilterPERMANENT, TEMPORARY, or IMPENDING PROBLEM $HOSTNAME $ADAPTERHOSTSNANODECRTDTAQ DTAQlibrary/name TYPE*STD MAXLEN592 FORCE*NO SEQ*FIFO Integrating with an Existing Alert FilterStarting the Adapter DESCRIPTION AuthorizationSTRTECADP SYNOPSISStopping the Adapter Authorization ENDTECADPContext CommentsENDTECADP EVTADPALERTADP ExamplesENDTECADP EVTADPMYCFG OPTION*CNTRLD DELAY60 Event Class Events ListingEvent Class Structure Default EventSeverity Default EventEvent Class Alert Type Troubleshooting the AS/400 AdapterDefault Severity Adding an Autostart Job to QSYSWRK Logging Events in Test ModeTCP/IP Considerations Starting an AS/400 Adapter after an IPLQSECOFR Changing the AS/400 Startup ProgramMultiple AS/400 Alert Adapters To create the configuration file, perform the following steps Configuration File38 IBM Tivoli Enterprise Console Adapters Guide POSTEMSGContext ExamplesQSYS.LIB/QUSRSYS.LIB/CFGMSG.FILE/MSGCDS.MBR The CDS file Chapter 3. AS/400 Message AdapterAdapter Files QSYS.LIB/QUSRSYS.LIB/CFGMSG.FILE/MSGCFG.MBR40 IBM Tivoli Enterprise Console Adapters Guide Configuration FileAdapterCdsFile JobDescriptionFETCH Statement Example MAP Statement ExampleClass Definition Statement File SELECT Statement ExampleIMMED $ADAPTERHOST$ALERTOPTION DEFER$MSGSEVERITY $MSGFILENAME$MSGFILELIBRARY $MSGLIBRARYUSED$SUBORIGIN $SENDPROGRAMNAME$SENDTIME $SENDUSERPROFILEStarting the Adapter Comments FlagsAuthorization STRTECADPChapter 3. AS/400 Message Adapter Stopping the AdapterENDTECADP AuthorizationENDTECADP EVTADPname *ALL OPTION*CNTRLD *IMMED DELAYseconds DELAYsecondsENDTECADP EVTADPSYSOPR ENDTECADP EVTADPMYAPP OPTION*CNTRLD DELAY60Examples hostname Events ListingEvent Class Structure subsourceWRKJOB JOBname Troubleshooting the AS/400 AdapterLogging Events in Test Mode TCP/IP ConsiderationsChanging the AS/400 Startup Program Starting an AS/400 Adapter after an IPLAdding an Autostart Job to QSYSWRK DONE RETURN CHGVAR VAR&CPYR VALUE&CPYR ENDPGM Using FTP to Execute AS/400 CommandsMultiple AS/400 Message Queues Configuration File54 IBM Tivoli Enterprise Console Adapters Guide Adapter Files Chapter 4. NetWare Log File AdapterNetWare Log File Adapter Reference Information Error FileEventId Prefiltering NetWare EventsConfiguration File SourcePreFilterMode Format FilePollInterval PreFilternwmsgid Events ListingEvent Class Structure nwmsgversionalertclass alertlocus60 IBM Tivoli Enterprise Console Adapters Guide The following NetWare events are defined in the BAROC fileTECADNW4.NLM Examples tecadnw4.nlmFlags DescriptionTroubleshooting the NetWare Log File Adapter 64 IBM Tivoli Enterprise Console Adapters Guide Determining the OpenView NNM Version Chapter 5. OpenView AdapterOpenView Driver Reception of OpenView Messagesagent-addr Incoming Messages FormatEvent Correlation With NNM enterpriseChapter 5. OpenView Adapter Determining the OVsnmpEventOpen Filter ValueTesting Event Correlation With NNM Testing ToolsThis trace file is located in $OVLOG/ecs/ecs-instance#/ecsin.evt# Event Correlation ExampleAdapter Files WellBehavedDaemon OpenView Event ExampleClass Definition Statement File HPOVFilter=filter$ENTERPRISE Object Identifier FileKeywords $COMMUNITYname object identifier LRF FileStarting and Stopping the Adapter Error Filesubsource Events ListingEvent Class Structure sourceEvent Class Default SeverityNode Marginal OpenView Traps SNMP TrapsOpenView Traps 50462720 Warnings50790403 Troubleshooting the OpenView Adapter50790402 Segment Marginal78 IBM Tivoli Enterprise Console Adapters Guide The adapter installation assist executable file Chapter 6. OS/2 AdapterConfiguration File install.exeUnmatchLog Format FileStarting the Adapter source OS2 subsource OS2 Stopping the AdapterEvents Listing Event Class StructureTroubleshooting the OS/2 Adapter Reception of SNMP Messages Server ConfigurationChapter 7. SNMP Adapter SNMP DriverKeywords SNMP Event ExampleConfiguration File Class Definition Statement File$AGENTADDR Error FileObject Identifier File Starting and Stopping the AdapterEvents Listing Cold StartWarm Start Stopping the AdapterProxy agent that forwarded the event to the adapter adapterhostHost on which the adapter runs forwardingagentEnterprise-specific Traps Rules ListingSNMP Traps Generic Traps v tecadsnmp.baroc v tecadsnmp.cds v tecadsnmp.oid Creating a New SNMP Trap EventBAROC File Changes 90 IBM Tivoli Enterprise Console Adapters Guide Agent-independent DataSYNTAX INTEGER 0..4294967295 ACCESS not-accessible Page Class Definition Statement File Changes Object Identifier File Changes Troubleshooting the SNMP Adapter94 IBM Tivoli Enterprise Console Adapters Guide c configurationfileExample Chapter 8. IBM Tivoli Enterprise Console GatewaysControlling Event Traffic at the Gateway 3. Calculate the value for the EventSendThreshold keyword Microsoft Windows Worksheets and CalculationsConfiguration File UNIX$TIVOLIHOME/tec/$ACTYPE.cache@ EventServer#region on endpoints tec/gatewaycache@EventServer#tmr-centralUNIX /etc/Tivoli/tec/cache@EventServer#region Windows $DBDIR/cache.dat@EventServer#region on managed nodesMaxGWCacheSizeMegs GatewayTMEAckEnabledGatewayQueueSize GatewaySendIntervalThe default value is @EventServer Starting the Adapter Event Server ConfigurationChapter 9. UNIX Log File Adapter init.tecadlogfile -s start stop AdapterID Running Multiple UNIX Log File AdaptersStopping the Adapter tecadlogfile.cfg Configuration Filelogdefault.rls Adapter FilesEvents Listing Error FileFormat File Class Definition Statement FileEvent Class Default Severity106 IBM Tivoli Enterprise Console Adapters Guide Default SeverityEvent Class Event Class Default SeverityPrinterPaperOut PrinterTonerLow PrinterOffline PrinterOutputFull Default RulesPrinterPaperOut PrinterTonerLow PrinterOffline PrinterOutputFull PrinterPaperJam PrinterDoorOpenLogfileAmd LogfileCron LogfileOserv LogfileDateSet Troubleshooting the UNIX Log File AdapterRepeatedLoginFailure RepeatedLoginFailureFrom RootLoginSuccessFrom 110 IBM Tivoli Enterprise Console Adapters Guide tecadwins.exe Chapter 10. Windows Event Log AdapterAdapter Files tecinstlwin.cmdHostnameIsAdapterHost Configuration FileDEFAULT tecadwin.barocPreFilterLog=lognameEventId=value EventType=valueSource=value NumEventsToCatchUpPreFilterLog=ApplicationSource=re’TEC.*’ SpaceReplacementPreFilterMode WINEVENTLOGSEventId Prefiltering Windows Log EventsSource Jan 15 150619 1998 0 Error N/A ServiceControlManager 7024 \The UPS service terminated with service-specific error Format FileDirectoryEventsProcessed Registry VariablesApplicationEventsProcessed ApplicationEventsProcessedTimeStampFileReplicationEventsProcessed DirectoryEventsProcessedTimeStampDNSEventsProcessed DNSEventsProcessedTimeStampSystemEventsProcessed Low Memory Registry VariablesTECInstallPath SecurityEventsProcessedTimeStampStarting the Adapter Adapter Administrator Roles for Windows1. Select Create Administrators from the Administrators icon 3. Type in SYSTEM in the Set Login Names dialoghostname Event Class Structuresource NT subsourceNTPrinterWasSet tecadwin Command EXAMPLES tecadwinSYNOPSIS DESCRIPTIONTroubleshooting the Windows Event Log Adapter 126 IBM Tivoli Enterprise Console Adapters Guide Adapter Files Chapter 11. Windows NT Event Log Adaptertecadnt.err Configuration FileThe error file DEFAULTChapter 11. Windows NT Event Log Adapter HKEYLOCALMACHINE\SYSTEM\ CurrentControlSet\Services\ TECNTAdapter\NumEventsToCatchUp PreFilterLog=lognameEventId=valueEventType=valueSource=value130 IBM Tivoli Enterprise Console Adapters Guide Prefiltering Windows NT Log EventsSpaceReplacement PreFilterModeEventType Format FileEventId Source132 IBM Tivoli Enterprise Console Adapters Guide Non-English Format FilesRegistry Variables ApplicationEventsProcessedSecurityEventsProcessed TECInstallPathApplicationEventsProcessedTimeStamp PollingIntervalLow Memory Registry Variables Adapter Administrator Roles for Windows NT1. Select Create Administrators from the Administrators icon 3. Type in SYSTEM in the Set Login Names dialogEvent Class Structure Starting the AdapterStopping the Adapter Events Listing136 IBM Tivoli Enterprise Console Adapters Guide Default SeverityEvent Class tecadnt Command c ConfigFile tecadnttecadnt.exe -d -c ConfigFile -L none EventLog Authorization none ArgumentsTroubleshooting the Windows NT Event Log Adapter 140 IBM Tivoli Enterprise Console Adapters Guide Appendix A. Files Shipped with Adapters 142 IBM Tivoli Enterprise Console Adapters Guide Appendix A. Files Shipped with Adapters 144 IBM Tivoli Enterprise Console Adapters Guide Format File Location Appendix B. Format File Referencev %lengths Format Specificationsv %t Log File Examplev %lengths v %lengths+on on su ’su su ’susucceeded for succeeded for Mappings Windows NT ExampleLABEL keyword DEFAULT keywordstring constant PRINTF statementAdditional Mapping Considerations The following list describes how values were assigned UNIX log file Activating Changes Made with a Format FileGenerating a New Class Definition Statement File for a TME Adapter NetWare log fileUNIX log file Windows event logWindows NT event log NetWare log fileOperators Appendix C. Class Definition Statement File ReferenceFile Format FETCH Class Definition Statement File DetailsSELECT Note AS/400 adapters do not support KEY parts in CDS files 1$TYPE=4 FETCH Statement1 ATTR=,$TYPE,VALUE=,4 nexpression MAPDEFAULT StatementMAP Statement Examplename objectidentifier Object Identifier to Name TranslationSELECT Class Definition Statement File Syntax Diagramskeydecl = KEY ’’ kop ’,’ vopval ’’ aop = ’=’ PREFIX SUFFIX EXISTS Page 164 IBM Tivoli Enterprise Console Adapters Guide Notices IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A Notices Trademarks168 IBM Tivoli Enterprise Console Adapters Guide Obsolete term for GlossaryPage 5, 6 Index Special characters10, 24 CDS file keywords continued Page files continued Page Page TCP/IP continued Page 180 IBM Tivoli Enterprise Console Adapters Guide Page GC32-0668-01 Program Number 5698-TEC Printed in U.S.A