IBM Enterprise Console manual Troubleshooting the Windows NT Event Log Adapter

Models: Enterprise Console


Troubleshooting the Windows NT Event Log Adapter

Perform the following steps to troubleshoot the Windows NT event log adapter:

1. Stop any Windows NT event log adapters that are currently running by pressing the Esc key in the command window session that is running the Windows NT event log adapter. Pressing the Ctrl+c key combination in the command window session that is running the Windows NT event log adapter also stops the adapter.

2. Start the adapter in debug mode: tecad_nt -d -c Config_File

3. Generate test events and see if the adapter receives them. Do this by starting and stopping a service that logs to the Windows NT Event Manager. For example, you can use Windows NT Control Panel Services to stop the FTP Server and then start it. This adds an event entry in the Windows NT Security Log that is picked up by the Windows NT event log adapter.

Another effective way to generate and monitor Windows NT events is to run the Windows NT User Manager application (located in the Administrative Tools folder). Select Audit from the Policies menu and choose from the different activities that Windows NT can monitor. You want these items to be audited and then picked up by the Windows NT event log adapter.

Yet another method is to set up an alert in Windows NT Performance Monitor (located in the Administrative Tools folder) to go off every 30 seconds when the CPU usage is less than 100%.

4. When events arrive, the adapter prints messages to the screen indicating the class and the attribute values in the class.

If you do not see any messages, the adapter is not receiving events from the Windows NT event logs.

For example, you should see a message that the FTP server has registered as a trusted login process. If you do not see this message, run the Windows NT User Manager application (located in the Administrative Tools folder), select Audit from the Policies menu, and choose Restart, Shutdown, and System events to be audited for Success and Failure. Then stop and restart the Windows NT FTP server as described in steps 1 and 2.

5. If you see the messages, the adapter is receiving events and processing them. Run the wtdumprl command on the event server and verify that the messages are actually showing up in the reception log. If not, the events were not received by the event server or there is a problem with the event server reception process. Check the adapter configuration file to verify that ServerLocation and ServerPort are properly defined. If the event class appears in any filter entry in the configuration file, it will not be sent to the event server. The administrator who started the adapter must have the required roles if you are running the TME version of the adapter. For a TME adapter, running the odstat command can offer some clues as to what failed.

6. If the reception log has a PARSING_FAILED error, the BAROC definition of the class does not match the event that is being received from the adapter. Usually the error messages pinpoint the problem.

7. If the previous steps do not indicate any problem and you do not see the new events in the IBM Tivoli Enterprise Console product, there might be a problem with the event group filters. Make sure the class filters match the classes in the BAROC files.

8. Change all /dev/null entries in the .err file to the file name you want. Stop and restart the adapter, send an event through, and then look in the trace file to see what processing was done on the event.
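
The configuration checks from step 5 can be scripted so that a silently dropped audit event is traced to the adapter configuration quickly. The following is an added example, not code from the IBM manual. It assumes the configuration file uses Keyword=value lines, # comments and Filter:Class=name;attribute=value entries; the sample configuration, host name and class names are constructed.

```python
# Added example: checks adapter configuration text for the step 5 conditions.
# Assumed layout: "Keyword=value" lines, "#" comments, "Filter:Class=<name>;..." entries.

SAMPLE_CONF = """\
# constructed sample, not a shipped configuration file
ServerLocation=tecserver.example.com
ServerPort=
Filter:Class=NT_Example_Noise
Filter:Class=NT_Example_Logon;severity=HARMLESS
"""


def parse_conf(text):
    """Return (settings dict, list of filter dicts) from configuration text."""
    settings, filters = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Filter:"):
            body = line[len("Filter:"):]
            pairs = (p.split("=", 1) for p in body.split(";") if "=" in p)
            filters.append({k.strip(): v.strip() for k, v in pairs})
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings, filters


def check_conf(text, event_class):
    """List the step 5 problems that would keep event_class from the event server."""
    settings, filters = parse_conf(text)
    problems = []
    for key in ("ServerLocation", "ServerPort"):
        if not settings.get(key):
            problems.append(f"{key} is missing or empty")
    for flt in filters:
        if flt.get("Class") == event_class:
            extra = {k: v for k, v in flt.items() if k != "Class"}
            scope = f"when {extra}" if extra else "for every event"
            problems.append(f"class {event_class} is filtered out {scope}")
    return problems


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF, "NT_Example_Noise"):
        print("PROBLEM:", problem)
```

An empty result means the configuration file is not the cause, and the next places to look are the reception log and the event group filters described in steps 5 through 7.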

Chapter 11. Windows NT Event Log Adapter 139
