IBM Enterprise Console - Manuals

Format File . . . . . . . . . . . . . 131 Non-English Format Files . . . . . . . 132 Registry Variables . . . . . . . . . . . . 132 Low Memory Registry Variables . . . . . . 134 Adapter Administrator Roles for Windows NT . . 134 Starting the Adapter . . . . . . . . . . . 135 Stopping the Adapter. . ...

Preface The IBM ® Tivoli Enterprise Console ® Adapters Guide provides detailed descriptions for the currently available IBM Tivoli ® Enterprise Console adapters. Who Should Read This Guide This guide is for IBM Tivoli Enterprise Console administrators who configure eventadapters and IBM Tivoli Enter...

Publications This section lists publications in the IBM Tivoli Enterprise Console library and anyother related documents. It also describes how to access Tivoli publications onlineand how to make comments on Tivoli publications. IBM Tivoli Enterprise Console Library The following documents are avail...

Accessing Publications Online Publications in the product libraries are included in PDF or HTML formats, orboth, on the product CD. To access publications using a Web browser, open theinfocenter.html file, which is located in the appropriate publications directory onthe product CD. When IBM publishe...

other information that you must use literally appear in bold.Names of windows, dialogs, and other controls also appear inbold . Italics Variables and values that you must provide appear in italics. Wordsand phrases that are emphasized also appear in italics. Monospace Code examples, output, and syst...

Chapter 1. Understanding Adapters Event adapters are software programs that collect information, perform localfiltering, and convert relevant events into a format that can be used by the IBMTivoli Enterprise Console product. Because adapters are located on or near theirevent sources and can perform ...

The following figure shows an example of the IBM Tivoli Enterprise Consoleproduct and Tivoli Management Framework component relationships in a networkwith endpoints. How Events Get to the Event Server From a Managed Node For network management OpenView adapters, events are sent from the managednode ...

The event server can receive events in both UTF-8 encoding or the encoding of theevent server host. The event server automatically determines the type of encoding(UTF-8 or non-UTF-8) of an event by evaluating a particular flag in the event data. The adapter automatically reads the format file from t...

Attribute Name Contents status The status of an event. It is initially set to OPEN or to a defaultvalue specified by the event class. Possible values during an eventlifetime are as follows: ACK An administrator or rule has acknowledged the event. CLOSED An administrator or rule has fixed the problem...

File Type Description Configuration Defines configuration options for adapters. Error Defines error logging and tracing options for theadapter. Format Defines the format of messages and matches them toevent classes for the UNIX log file, NetWare log file,OS/2, and Windows and Windows NT event logada...

The boundaries between events in the cache file are indicated by a terminating ^Acharacter at the end of each event. Configuration File Most adapters come with a configuration file containing configuration options andfilters. This file is read by an adapter when it is started. By modifying this file...

Some adapters have additional keywords specific to them. See each specificadapter chapter for descriptions of these keywords. Adapters do not issue errormessages for misspelled keywords or keywords set to a value that is not valid. Donot use blank spaces in keyword statements unless enclosed in sing...

For information about how to use filtering keywords to send, cache, anddiscard events, see “Event Filtering” on page 14. This keyword is optional. getport_timeout_seconds Specifies the number of seconds to wait before re-sending the UDP call fora port, if no response is heard. It re-transmits until ...

This option allows an adapter to send all events to the primary eventserver even if the primary event server is stopped briefly, such as whenloading a new rule base. If you use this option to wait for restarting an event server, set the valuefor a period of time longer than necessary for the event s...

non-TME adapters that send events to a Windows event server or a TivoliAvailability Intermediate Manager (AIM), specify one value for each eventserver defined with the ServerLocation keyword. The ServerPort keyword is optional when the event server is running onUNIX, but mandatory when running on Wi...

Regular Expressions in Filters: You can also use Tcl regular expressions in filtering statements. The format of a regular expression is re:’ value_fragment ’ . Note: Tivoli Event Integration Facility uses an exception to the Tcl regularexpression syntax. The backslash character ( \ ) in Tivoli Event...

3. Create Filter and FilterCache statements to match the specific events thatyou want cached. v To discard specific events: 1. Set FilterMode to OUT. 2. Create Filter and FilterCache statements to match the specific events thatyou want discarded. v To cache all events (the default behavior): 1. Set ...

Rule File Some adapters come with a rule file describing the classes of events the adaptersupports. This file is not used by the adapter itself, but serves as a mandatory linkbetween the adapter and the event server. The event server must load this filebefore it is able to understand events received...

-date1 $1 -date2 $2 date PRINTF("%s %s", date1, date2) ENDFORMAT NT_Share_Dir_Missing FOLLOWS NT_Base %t %s %s %s %s %s %s The server service was unable to recreate the share %s because the directory %s no longer exists. sharename $8 directoryname $9 ENDFORMAT NT_Service_Start FOLLOWS NT_Bas...

4: ATTR(=,"ifDescr"); 5: ATTR(=,"ifType"); 6: ATTR(=,"locIfReason"); FETCH 1: IPNAME($SOURCE_ADDR); MAP hostname = $F1; sub_origin = $V4; status = CLOSED; interface_index = $V3; interface_description = $V4; interface_type = $V5; reason = $V6; END Error File It is possible to ...

KERNEL A general kernel operation. SELECT A selection process. FETCH A fetch process. MAP A mapping process. DRIVER A driver main program. DRVSPEC An SNMP specific driver part. TECIO An event server I/O. error_level Specifies the type of error to look for or the type of trace toperform. Valid values...

Troubleshooting Adapters The following sections list troubleshooting guidelines for the different types ofadapters. Adapter Startup Errors If the adapter fails to start, look in the /tmp directory for the tecadEH.log file. Youmight be able to learn why the adapter failed from reading this file. The ...

The AS/400 adapter package also consists of the following commands, which arecopied into QSYS upon installation of the product: STRTECADP Starts an AS/400 adapter. ENDTECADP Ends an AS/400 adapter. Before starting the event server and an AS/400 alert adapter, check theconfiguration file to determine...

JobDescription Specifies an AS/400 job description that is to be used whenstarting the adapter. The default is QGPL/QDFTJOBD. LanguageID Specifies the AS/400 language ID in which alerts are to be sent tothe event server. If a value is specified for this keyword, theAS/400 secondary language must be ...

If you use the default filter provided, copy it into library QUSRSYS and modify itthere. Integrating with an Existing Alert Filter You might have alert filters that are already in use on your AS/400 system. Thesefilters have been set up with the appropriate selection and action entries to filteraler...

STRTECADP Starts an AS/400 adapter. SYNOPSIS STRTECADP EVTADP (name) CFGFILE(filename) DESCRIPTION The AS/400 adapter runs as a batch job. The STRTECADP command starts anAS/400 adapter. Authorization QSYSOPR *USE PUBLIC *EXCLUDE Note: To grant other users authority to this command, use the following...

Stopping the Adapter The AS/400 adapter includes the ENDTECADP command that enables you to stopadapters individually or to stop all started adapters. The command is described onthe following pages. Chapter 2. AS/400 Alert Adapter 29

ENDTECADP Stops the AS/400 adapter. Context ENDTECADP EVTADP (name | *ALL) [OPTION(*CNTRLD | *IMMED)] [DELAY(seconds)] Comments The AS/400 adapter runs as a batch job. The ENDTECADP command stops anAS/400 adapter. Authorization QSYSOPR *USE PUBLIC *EXCLUDE Note: To grant other users authority to thi...

Examples The following command stops the AS/400 alert adapter, started with the adaptername ALERTADP. ENDTECADP EVTADP(ALERTADP) The following command stops the AS/400 alert adapter, started with the adaptername MYCFG, in a controlled manner with a delay time of 60 seconds. ENDTECADP EVTADP(MYCFG) O...

You can set the severity of an AS/400 alert event on the event console as follows,based on the AS/400 alert type field specified in the message description: Alert Type Default Severity 01 (permanent loss of availability) CRITICAL 04 (operator intervention required) CRITICAL 09 (unavailable network c...

Logging Events in Test Mode The file to which events are logged in test mode (instead of being sent to an eventserver) is created with a record length of 240 bytes if it does not exist. Because anevent written to this file does not wrap to a new line if it is longer than 240 bytes,it is truncated. T...

CRTJOBD JOBD(QGPL/STARTADP) JOBQ(QSYSNOMAX) TEXT(’Start TEC adapter after IPL.’) RQSDTA(’CALL QGPL/STRADPCL’) 3. Add an auto start job entry in QSYSWRK using the previous job description: ADDAJE SBSD(QSYSWRK) JOB(TECAMSGQ) JOBD(QGPL/STARTADP) This program runs at the start of QSYSWRK subsystem and e...

Configuration File To create the configuration file, perform the following steps: 1. Copy the adapter files using the following commands: CPYF FROMFILE(QUSRSYS/CFG_ALERT) TOFILE(QUSRSYS/MYFILE) FROMMBR(*ALL) TOMBR(*FROMMBR) CRTFILE(*YES) 2. Update the configuration file to show the keywords pointing...

A backup copy of each of these files also resides in the CFG_MSG file in libraryQTMETECA01 . Before starting the event server and an AS/400 message adapter, check theconfiguration file to determine if it defines the preferred adapter behavior. Configuration File The configuration file for the AS/400...

STRTECADP Starts an AS/400 adapter. Flags STRTECADP EVTADP (name) CFGFILE(filename) Comments The AS/400 adapters run as a batch job. The STRTECADP command starts anAS/400 adapter. Authorization QSYSOPR *USE PUBLIC *EXCLUDE To grant other users authority to this command, use the following commands on...

ENDTECADP Stops the AS/400 adapter. Context ENDTECADP EVTADP (name | *ALL) [OPTION(*CNTRLD | *IMMED)] [DELAY(seconds)] Comments The AS/400 adapters run as a batch job. The ENDTECADP command stops anAS/400 adapter. Authorization QSYSOPR *USE PUBLIC *EXCLUDE To grant other users authority to this comm...

Events Listing The following shows the class names and severities of all events defined for theAS/400 message adapter. You can use it to get a sense of how AS/400 messagesare mapped to IBM Tivoli Enterprise Console events and to determine if you wantto make any changes. The events are defined in the...

Troubleshooting the AS/400 Adapter If a problem occurs with the AS/400 adapter, you can perform problemdetermination by investigating the job the adapter is running in. Each time youstart an AS/400 adapter, a batch job is started. You can view the adapter job byissuing the following command: WRKJOB ...

Starting an AS/400 Adapter after an IPL Two methods can be used to automatically start an AS/400 message adapter afteran IPL: v Adding an autostart job to a job queue v Modifying the AS/400 start-up program to call the STRTECADP command Adding an Autostart Job to QSYSWRK 1. Create a CL program that ...

DONE: RETURN CHGVAR VAR(&CPYR) VALUE(&CPYR) ENDPGM 3. Create the program and put it in the QSYS library: CRTCLPGM PGM(QSYS/program-name) SRCFILE(QGPL/QCLSRC) SRCMBR(program-name) Note: The start-up program runs under user profile QPGMR. By default,QPGMR does not have authority to change the ...

Chapter 4. NetWare Log File Adapter The following sections contain reference information about the NetWare log fileadapter. NetWare Log File Adapter Reference Information The log file adapter for NetWare forwards events from a NetWare server to theevent server. The NetWare log file adapter can be re...

Prefiltering NetWare Events You can improve the performance of the NetWare log file adapter by filteringevents, so that only important events are processed. This is called prefiltering andapplies only to events logged to the SYS$LOG.ERR file. To use the prefiltering mechanism, you specify the prefil...

previous line count is read. For example, the file has one line. After thepoll interval elapses, the file is overwritten with two lines. Only the secondline is read on the next polling. The adapter polls the SYS:SYTEM\SYS$LOG.ERR file by default.Additional files can be specified with the LogSources ...

The following example shows a formatted IBM Tivoli Enterprise Console eventderived from an error message issued by the NetWare Directory Service (DS): 7-16-98 5:08:46 pm:DS-5.73-12 Severity=10 Locus=2 Class=5 Synthetic Time is being issued on partition “NOVELL_TREE.” For details about format files, ...

Alert_class NetWare Definition 6 System failure 7 Request error 8 Not found 9 Bad format 10 Locked 11 Media failure 12 Item exists 13 Station failure 14 Limit exceeded 15 Configuration error 16 Limit almost exceeded 17 Security audit information 18 Disk information 19 General information 20 File com...

tecadnw4.nlm Starts the NetWare log file adapter in non-service mode. Flags Load tecadnw4 [–c ConfigFile] [–d] Description Loading tecadnw4.nlm starts the adapter. To stop the adapter, run the followingfrom the command line: unload tecadnw4 Authorization: None is required. Arguments: –c ConfigFile S...

Troubleshooting the NetWare Log File Adapter Perform the following steps to troubleshoot the NetWare log file adapter: 1. Stop the NetWare log file adapter that is currently running by unloadingtecadnw4.nlm : unload tecadnw4 2. Start the adapter in debug mode: load tecadnw4 -d -c Config_File 3. Gene...

Chapter 5. OpenView Adapter The IBM Tivoli Enterprise Console adapter for the Hewlett-Packard OpenView(HPOV) product forwards events from OpenView to the event server. The adapteris registered with the startup configuration of the OpenView operating systemusing ovaddobj, so it is started along with ...

Incoming Messages Format Messages received from the ovtrapd process consist of SNMP Trap-PDUs asdefined in RFC 1157 (SNMPv l). OpenView-specific events are defined as enterprise-specific traps and have thefollowing content: enterprise 1.3.6.1.4.1.11.2.17 for OpenView events agent-addr SNMP agent or ...

on the adapter in proportion to the number of events discarded by the NNMcircuit settings and therefore not forwarded to the adapter. If you are runningNNM 5 or earlier, the adapter calls OVsnmpTrapOpen to open a session; withNNM 6 or later, the adapter calls OVsnmpEventOpen. Only OVsnmpEventOpenall...

v Example 2: Adapter tracing is turned on by specifying output files in the .err file instead of /dev/null.You can find the NNM version and the specified filter value in the messagesdisplayed when you start the adapter. The messages are similar to the followingexample: Initializing T/EC interface .....

v To find details about event arrivals for the circuits and streams, use thefollowing command: ecsmgr -stats v To turn on tracing to see the OpenView events received, use the followingcommand: ecsmgr -log_events input on This trace file is located in $OV_LOG/ecs/<ecs-instance#>/ecsin.evt# v To...

Adapter Files The OpenView adapter package consists of the following files in the followingdirectories: v $TECADHOME/bin tecad_hpov.cfg The installation configuration script. tecad_hpov The adapter executable file. tecad_hpov.sh The adapter shell script to set the environment and call the adapterexe...

HPOVFilter= filter Specifies the events the adapter receives from OpenView NNM 6. Thisvalue is ignored with OpenView NNM 5. The adapter can accept up to4096 bytes for this parameter; you must enter the value in one continuousline of input with no intervening line returns. Do not enclose the value in...

4:ATTR(=, ’openViewData3"); 5:ATTR(=, "openViewData4"); MAP origin=$V3; sub_origin=$V4; severity=WARNING; OV_status=2; # Marginal Keywords The OpenView adapter supports the use of the following keywords in classdefinition statements. These keywords can be useful if you want to customizee...

Each line of this file has the following form: "name" "object identifier" For example "sysUpTime" "1.3.6.1.2.1.1.3" "ifIndex" "1.3.6.1.2.1.2.2.1.1" "whyReload" "1.3.6.1.4.1.9.2.1.2" Note: Object identifiers must appear in increasing ord...

Events Listing The following table shows the class names and severities of all events defined forthe OpenView adapter. You can use it to get a sense of how OpenView events aremapped to IBM Tivoli Enterprise Console events and to determine if you want tomake any changes. The events are defined in the...

Event Class Default Severity OV_Unmanage_Node WARNING OV_Unmanage_Segment WARNING HPOV_Event WARNING OV_ARP_Chg_New_Phys_Addr WARNING OV_ARP_Phys_Chg_Same_Src WARNING OV_AppUngracefulExit WARNING OV_Application_Alert WARNING OV_Application_Down WARNING OV_Application_Up WARNING OV_Bad_Forw_To_Host W...

50790402 Segment Marginal 50790403 Network Normal 50790404 Network Marginal 50790405 Segment Added 50790406 Segment Deleted 50790407 Network Added 50790408 Network Deleted 50790409 Connection Added 50790410 Connection Deleted 50790411 Change Polling Period 50790412 Forced Poll 50790418 Manage Node 5...

Chapter 6. OS/2 Adapter The IBM Tivoli Enterprise Console adapter for OS/2 forwards events from anOS/2 system to the event server. The adapter is registered with the startupconfiguration of OS/2 so that the adapter is started with all the other applicationsthat are automatically started when OS/2 is...

If a file truncates while the adapter is active, the adapter automaticallyresets its internal pointer to the beginning of the file. If during the pollinginterval the file is overwritten, removed, or recreated with more lines thanthe previous poll, only the number of lines greater than the previous l...

You can also manually start the adapter by entering the following commandsequence from the OS/2 command line: sh %LCF_BINDER%/../TME/TEC/ADAPTERS/BIN/tecadini.sh start Stopping the Adapter You can manually stop the endpoint adapter by sourcing the endpointenvironment, and then entering the following...

Numeric Value Literal Value 6 HARMLESS Troubleshooting the OS/2 Adapter Perform the following steps to troubleshoot the OS/2 adapter: 1. Stop the OS/2 adapter that is currently running. See “Stopping the Adapter” onpage 81 for details. 2. Add a LogSources=c:\check.txt entry in the configuration file...

Chapter 7. SNMP Adapter The Simple Network Management Protocol (SNMP) adapter for the IBM TivoliEnterprise Console product forwards events from SNMP traps to the event server. This chapter explains how to configure and start the SNMP adapter. SNMP Driver The SNMP adapter serves the function of colle...

Before starting the adapter, check each adapter file to determine if it defines thebehavior you want from the adapter. Configuration File The configuration file defines the behavior of the adapter, which runs as a serverdaemon. The configuration file can have the common keywords described in“Configu...

Cold Start The endpoint adapter is automatically started as a step in the adapter installationprocess when the adapter configuration profile (ACP) is distributed using theAdapter Configuration Facility (ACF). Manually start the adapter on the endpoint with the following command: init.tecad_snmp star...

Event Class Event Severity Port_Type_Changed_CBT WARNING Lock_Status_Changed_CBT WARNING Port_Security_Violation_CBT WARNING Port_Violation_Reset_CBT WARNING Env_Temperature_CBT WARNING Cisco_Trap WARNING Reload_Cisco WARNING TCP_Connection_Close_Cisco HARMLESS The tecad_snmp.baroc file contains a c...

BEGINIMPORTSenterprises FROM RFC1155-SMI OBJECT-TYPE FROM RFC-1212 TRAP-TYPE FROM RFC1215; -- Network Computing Inc. nci OBJECT IDENTIFIER ::= { enterprises 768 } -- LANAlert alert packets lanalert OBJECT IDENTIFIER ::= { nci 2 } -- Agent-independent data items lanalert-data OBJECT IDENTIFIER ::= { ...

Change alerts are generated when a condition changes state. These types of alertsare forwarded to any consoles and gateways that are currently attached to theagent management server. Change alerts cannot be cleared, since neither the agentor the management server maintains information about the aler...

VARIABLES { managementServerName, nodeName, eventID, alertText } These are denoted in the tecad_snmp.cds file as follows: 3:ATTR(=,"managementServerName"); 4:ATTR(=,"nodeName"); 5:ATTR(=,"eventID"); 6:ATTR(=,"alertText"); You would add the following entry to the tecad...

–d Starts the adapter in debug mode. This argument prevents the daemonfrom forking itself. –c configuration_file Specifies the location of the configuration file. If –c is not specified, then the adapter searches$TECADHOME/etc/tecad_snmp.conf if the environment variable TECADHOME is set, or /etc/Tiv...

Chapter 8. IBM Tivoli Enterprise Console Gateways Although not an adapter, the IBM Tivoli Enterprise Console gateway is similar inthat it is software that uses the TME interface of Tivoli Event Integration Facility tocommunicate with the event server. Like an adapter, it can be configured with aconf...

2. Determine the number of gateways and the resulting number of events thatthey can send to the event server.The example environment contains two gateways, where gateway A isresponsible for Web commerce servers and gateway B is responsible for thesecretaries’ systems. Divide the average capacity of ...

Worksheets and Calculations Table 1 and Table 2 summarize the values for this example. You can use thesetables as worksheets to assemble the values you measure and calculate for yourenvironment. All numerical values are expressed in events per second, exceptwhere noted. Table 1. Example values for c...

The following example illustrates how the Windows path notation can beexpanded: c:\winnt\system32\drivers\etc\Tivoli\tec\tec_gateway.conf The configuration file defines the behavior of the gateway. The configuration filecan have the common keywords described in “Keywords” on page 9, as well asthe fo...

acknowledgement from the event server. The default value is 30seconds. This keyword works with the GatewayTMEAckEnabledkeyword for event delivery. GatewayQueueSize Specifies, in bytes, the size for the buffers containing eventswaiting to be forwarded to event servers. If any of these buffers fillbef...

Chapter 9. UNIX Log File Adapter The TME UNIX log file adapter receives raw log file information from the UNIXsyslogd daemon, formats it, and sends it to the IBM Tivoli Enterprise Console gateway. The IBM Tivoli Enterprise Console gateway then sends the information tothe event server. The non-TME UN...

Stopping the Adapter Use the init.tecad_logfile stop command to manually stop the adapter. Always usethis command to ensure that the syslogd daemon is correctly configured to stopsending messages to the adapter. If the adapter is stopped with any other method,the syslogd daemon might exit because th...

Adapter Files The UNIX log file adapter package consists of the following files: tecad_logfile.cfg The installation script. init.tecad_logfile The adapter startup and shutdown script. Never stop the adapterusing signals. Use this script to ensure that the syslogd daemonremains running and functional...

PollInterval Specifies the frequency, in seconds, to poll each file listed in theLogSources field for new messages. The default value is 120 seconds. UnmatchLog Specifies a file to log discarded events that cannot be parsed into an IBMTivoli Enterprise Console event class by the adapter. The discard...

Event Class Default Severity NFS_No_Response WARNING NIS_No_Response WARNING Server_OK HARMLESS NFS_OK HARMLESS NIS_OK HARMLESS Default Rules The UNIX log file adapter has a set of default rules that can be installed toenhance event server operation. Rules can enable the server to perform functionss...

hour. You can edit this rule to change the time or the list of classes. Refer to theIBM Tivoli Enterprise Console Rule Builder’s Guide for information about editingrules.– Logfile_Amd– Logfile_Cron– Logfile_Oserv– Logfile_Date_Set The event server also comes with some additional rules that you can i...

Chapter 10. Windows Event Log Adapter The adapter for the Microsoft Windows event log forwards events from a Windowssystem to the event server. It is registered with the start-up configuration ofWindows 2000 or Windows NT so that the adapter is started with all the otherapplications that are automat...

tecad_win.baroc The BAROC file. postemsg.exe The command line interface program to send an event to an eventserver. tecad_win.err The error file. Before starting the event server, check the configuration file to determine if itdefines the preferred adapter behavior. Configuration File The configurat...

If a file truncates while the adapter is active, the adapterautomatically resets its internal pointer to the beginning of the file.If during the polling interval the file is overwritten, removed, orrecreated with more lines than the previous poll, only the numberof lines greater than the previous li...

The following example shows a PreFilter statement with a regularexpression. This prefilter statement matches all Application Logevents with a source name that contains TEC_ somewhere in its name: PreFilter:Log=Application;Source=re:’TEC_.*’; The following example shows a prefilter statement with a m...

The WINEVENTLOGS statement is a comma-delimited list withno spaces that can contain the following values: Application,Directory (Directory service), DNS, FRS, Security, System, All, and None. In the following WINEVENTLOGS statement, the System,Security, and File Replication service event logs are mo...

Registry Variables Registry variables are used to control the operation of the Windows event logadapter. Changes made to registry variables take effect immediately; there is noneed to stop and restart the adapter. Use the registry editor (regedt32) provided byWindows to view and modify registry vari...

DirectoryEventsProcessedTimeStamp Contains the time stamp for the corresponding event identified by thevalue of the DirectoryEventsProcessed variable. DNSEventsProcessed Contains the highest event number in the Windows DNS Server Log thatthe adapter has processed. The adapter uses this variable to k...

SecurityEventsProcessedTimeStamp Contains the time stamp for the corresponding event identified by thevalue of the SecurityEventsProcessed variable. SystemEventsProcessed Contains the highest event number in the Windows event log that theadapter has processed. The adapter uses this variable to keep ...

Any values, which you do not set, use the default values when you enable thisfeature. The adapter only checks these values at startup. Adapter Administrator Roles for Windows Both the service and non-service version of TME adapters on Windows run underthe local SYSTEM account (the built-in Windows a...

Event Class Structure Event classes are defined hierarchically, with child classes inheriting attribute valuedefaults from the parent. The Windows event classes follow a simple hierarchy. The adapter fills in the following attribute default values. The attributes are usedin event group filters. sour...

tecad_win Starts the Windows event log adapter in non-service mode. SYNOPSIS tecad_win.exe [–d] [–c ConfigFile] [–L none | EventLog ...] DESCRIPTION The tecad_win command starts the Windows event log adapter in non-servicemode. You can use the non-service mode for diagnostic purposes or to view even...

Troubleshooting the Windows Event Log Adapter Perform the following steps to troubleshoot the Windows event log adapter: 1. Stop the Windows event log adapter that is currently running by pressing theEsc key in the command window session that is running the Windows event log adapter. Pressing the Ct...

Chapter 11. Windows NT Event Log Adapter The adapter for the Microsoft Windows NT event log forwards events from aWindows NT system to the event server. It is registered with the start-upconfiguration of Windows NT so that the adapter is started with all the otherapplications that are automatically ...

If during the polling interval the file is overwritten, removed, orrecreated with more lines than the previous poll, only the numberof lines greater than the previous line count is read. For example,the file has one line. After the poll interval elapses, the file isoverwritten with two lines. Only t...

The PreFilter keyword is optional. All Windows NT log events aresent to the adapter if prefilters are not specified andPreFilterMode=OUT . For additional information about prefiltering Windows NT logevents, see “Prefiltering Windows NT Log Events” on page 130. PreFilterMode Specifies whether Windows...

against a format description. A formatted error message from the Windows NTservice control manager can look like the following example: Jan 15 15:06:19 1998 0 Error N/A Service_Control_Manager 7024 \ The UPS service terminated with service-specific error 2481. For details about format files, see “Fo...

drive:\adapter_dir, where drive and adapter_dir are the drive and directory,respectively, that contain the adapter executable files and run-time files.Only change the TECInstallPath variable if you move the adapterexecutable files and run-time files after you have installed the adapter. Low Memory R...

tecad_nt Starts the Windows NT event log adapter in non-service mode. SYNOPSIS tecad_nt.exe [–d] [–c ConfigFile] [–L none | EventLog ...] DESCRIPTION The tecad_nt command starts the Windows NT event log adapter in non-servicemode. You can use the non-service mode for diagnostic purposes or to view e...

Troubleshooting the Windows NT Event Log Adapter Perform the following steps to troubleshoot the Windows NT event log adapter: 1. Stop any Windows NT event log adapters that are currently running bypressing the Esc key in the command window session that is running theWindows NT event log adapter. Pr...

Appendix A. Files Shipped with Adapters Notes: 1. The NetView for OS/390 ® adapters are delivered with Tivoli NetView for OS/390 as part of the Event/Automation Service. Although these adapters areshipped as part of that product, the BAROC files and rule files for them areshipped with the IBM Tivoli...

Appendix B. Format File Reference This appendix contains details about format files. The format file usually has an extension of .fmt; see each specific adapter chapterfor exact file names. To use non-English characters in a format string, you mustenter the non-English characters in the local encodi...

Format Specifications The format file is made up of one or more format specifications. A formatspecification has the following parts: v Format headerThe keyword FORMAT followed by the event class name. This is optionallyfollowed by the FOLLOWS keyword and a previously defined class name, asshown in ...

Matches one constant in the message. The optional length is a decimal numberof any size and allows the constant to be truncated to the length if the constantactual length is greater than the specifier length. v % [length]s* Matches zero or more constants in the system log message. The optional lengt...

Windows NT Example The following example is a Windows NT message: Jan 15 15:06:19 1998 0 Error N/A Service_Control_Manager 7024 \ The UPS service terminated with service-specific error 2481. The variable parts are the time stamp (Jan 15 15:06:19 1998), possibly the securityID (N/A), the event ID (70...

The mapping part of a format specification consists of zero or more lines thatcontain a BAROC file attribute name followed by a value specifier. The valuespecifiers can be one of the following types: $ i Where i indicates the position of a component specifier in a format string.Each component specif...

Additional Mapping Considerations Specify only one mapping for each BAROC file attribute. A mapping can be inherited from a more generic format specification (using theFOLLOWS keyword) or can be explicitly defined on the format specification that directly matches the message. Because the adapter doe...

The log file adapter will attempt to match this system log message to the mostspecific format specification. In this case, the event matches theRoot_Login_Success_From format specification. The event created by the log file adapter will therefore have an event class of Root_Login_Success_From. Thefo...

PRINTF statement in the Root_Login_Success_From class, its value would have been ttyp6. This is because the msg attribute is inherited as the third componentspecification in the event, even though the third component in the originatingclass (Logfile_Base) would have yielded the value sawmill login: ...

Windows event log win_gencds / language /tecad_win.fmt tecad_win.cds Windows NT event log nt_gencds / language /tecad_nt.fmt tecad_nt.cds 3. Restart the adapter: NetWare log file See “TECADNW4.NLM” on page 61. OS/2 See “Starting the Adapter” on page 80. UNIX log file See “Starting the Adapter” on pa...

Appendix C. Class Definition Statement File Reference A class definition statement (CDS) file specifies SELECT, FETCH, and MAPstatements for all event classes supported by adapters that utilize a CDS file. Thisprovided file is required for most adapters and has the same format for alladapters that u...

$msg = PRINTF("Job %s for user %s is on message wait", $F1, $F2); END Table 3 describes each statement in the example: Table 3. Explanation of operators in example code Code Explanation SELECT ATTR(=,$MSG), VALUE( PREFIX ,"Job"); A match occurs when any message arrivingwith the Class...

If the class name equals *DISCARD*, any incoming event matching the SELECTstatement is discarded. Note that an event is also discarded if it does not matchany class definition statement. However, if a particular type of incoming eventmust always be discarded (for example, routine events that are of ...

SELECT statements and their associated clauses are evaluated in the order they appear in the CDS file. If all the clauses of a SELECT statement are evaluatedsuccessfully, the incoming event matches the corresponding class. After an event is matched with a class because of successful SELECT statement...

There can be one or more clauses within a FETCH statement. Each clause has thefollowing format: n : expression ; where n is the identification number of a clause within a FETCH statement andexpression is an expression specifying the value to assign the pseudo-variable $Fn.Pseudo-variables are the ou...

source=NET; sub_source=SNMP-TRAP; origin=$SOURCE_ADDR; ENDCLASS Authentication_Failure_Cisco SELECT 1: ATTR(=,$ENTERPRISE), VALUE(PREFIX, "1.3.6.1.4.1.9"); 2: $TYPE = 4; 3: ATTR(=,"authAddr"); FETCH 1: IPNAME($SOURCE_ADDR); MAP hostname = $F1; originating_address = $V3; END # For Cis...

Class Definition Statement File Syntax Diagrams This section describes the syntax for statements allowed within a CDS file. Thesyntax is shown in BNF-like notation where the vertical bar (|) characterrepresents alternatives, and optional parts are contained within braces ({}). * * FILE CONTENT */ &l...

Notices This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area...

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk. IBM may use ...

IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, canno...

Glossary The following cross-references are used in this glossary: See: This refers the reader to (a) a related term, (b) a term that is the expanded form of anabbreviation or acronym, or (c) a synonym or more preferred term. Obsolete term for: This indicates that the term should not be used and ref...