Nimsoft Monitor. ntevl Guide. v3.6 series




Legal Notices

Copyright 2012, CA. All rights reserved.

Warranty

The material contained in this document is provided "as is," and is subject to being changed, without notice, in future editions. Further, to the maximum extent permitted by applicable law, Nimsoft LLC disclaims all warranties, either express or implied, with regard to this manual and any information contained herein, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. Nimsoft LLC shall not be liable for errors or for incidental or consequential damages in connection with the furnishing, use, or performance of this document or of any information contained herein. Should Nimsoft LLC and the user have a separate written agreement with warranty terms covering the material in this document that conflict with these terms, the warranty terms in the separate agreement shall control.

Technology Licenses

The hardware and/or software described in this document are furnished under a license and may be used or copied only in accordance with the terms of such license. No part of this manual may be reproduced in any form or by any means (including electronic storage and retrieval or translation into a foreign language) without prior agreement and written consent from Nimsoft LLC as governed by United States and international copyright laws.

Restricted Rights Legend

If software is for use in the performance of a U.S. Government prime contract or subcontract, Software is delivered and licensed as "Commercial computer software" as defined in DFAR 252.227-7014 (June 1995), or as a "commercial item" as defined in FAR 2.101(a) or as "Restricted computer software" as defined in FAR 52.227-19 (June 1987) or any equivalent agency regulation or contract clause. Use, duplication or disclosure of Software is subject to Nimsoft LLC's standard commercial license terms, and non-DOD Departments and Agencies of the U.S. Government will receive no greater than Restricted Rights as defined in FAR 52.227-19(c)(1-2) (June 1987). U.S. Government users will receive no greater than Limited Rights as defined in FAR 52.227-14 (June 1987) or DFAR 252.227-7015 (b)(2) (November 1995), as applicable in any technical data.

Trademarks

Nimsoft is a trademark of CA. Adobe, Acrobat, Acrobat Reader, and Acrobat Exchange are registered trademarks of Adobe Systems Incorporated. Intel and Pentium are U.S. registered trademarks of Intel Corporation. Java(TM) is a U.S. trademark of Sun Microsystems, Inc. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Netscape(TM) is a U.S. trademark of Netscape Communications Corporation. Oracle is a U.S. registered trademark of Oracle Corporation, Redwood City, California. UNIX is a registered trademark of the Open Group. ITIL is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Contact Nimsoft

For your convenience, Nimsoft provides a single site where you can access information about Nimsoft products. At http://support.nimsoft.com/, you can access the following:

- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- Nimsoft Support policies and guidelines
- Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about Nimsoft product documentation, you can send a message to support@nimsoft.com.

Contents

Chapter 1: General Overview
Chapter 2: Probe Deployment
  Prerequisites and System Requirements
    System Requirements
    Installation Notes
  Probe Deployment Information
Chapter 3: Configuration
  The Setup/Properties Tab
  The Setup/Profiles Tab
  The Setup/Exclude Tab
  The Status Tab
  Parameters in a Posted Message
Chapter 4: Editing the Probe Configuration
  Arguments
Chapter 5: QoS Threshold Metrics
  QoS Metrics

Chapter 1: General Overview

This description applies to ntevl version 3.6.

The Windows NT event log watcher probe generates alerts based on messages from the Windows event logs.

This section contains the following topics:

- Documentation Changes

Documentation Changes

This table describes the version history for this document.

Version   Date       What's New?
3.6       May 2012   Added support for converting event description to a localized form.

Related Documentation

- Documentation for other versions of the ntevl probe
- Getting Started with Nimsoft Probes
- Nimsoft Probes Reference

Chapter 2: Probe Deployment

This section contains the following topics:

- Prerequisites and System Requirements
- Probe Deployment Information

Prerequisites and System Requirements

The Windows NT event log watcher probe requires Nimsoft Robot version 3.00 (or higher).

The Windows NT event log watcher probe version 3.0x uses the WMI service to retrieve the event logs. This service must be enabled.

System Requirements

The ntevl probe runs on the following:

Windows x86: XP, 2003, Vista, Win 7, 2008
Windows x86_64: XP, 2003, Vista, Win 7, 2008, 2008 R2
Itanium2 - IA64: 2003, 2008

Installation Notes

Restart the probe when the time zone is changed or when "Automatically adjust clock for daylight saving changes" is selected or cleared.

The Windows event log watcher probe version 3.0x uses WMI to retrieve the event logs. Accessing Windows event logs using WMI may severely affect the performance of a Windows 2000 system. If the probe is deployed on a Windows 2000 system, the probe will raise an alarm and stop execution. Probe version 2.33 does not use WMI for retrieving the event log and can be used for monitoring event logs on a Windows 2000 system.

The ntevl probe monitors the event logs for new messages and generates Nimsoft alarm messages according to your setup. You may set up the probe to trigger each time a new message is added to the event log, or you can choose to check the event log for new messages at a fixed interval, which will reduce the system load generated by the probe.

Probe Deployment Information

There are two ways to distribute archive packages. You can distribute the package within Infrastructure Manager or use the standalone Nimsoft Distribution application. See Probe Deployment for more information on deploying probes.

Chapter 3: Configuration

The ntevl probe is configured by defining one or more profiles, identifying a set of criteria for event log message selection and how these messages should be treated. This allows you to define different actions for different event log messages.

The Setup/Properties Tab

Field: Description

Probe active: In order to deactivate the probe, clear the check box.

Description

Delimiter: Add any character including special characters to replace the existing character as delimiter.

Remove Recurring Delimiter: Select the check box to remove repetition of delimiter.

Run type: Select event to trigger the probe every time Windows NT puts a new message into the event log. Select poll and specify a poll interval to check at regular intervals.

Logging: Specify the file to which the probe logs information about its internal activity and the level of details written to the log file. Log as little as possible during normal operation (to minimize disk consumption), and increase the amount of detail when debugging.

Post event log message setup: When event log messages are posted, the default message subject is specified here. Do not use the following subjects:

- alarm
- alarm_new
- alarm_update
- alarm_close
- alarm_assign
- alarm_stats
- QOS_MESSAGE
- QOS_DEFINITION

These are used internally in Nimsoft for alarm messages. The subject can be overridden in a profile. The column prefix is prepended to each field name when an event is posted. When the event log messages are received, the fields are identified by this prefix and the field name.

Fetch event setup:

Max. events to fetch: This field specifies the maximum number of events that are fetched from the event log in the Status tab. The default if this field does not have a value is 1000. The reason to set a limit is to avoid timeout situations while fetching events from the probe.

Fetch alarms on configurator start-up: This option, which by default is enabled, fetches all alarms at configuration start-up (select the Status tab to see the alarm list). If the option is not checked, this list will be empty at configurator start-up, and you have to click the Refresh button on the Status tab to fetch the alarms.

The Setup/Profiles Tab

Field: Description

<List>: Shows all the defined setup profiles. The check box to the left of the profile name must be checked for the profile to be enabled. Select a profile to display/modify its parameters. The first profile in the list is processed first and then the next one. Right-clicking in the list allows you to move a profile up or down.

Description: A text string identifying the watcher.

Event selection

Event selection criteria: Specify regular expressions identifying the eventlog messages you are looking for. An asterisk (*) in one of these fields means all log messages regardless of the contents in the field.
Note: You can use localhost in the computer field to get only local messages. You can also use both ranges and commas in the same entry, such as 1-5 and 9-20.

No propagation of events: If checked, an event matching the selection criteria for a profile will be made unavailable for the other profiles.
Note: You can change the order of the profiles and thus the processing order.

Alarm/Post

Send alarm: Select this option if you want a Nimsoft alarm message to be sent on recognition of an event log message.

Alarm message: In this field you can create/edit an alarm message for the selected profile, and you are allowed to use variables in the messages:

- $profile: Name of the profile for which alarm/QoS is generated
- $description: User-defined description
- $variable: User-defined variable

Event selection criteria:

- $source: The source from where the event is logged, e.g., [Service Control Manager]
- $event_id: The ID of the particular event
- $category: Category name of the particular event, e.g., [Management]; [Disk]
- $log: The event log name, e.g. [System]; [Application]
- $severity: The event severity level
- $severity_str: The severity code name, e.g. [error] [information]
- $user: Username
- $computer: Computer name
- $time_stamp: Date timestamp
- $message: Message description fetched from event logger
- $evldata: The variable $evldata can be used to get the data associated with the event. If there is no data present, "None" will be added to the message.

Level: Select the severity level of the generated alarms. Select "From eventlog" to use the same severity level as the eventlog message.
Note: The "critical" level is supported by Windows Server 2008 only.

Subsystem: A descriptive text name for the subsystem (variables may be used).

Set suppression key: Activate the message suppression feature, to avoid multiple instances of the same alarm-event (variables may be used).

Time frame: Time interval during which the events will be monitored, and if necessary, the alarms will be generated. By default, this field is empty.

Event Count Operator: Set the operator for the event count.
Note: Please use the alarm count operators with care in order to not produce too few/many alarms.

Event count: The number of events that will be counted to generate an alarm, during the specified Time frame.

Post message: Select this option if you want the event log message data to be posted as a Nimsoft message with the given subject. Note that the field names of the message will be prepended with the Column prefix specified in Setup/Properties.

Post Subject: In this field you can create/edit a custom Message Subject for the selected profile. This overrides the default subject. You are allowed to use variables in the messages.

- $variable: User-defined variable

QoS

Number of events found in time interval: When checked, QoS messages will be sent on number of events detected within the specified time interval (see below).

Time interval: The time interval (in seconds) for event detection used by the QoS option described above.

The Variables tab enables you to define one or more variables for each profile. There is no limit on the number of variables that can be defined for each profile. Also, note that duplicate variable names are not allowed.

To create a variable, select (highlight) the profile from the left-hand list. In the Variables tab, right-click in the grid and select New from the context menu. The Variable settings dialog opens. Enter the values as described below:

Field: Description

Name: Name for the variable in the Name field. Duplicate variable names are not allowed. By default, var is displayed.

Source Line: The source line of the variable where the threshold alarm needs to be defined.

Source FROM/TO positions: Select the FROM and TO positions.

Column: Set the Column number for which you wish to define the variable.
Note: The column numbering starts with 0 (zero).

Character Position: Set the Character Position of the Threshold.
Note: The character position starts with 0 (zero).

Match Expression: This button allows you to set the operator based threshold expression.
Note: The Threshold expression should EXACTLY match the event description.

Threshold alarm definition

Operator: Select a comparison operator from the drop-down menu. You can also choose re if you want to use regular expressions.

Threshold: Set the threshold value for the variable.
Example: If you set the threshold value for column 0 equal to 10, then an alarm will be generated every time the value in column 0 equals 10.

The newly created variable is displayed in the Variables grid.

To edit a variable, right-click on it and select the Edit option from the context menu. To delete a variable, right-click on it and select the Delete option from the context menu.

The Setup/Exclude Tab

The Exclude tab enables you to specify the profiles that should be excluded by the ntevl probe.

To create an entry, right-click in the left-hand section and select New from the context menu. The Exclude entry name dialog opens. Enter a name for the entry and click OK.

Field: Description

<List>: Shows all the defined exclude profiles. Select a profile to display/modify its parameters.

Event selection criteria: Specify regular expressions identifying the eventlog messages you are looking for. An asterisk (*) in one of these fields means all log messages regardless of the contents in the field.
Note: You can also use both ranges and commas in the same entry, such as 1-5,9-20.
Events matching all the criteria in an exclude profile will be excluded from monitoring by the defined profiles.
The Event ID field does NOT support regular expressions. Use the format shown in the examples below:

*
114
1,5,10
1,10-12
115-120

The Status Tab

The ntevl probe extracts the current values of the system, application and security event logs by default. You can add custom event logs here.

Note: Only the latest messages appear (determined by the number specified in the Max events to fetch field under Setup/Properties), so more event log messages may be present in the actual event log.

Also, note the Fetch alarms on configurator start-up option on the Setup tab. By default, this option is enabled, which fetches all alarms at configuration start-up.

If the option is not checked, the alarm list will be empty at configurator start-up and you have to click the Refresh button on the Setup tab to fetch the alarms.

The following right-click menu selections are available:

- Refresh: Fetch the event log messages again.
- New profile: Create a monitoring profile using values from the current event.
- Exclude from monitoring: Create an exclude profile using values from the current event.
- Clear log: Remove all event messages from the current event log.

Custom events can be added from Raw Configure. To add a custom event:

1. Right-click the probe in Infrastructure Manager and click Deactivate.
2. In the inactive probe, press SHIFT+Right-click and select Raw Configure from the context menu.
3. Select Edit Configuration File... in the Raw Configure dialog.

4. In the Raw Configure dialog, select logs in the left pane. Click New Key...
5. Enter the key name and value and click OK.
6. In the left pane, select subsystems and click New Key... Be sure to use the same key name as the one defined earlier.
7. Enter the key value and then click OK.

8. Activate the probe and open the GUI. The custom log is shown in Status > Event log list.

Parameters in a Posted Message

The messages are posted to a table called EventLogMessages containing the following fields:

Parameter (Type): Value

<column prefix>watcher (Text): The name of the profile finding the event log message
<column prefix>log (Text): The event log containing the event
<column prefix>severity (Text): The event type
<column prefix>source (Text): Identification of the application generating the event
<column prefix>category (Text): The event category
<column prefix>event_id (Number): A numeric event identifier
<column prefix>user (Text): The user running the application that generated the event
<column prefix>computer (Text): The computer name on which the event was generated
<column prefix>description (Text): Expanded event description
<column prefix>time_stamp (Date/Time): The time the event was generated.

The adogtw probe can be used to receive the posted messages and redirect these to your database.

Example: Monitoring up and down status for multiple computers, using two profiles

Create the two profiles UP status and DOWN status by selecting the Profiles tab, right-clicking in the Profile list and selecting New. Select the Activate box for both profiles.

To configure the UP status profile:

1. Select the Event selection tab and specify the event ID for the UP status (50002).
2. Select the Alarm/Post tab. Create an alarm message (e.g. $computer up) and select severity level clear.
3. Set a suppression key (e.g. $computer) to avoid multiple instances of the same alarm message.
4. Configure the DOWN status profile as shown:

5. Select the Event selection tab and specify the event ID for the DOWN status (50001).
6. Select the Alarm/Post tab, create an alarm message (e.g. $computer down) and select severity level warning.
7. Set a suppression key (e.g. $computer) to avoid multiple instances of the same alarm message.
8. Click the Apply button to activate the new profiles and then the OK button to exit the ntevl configuration tool.
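The two-profile setup above, modelled in Python together with the Event ID list/range format from the Setup/Exclude Tab, the alarm message variables and the "No propagation of events" option. This is an added example, not code from the guide or from the probe. The catch-all profile, the exclude range 1000-1100, the sample events and the rule that a later alarm with the same suppression key replaces the earlier one are assumptions of this model.

```python
import re
from dataclasses import dataclass


def event_id_matches(spec, event_id):
    """Event ID field format from the guide: *, 114, 1,5,10, 1,10-12, 115-120."""
    if spec.strip() == "*":
        return True
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", part)
        if m is None:  # the Event ID field does not accept regular expressions
            raise ValueError(f"unsupported Event ID entry: {part!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if low <= event_id <= high:
            return True
    return False


def expand(template, fields):
    """Substitute $name variables; a name with no value is left as written."""
    return re.sub(r"\$(\w+)", lambda m: str(fields.get(m.group(1), m.group(0))), template)


@dataclass
class Profile:
    name: str
    event_ids: str
    message: str
    level: str
    suppression_key: str
    no_propagation: bool = False


def process(events, profiles, exclude_ids=()):
    """Return the open alarms, keyed by expanded suppression key (assumed model)."""
    alarms = {}
    for event in events:
        if any(event_id_matches(spec, event["event_id"]) for spec in exclude_ids):
            continue  # an exclude profile hides the event from every profile
        for profile in profiles:  # list order is the processing order
            if not event_id_matches(profile.event_ids, event["event_id"]):
                continue
            fields = dict(event, profile=profile.name)
            key = expand(profile.suppression_key, fields)
            count = alarms.get(key, {}).get("count", 0) + 1
            alarms[key] = {"message": expand(profile.message, fields),
                           "level": profile.level, "count": count}
            if profile.no_propagation:
                break  # event is not offered to the profiles further down
    return alarms


# UP/DOWN profiles as in the guide's example; the catch-all is hypothetical.
PROFILES = [
    Profile("UP status", "50002", "$computer up", "clear", "$computer", True),
    Profile("DOWN status", "50001", "$computer down", "warning", "$computer", True),
    Profile("catch-all", "*", "$log event $event_id on $computer", "warning",
            "$computer/$event_id"),
]

# Constructed sample events (not taken from a real event log).
EVENTS = [
    {"computer": "srv01", "log": "Application", "event_id": 50001},
    {"computer": "srv01", "log": "Application", "event_id": 50001},
    {"computer": "srv02", "log": "Application", "event_id": 50001},
    {"computer": "srv01", "log": "Application", "event_id": 50002},
    {"computer": "srv02", "log": "System", "event_id": 7036},
    {"computer": "srv02", "log": "System", "event_id": 1014},
]


def demo():
    return process(EVENTS, PROFILES, exclude_ids=["1000-1100"])


if __name__ == "__main__":
    for key, alarm in demo().items():
        print(key, alarm)
```

Because both profiles use $computer as the suppression key, the two repeated DOWN events and the later UP event for srv01 collapse into one alarm that ends at level clear, while srv02 keeps its warning.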

Chapter 4: Editing the Probe Configuration

To edit the probe configuration, right-click the probe in Infrastructure Manager and select Edit.

The following dialog appears:

Field: Description

Probe: The probe name. This field is non-editable.

Type: The type of execution. By default, the timed option is selected. You can deactivate the setting by de-selecting the Active check box.

Command: The process that will execute the reboot. By default, it is ntevl.exe

Arguments: Optional arguments that can be passed to the probe. For the list of available arguments, see the "Arguments" section.

Working Directory: The probe's working directory path. By default, the path is \probes\system\reboot

Configuration File: The name of the probe configuration file. By default, the file is named ntevl.cfg

Data File: Specify the name of the probe data file, if required.

Time Specification: Specify the time range within which the probe activity should be carried out.

Execution: Specify the time interval at which the reboot should be executed. You can specify the start time or frequency (in minutes). Choose the Ignore option to nullify this field.

Group: Specifies the probe grouping. By default, it is Systemgroup.

Description: A brief description of the probe activity. By default, the description text is "Windows NT Event Log watcher".

Log File: Name of the log file for the probe. By default, it is ntevl.log

Arguments

Parameter: Description

-p <port>: Communications port to use
-d<log level>: Set log level
-l <log file>: Specify log file
-e <evl log file>: File for logging internal messages
-c <config file>: File used for general and watcher setup
-f <position file>: File used for storing event log positions
-V: Print version information
-z: Set current event log positions
-Z: Set current event log positions and run the probe normally
-h: Help information

Chapter 5: QoS Threshold Metrics

Many Nimsoft Monitor probes ship with default QoS threshold values set. The default threshold values provide an idea of the type of values to be entered in the fields and are not necessarily recommended best practice values. To aid in tuning thresholds and reducing false-positive alarms, this section describes the QoS metrics and provides the default QoS thresholds.

QoS Metrics

The following table describes the checkpoint metrics that can be configured using the ntevl probe:

Monitor Name (Units): Description

QOS_EVL_COUNT (Count): Windows Events