DX Unified Infrastructure Management

  • 1.  NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 05:31 AM

    We have an issue where the NTEVL probe is not generating alerts for the events configured in the probe.

    We have checked, and the configuration is absolutely fine; the corresponding event is also there in the Windows event logs.

    Please let us know what the reason for this could be.

    Regards,

    Manish Sharma



  • 2.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 10:23 AM

    Are you sure you checked at least one of the files to read from? Is there anything interesting in the probe logs? Do you have any error? What's the probe status?



  • 3.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 10:32 AM

    Hi Chris,

     

    That is why it is so weird: there is nothing we found which would help us identify the issue. The probe is working absolutely fine and there is nothing in the logs which would say that there was some issue with the probe or with the configured monitoring of this particular event.

    There are lots of event profiles configured in the monitoring and they are working absolutely fine and generating alerts; we have this issue only with this particular event (the event id is 1), which is being captured in the event logs of the server, but UIM is not generating any alert for the same event.

    We have changed the run type from poll to event so that the event would get updated whenever there is a new event, and also changed the source from all ( * ) to Application; we are observing now.

    Could you please suggest any other solution which we can implement to fix this alerting issue?


    Regards,

    Manish Sharma



  • 4.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 10:45 AM

    Can you share the cfg file of the probe please?



  • 5.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 11:05 AM

    Please find attached the cfg of the ntevl probe.

    Please also find below the details of the profile which did not generate an alert when event id 1 was captured by the Windows event log.

    Event id : 1
    Log : Application
    Source : Opalis4
    Message String : /(HANDSOM Backup BI file has exceeded size limit of.*)/


    Regards

    Attachment(s): ntevl.cfg.zip (3 KB)


  • 6.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 11:26 AM

    That's what I thought: in the "Setup" of the probe, you need to specify which logfiles you want to put a watcher on (i.e. the ones you want it to continually read to look for corresponding events). In the configuration you shared, there are only 3 files monitored:

    <logs>
       system = System
       application = Application
       security = Security
    </logs>

    You should go into the Setup of the probe through IM (or AC, or MCS, whatever) to add the custom logfiles you need to have a handle on (here, the "opalis" one).



  • 7.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 11:38 AM

    Thanks a lot for your findings; I just want to be a bit clearer on your suggestion.

    So we need to specify the Opalis source in the Log tab along with Application, System and Security, and select that in the log? Please confirm, as we are already using Opalis4 in the Source field.

    Earlier we were using ( * ) in the log; I believe that would capture all the events irrespective of the type of the log, so it won't work in this case?

    Please elaborate a little bit so that I can make the required changes and inform the team what the reason for this alerting issue was.

    Thank you very much again for taking the time to have a look at this issue.


    Regards,

    Manish Sharma



  • 8.  Re: NTEVL probe not generating alerts for events configured in probe

    Posted Mar 26, 2018 11:45 AM

    Actually, the probe works the following way:

    • In the Setup of the probe, you specify all the log files you want it to look after.
    • After that, in the Watcher, you specify the "Source", but this one corresponds to the "Source" field of the EventLog format. So it needs to match the "Source" field of the message you see in the Event Viewer (no matter which file it comes from).

    The probe starts to read, in real time, all the new lines added in any of the files you specified in the "Setup". For each new message, it compares that to all the Watchers. If a match is found, it follows the rules defined in the Watcher.

    BTW: if you don't want to read anything from certain specific files, I strongly suggest you remove them from the Setup of the probe. Especially the Security file, which can be *very* verbose and can considerably slow down the probe processing.
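The two-stage behaviour described in posts 6 and 8 (only logs listed in the Setup's <logs> block are read at all; each event read is then compared against every Watcher's Source, event id and message regex) as a small simulation. This is an added example, not the ntevl probe's own code or the thread's cfg file: the Watcher/Event field names, the "*" log binding and the hypothetical "Opalis" log name are assumptions.

```python
import re
from collections import namedtuple

# Constructed copy of the <logs> block quoted in the thread (UIM cfg style).
CFG_TEXT = """<logs>
   system = System
   application = Application
   security = Security
</logs>
"""

# A watcher profile (log binding, Source field, event id, message regex) and a
# Windows event as the probe would read it. log "*" in a watcher means any watched log.
Watcher = namedtuple("Watcher", "log source event_id message")
Event = namedtuple("Event", "log source event_id message")

def parse_logs_section(cfg):
    """Return the set of event log names the probe reads: the values in <logs>."""
    block = re.search(r"<logs>(.*?)</logs>", cfg, re.S)
    body = block.group(1) if block else ""
    return {line.split("=", 1)[1].strip() for line in body.splitlines() if "=" in line}

def evaluate(cfg, watchers, events):
    """Simulate the probe: only logs listed in <logs> are read at all; every event
    read is compared against every watcher. Returns (alerts, unread_logs)."""
    watched = parse_logs_section(cfg)
    alerts, unread = [], set()
    for ev in events:
        if ev.log not in watched:            # no handle on this log file: never seen
            unread.add(ev.log)
            continue
        for w in watchers:
            if (w.log in ("*", ev.log) and w.source == ev.source
                    and w.event_id == ev.event_id and re.search(w.message, ev.message)):
                alerts.append((ev.log, ev.source, ev.event_id))
    return alerts, unread

def demo():
    # Constructed events: the same Opalis4 message written to two different logs;
    # the "Opalis" log name is hypothetical.
    msg = "HANDSOM Backup BI file has exceeded size limit of 2 GB"
    watcher = Watcher("*", "Opalis4", 1, r"HANDSOM Backup BI file has exceeded size limit of.*")
    events = [Event("Application", "Opalis4", 1, msg), Event("Opalis", "Opalis4", 1, msg)]
    return evaluate(CFG_TEXT, [watcher], events)
```

Running demo() shows the event in Application alerting while the identical event in the unlisted log is never examined, which is exactly why a correct Source and message string still produce nothing until the log is added to the Setup.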