DX Infrastructure Management


ntevl to syslog options

  • 1.  ntevl to syslog options

    Posted 02-06-2019 05:24 PM

    I've successfully managed to get ntevl messages to go to the sysloggtw probe by creating an alarm and having the nas repost the alarm with the subject of SYSLOG-OUT which is then picked up by the sysloggtw probe and sent to a remote syslog daemon. My problem is that I have too many of these ntevl alarms and (even though I close them 30 seconds after arrival) they are causing my transactionlog.db to grow extremely large.

    Successful message that is reposted from the nas and is read by my remote syslog daemon properly

    I need to find a better way of handling these messages without creating an alarm that will be stored on the nas. I tried having ntevl post the original message to the bus using SYSLOG-OUT, but that doesn't work. The SYSLOG-OUT message needs to be formatted just like an alarm message is formatted. If you post directly to the bus from ntevl the message is formatted in a way that sysloggtw can't process properly and the message is lost.

    DrNimbus view of the ntevl posted message

    I then tried posting to a queue to have logmon read and create an alarm for any matches; however, that didn't seem to work either. The message is empty.

    DrNimbus view of the logmon alarm generated from reading the queue where the ntevl message was posted

    I was thinking about maybe using the alarm_enrichment probe and routing rules, but I want to make sure it only routes the ntevl alarms to a new subject.

     

    I also considered using a PPR script but I can't access nimbus.post() from a PPR script.

     

    How can I take an event log message and convert it to an alarm format for sysloggtw to forward to my remote daemon without bogging down my nas transaction tables?

     

    Maybe ems can do what I need, but I have zero experience using it. Creating Event and Alarm Rules with the XML Rule Catalogs - CA Unified Infrastructure Management Probes - CA Technologie…



  • 2.  Re: ntevl to syslog options

    Posted 02-06-2019 10:11 PM


  • 3.  Re: ntevl to syslog options

    Posted 02-07-2019 10:00 AM

    I was hoping more for a solution within UIM. Since we are an MSP, that is going to require purchasing and installing additional software on multiple customer servers to collect the necessary data and that is what I was trying to avoid. We know there is a simple existing method for converting event log messages to alarms, I just want to change the subject from alarm to SYSLOG-OUT so I can avoid routing them to the nas.



  • 4.  Re: ntevl to syslog options

    Posted 02-08-2019 02:19 PM

    OK, I have to say this made my head hurt today. But I think I have found a solution for you that bypasses the NAS as you would like.

    The real problem is that NTEVL, by default, when you use the Post Method function, sends the message in a table format.

    Logmon does not understand this format. When logmon is reading a message from a queue it is ONLY looking for a field called message. The post from NTEVL does not have this by default.

     

    My workaround takes advantage of the NEW ability to send event logs over to CA Log Analytics.

    Below is my ntevl profile I have setup for testing:

    I used IM to set this profile up, but you should be able to use AC2. MCS cannot be used for this.

     

       <Tosyslog>
          active = yes
          description = <Enter your description>
          level = information
          logs = application
          severity = *
          source = MYEVENTSOURCE
          category = *
          event_id = 1
          user = *
          computer = *
          message = *
          send_alarm = no
          alarm_message = $source($event_id - $category): $message
          i18n_token = as#system.ntevl.src_id_cat_1
          send_subject = yes
          subject = ntevllogmon
          subsystem =
          suppress = no
          suppression_key =
          send_to_axa = 1
          tenant_id = 1
          tags =
          exclusive = no
          qos_count = no
          qos_interval = 3600
          time_frame =
          evt_count =
          evt_count_condition =
          runcommandonmatch = 0
          commandexecutable =
          commandarguments =
          separator =
       </Tosyslog>

     

    • The two keys highlighted above will need to be added/modified using raw config.
    • This profile will then post an Alarm style message to the message bus with the new subject of ntevllogmon
    • I then created an ATTACH queue on the hub with ntevllogmon as the subject.
    • Next I set up logmon to read the ATTACH queue I had just created, and this is the profile from that one:

      <TestSysoutqueue>
          active = yes
          interval = 5 sec
          scanfile = ntevllogmon
          fileencoding =
          scanmode = queue
          alarm = no
          qos = no
          message = yes
          subject = SYSLOG-OUT
          user =
          reccur_directory = no
          reccur_directory_level = 10
          resetFile = no
          initialfileptr = 2
          resumefileptr = 4
          command_timeout_active = no
          command_timeout =
          command_severity = 2
          command_timeout_alarm = 0
          alarmFOpenFail = no
          clearFOpenFailRestart = no
          monitor_exit_code = No
          max_alarm_sev = 5
          max_alarms =
          max_alarm_msg =
          password =
          <watchers>
             <ntevllogmon>
                active = yes
                match = *
                level = information
                subsystemid =
                message = Test:${var}
                i18n_token =
                restrict =
                expect = no
                abort = no
                sendclear = no
                count = no
                separator = ,
                suppid =
                source =
                target =
                qos =
                runcommandonmatch = no
                alarm_on_first_match = no
                commandexecutable =
                commandarguments =
                pattern_threshold_severity = information
                pattern_threshold_message =
                timeout = 1
                pattern_threshold =
                expect_message =
                expect_level =
                regexfromexternalfile = no
                patternfilepath =
                token =
                variable_threshold =
                variable_threshold_message =
                variable_threshold_severity = information
                variable_threshold_supp =
                <variables>
                   <var>
                      definition = 12
                      operator = eq
                   </var>
                </variables>
             </ntevllogmon>
          </watchers>
       </TestSysoutqueue>

     

    The highlighted string above is the column number in the new message with the message fields from the ntevl probe.

     

    As I do not have a syslog daemon to send this to, I could not test to that final stage, but the sysloggtw did see this message and pick it up and process it.

     

    I hope this helps!!!!



  • 5.  Re: ntevl to syslog options

    Posted 02-08-2019 05:13 PM

    Hi Gene_Howard.

     

    I implemented these items; however the logmon message still is empty.

     

    This did change the format of the ntevl message though.

     

    DrNimbus view of the ntevl posted message with AXA parameters

     

    The logmon message looks no different than my earlier screenshot from DrNimbus.



  • 6.  Re: ntevl to syslog options

    Posted 02-12-2019 03:47 PM

    Gene_Howard - Any additional ideas?



  • 7.  Re: ntevl to syslog options

    Posted 02-15-2019 01:42 PM

    Sorry, it's been a crazy week here in support.

    Can you attach your ntevl.cfg for me to review?

    Or email it to me?

     

    thanks



  • 8.  Re: ntevl to syslog options

    Posted 02-20-2019 04:29 PM

    Hi Gene_Howard,

     

    It turns out I had a typo: sent_to_axa instead of send_to_axa. Once I changed that, there was only one problem with your suggestion: the definition should be 14 for the message; 12 is the opcode.

     

    Ultimately, I opted for sending the entire message, though, so that it could be parsed for the hostname as well. It seems that replacing the source does not work.

     

    Thank you very much for this, it was extremely helpful!
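The two posts above (the logmon queue watcher in reply 4, and the correction in reply 8 that the message sits in column 14 while column 12 is the opcode) both rest on the same mechanism: a logmon variable with a numeric definition picks one separator-delimited column out of the record ntevl posts to the queue. The following Python is an added example modelling that extraction; it is not UIM, ntevl or logmon code. It assumes a plain split on the configured separator and 1-indexed columns, and the record it parses is constructed, not captured from a hub. It also shows a failure mode worth checking before trusting a forwarded column: an event message that itself contains the separator shifts every later column.

```python
import re

SEPARATOR = ","        # matches `separator = ,` in the logmon watcher
OPCODE_COLUMN = 12     # per the thread: column 12 is the opcode
MESSAGE_COLUMN = 14    # per the thread: column 14 is the event message
EXPECTED_COLUMNS = 15  # assumption for the constructed record below

# Constructed sample record (not a real ntevl/AXA capture). Only columns 12 and
# 14 carry values the thread identifies; the rest are placeholders so that the
# column positions are easy to count.
SAMPLE_RECORD = SEPARATOR.join([
    "c01", "c02", "c03", "c04", "c05", "c06", "c07", "c08", "c09", "c10",
    "c11", "OPCODE-1", "c13", "Service started successfully", "c15",
])


def column(record: str, definition: int, separator: str = SEPARATOR) -> str:
    """Return the 1-indexed column `definition` of a delimited record.

    Assumption: this mirrors a logmon variable whose `definition` is a column
    number, i.e. a plain split on the separator with no quoting rules.
    """
    if definition < 1:
        raise ValueError("definition is 1-indexed")
    parts = record.split(separator)
    if definition > len(parts):
        raise IndexError(f"record has {len(parts)} columns, wanted {definition}")
    return parts[definition - 1]


def render(template: str, record: str, variables: dict) -> str:
    """Expand ${name} tokens in a watcher message (e.g. `message = Test:${var}`)
    using each variable's column definition."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no variable named {name!r} in <variables>")
        return column(record, variables[name]["definition"])
    return re.sub(r"\$\{(\w+)\}", substitute, template)


def opcode_vs_message(record: str = SAMPLE_RECORD) -> tuple:
    """Show what the watcher emits with definition 12 versus definition 14,
    reproducing the mix-up that reply 8 corrected."""
    return (
        render("Test:${var}", record, {"var": {"definition": OPCODE_COLUMN}}),
        render("Test:${var}", record, {"var": {"definition": MESSAGE_COLUMN}}),
    )


def column_shift(record: str, expected: int = EXPECTED_COLUMNS,
                 separator: str = SEPARATOR) -> int:
    """Defensive check: return how many extra columns a record has compared to
    the layout the watcher was written for. A positive value means the event
    message contained the separator, so a fixed column number would silently
    pick up the wrong text downstream."""
    return len(record.split(separator)) - expected


def shifted_record() -> str:
    """Constructed record whose event message contains a comma."""
    return SAMPLE_RECORD.replace(
        "Service started successfully", "Logon failed, retrying", 1)


if __name__ == "__main__":
    print(opcode_vs_message())
    print("extra columns in shifted record:", column_shift(shifted_record()))
```

When the whole record is forwarded instead of a single column, as the poster finally chose to do, the split happens at the syslog consumer rather than in logmon, and that consumer needs the same shift check before it relies on a fixed field position for the hostname or message.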