When an entry is defined for a given Windows event in the Source / Publisher field in ntevl, no alarm message is generated when the event occurs.
- UIM 8.5.1, 20.x
- ntevl v4.32
- The ntevl help documentation is unclear about the usage and valid syntax (including regex) of several fields
- Inconsistent results caused by configuration settings and by an ntevl memory issue fixed in 4.32 HF1
- Upon reboot, the ntevl.pos file was getting corrupted.
-> First, download and deploy ntevl 4.32-HF1 or higher
In the Event Selection Criteria section:
1. Source / Publisher Name:
For this filter, each of the following variations works as expected:
Literal string-> Microsoft-Windows-WER-SystemErrorReporting
or
Slashes-> /Microsoft-Windows-WER-SystemErrorReporting/
or
Asterisks-> *Microsoft-Windows-WER-SystemErrorReporting*
Each of these matches the event reliably.
2. Message String:
Even though the ntevl Techdoc Help documentation states:
"Message String: defines the alarm message to be generated when the event selection criteria matches an event." That statement is a bit misleading.
>>>The Message String field expects the message text, or part of the message text, of a VALID Windows Event ID. The alarm description is then updated, and no message-format errors for the event appear in the probe log. For instance, here is a portion of the message string for Event ID 999, along with some other accepted forms:
/An unexpected error has caused a DPM service failure/
or
/.*An unexpected error.*/
or
*
3. Computer:
localhost cannot be used in the Computer field. Use an asterisk, <hostname_string>*, or the FQDN of the local computer.
For example, these work:
*
or
/<partial_string>*/ for example, /myhost*/
or
<FQDN> for example, thishost.company.com
Make sure the ntevl probe is Active and the profile is still selected (activated) before creating the test event to generate the alarm.
Additionally, on the ntevl Properties tab, keep "Disable continuous update of position file" selected but increase the value of "Position file update interval" from 1 to 10.
It is also recommended to enable:
"Enable Position File Backup Interval", which allows the probe to back up the position file.
Position File Backup Interval: defines the time interval at which the probe backs up the position file. This setting is NOT enabled by default.
IMPORTANT note in the ntevl Help documentation:
The probe keeps the backup of the position file during an unexpected system reboot or system crash. In such cases, reboot alarms occur, but it is possible to get duplicate alarms for the specified time interval.
In the ntevl probe, when deployed OOTB, the Properties section contains the following settings when the run type 'Poll' is selected (the default):
Poll Interval: 30 seconds (default). Specifies the time interval at which the events list is updated. Note: Reduce this interval to generate alarms more frequently; a shorter interval also increases system load.
Alarm Timeout: 10 seconds (default)
Specifies the duration during which the probe does NOT generate multiple alarms for the same event log entry. A LOWER value than the Poll Interval is recommended.
Run Type-> Poll versus Event
Polling can be very expensive resource-wise if your Windows logs are large (which is common). It is much more efficient to use the "Event" run type: the probe then subscribes to updates from the Windows event service and only consumes resources when there is an actual message to process, as opposed to polling, where the log is queried constantly to see whether new messages have been added.
>>>So depending on the Alarm Timeout setting, you may get one alarm and then no other within the specified time frame. When testing ntevl event alarming, you may want to clear the 'Alarm Timeout' value to assess results quickly.
***Note: Leave this field blank to generate alarms at event occurrence.***
Here is an example of an eventcreate command that can be used to test a given event/event ID, e.g., 999:
C:\>eventcreate /t error /id 999 /l Application /d "An unexpected error has caused a DPM service failure. Restart the DPM service." /so MSDPM
SUCCESS: An event of type 'error' was created in the 'Application' log with 'MSDPM' as the source.
Notes on Source/Publisher
Enter the Provider name (from the Windows event properties) in the Source/Publisher Name field as the ntevl filter criterion.
Source/Publisher Name is mapped to the event's Provider name, NOT to its Source.
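The following PowerShell script is an added example (not part of this article or of the ntevl probe): it raises the article's test event with eventcreate, reads it back, and prints the exact values an ntevl profile matches on, so the Provider name (not the Event Viewer Source display name) and the recorded machine name can be copied into the Source/Publisher Name and Computer fields. It assumes an elevated PowerShell session on the monitored Windows host; the log name and event ID 999 are the constructed test values from the article.

```powershell
# Added example, not from the KB article or the ntevl probe.
# Run in an elevated PowerShell on the monitored Windows host.
param(
    [string]$LogName = 'Application',
    [int]$EventId    = 999    # constructed test event ID used in the article
)

# 1. Raise the same test event the article uses with eventcreate.
eventcreate /t error /id $EventId /l $LogName /so MSDPM `
    /d "An unexpected error has caused a DPM service failure. Restart the DPM service." | Out-Null

# 2. Read the newest matching event back.
$evt  = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -MaxEvents 1

# 3. Look up the provider metadata to show how the display name can differ
#    from the Provider name that ntevl's Source/Publisher Name field matches.
$meta = Get-WinEvent -ListProvider $evt.ProviderName -ErrorAction SilentlyContinue

[pscustomobject]@{
    'Source/Publisher Name (ProviderName)' = $evt.ProviderName   # enter THIS in the ntevl profile
    'Event Viewer Source (DisplayName)'    = $meta.DisplayName    # shown in the General tab; may differ
    'Computer (MachineName)'               = $evt.MachineName     # use this name or <prefix>*, never localhost
    'Message String sample'                = $evt.Message.Substring(0, [Math]::Min(60, $evt.Message.Length))
} | Format-List
```

For a manifest-based provider such as Microsoft-Windows-WER-SystemErrorReporting, substitute its log and event ID and compare the two name fields in the output before filling in the profile.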