
ntevl - seems to be scanning security log after being removed from the config


Article ID: 216251


Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

ntevl - seems to be scanning security log, even though it has been removed from the config.

The security_pos entry also still appears in the ntevl.pos file. Should this be removed?

<setup>
   file replication service_pos = 0
   dns server_pos = 56902
   security_pos = 144599023
   directory service_pos = 11176
   application_pos = 69226
   system_pos = 297817
</setup>

and the ntevl.log shows lots of:

Apr 15 11:38:17:607 [8728] ntevl: Event skipped: AutoCertEnrollFailed6: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: DCCertificateEnrollFailed13: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: 5827-ADEvent: Security: 144881304

This happens even though those profiles are configured to use other logs, for example System or Application.


Environment

Release : 20.3

Component : UIM - NTEVL4.32 T6


Resolution

  • The ntevl probe reads every event from each log it is positioned on, matches each event against the configured profiles, and processes it according to the matching profile.

In the ntevl log, every Security event is reported as skipped, i.e., no matching profile was found for it.

After the Security log is removed from the list of monitored log files in the ntevl GUI, these Security events should stop appearing after some time (possibly several hours, depending on the volume of Security events the probe was previously monitoring).

It is also good practice to enable the backup position feature:

https://knowledge.broadcom.com/external/article?articleId=96827

With backup enabled, ntevl backs up the position file at the configured interval; when the probe restarts and reads the .pos files, it picks up the most recently updated one.


  • The ntevl.pos file is a short-lived temporary file created and then deleted by the probe or robot.

(It holds the last read position for each log.)

The probe keeps a backup of the position file so that the position survives an unexpected system reboot or crash.

In such cases, reboot alarms are raised, but duplicate alarms may be generated for events within the backup interval.

If the Security log is removed from the ntevl configuration, the security_pos entry nevertheless remains in the ntevl.pos file.

Its value (for example, security_pos = 144599023) will no longer change; it stays at the last recorded position.

Do not remove the entry: if security_pos is deleted, the probe loses its place in the Security log and old or duplicate alarms will be generated.
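As an added diagnostic for the two points above (example code written for this article, not part of the ntevl probe or DX UIM), the following Python parses the <setup> section of ntevl.pos and the "Event skipped" lines from ntevl.log, then reports for each _pos entry whether its log is still in the monitored list, whether the probe is still skipping events from it (the backlog that should drain on its own), how far past the recorded position the skipped events have reached, and which _pos entries belong to unmonitored logs and should be left in place. The monitored-log list, the extra System log line, and the function names are assumptions constructed for the example; the pos values and the three Security lines are the ones quoted in this article.

```python
import re

# Constructed sample: the <setup> section of ntevl.pos, using the values quoted in the article.
POS_FILE = """<setup>
   file replication service_pos = 0
   dns server_pos = 56902
   security_pos = 144599023
   directory service_pos = 11176
   application_pos = 69226
   system_pos = 297817
</setup>
"""

# Constructed sample ntevl.log excerpt: the three Security lines from the article plus one
# System line that is an assumption added here to show a still-monitored log for contrast.
LOG_LINES = """Apr 15 11:38:17:607 [8728] ntevl: Event skipped: AutoCertEnrollFailed6: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: DCCertificateEnrollFailed13: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: 5827-ADEvent: Security: 144881304
Apr 15 11:38:18:011 [8728] ntevl: Event skipped: ExampleProfile: System: 297900
"""

# Assumption: the logs still selected under "log files to be monitored" in the ntevl GUI
# after Security was removed. Replace with your own list when checking a real probe.
MONITORED_LOGS = ["Application", "System", "Directory Service", "DNS Server",
                  "File Replication Service"]

POS_RE = re.compile(r"^\s*(?P<log>.+?)_pos\s*=\s*(?P<pos>\d+)\s*$")
SKIP_RE = re.compile(r"ntevl: Event skipped: (?P<profile>[^:]+): (?P<log>[^:]+): (?P<record>\d+)")


def parse_pos_file(text):
    """Map each '<log>_pos = N' entry to its integer position, keyed by lowercased log name."""
    positions = {}
    for line in text.splitlines():
        m = POS_RE.match(line)
        if m:
            positions[m.group("log").strip().lower()] = int(m.group("pos"))
    return positions


def parse_skipped_events(text):
    """Count 'Event skipped' lines per log and keep the highest event record number seen."""
    stats = {}
    for line in text.splitlines():
        m = SKIP_RE.search(line)
        if not m:
            continue
        log = m.group("log").strip().lower()
        record = int(m.group("record"))
        count, highest = stats.get(log, (0, 0))
        stats[log] = (count + 1, max(highest, record))
    return stats


def audit(pos_text, log_text, monitored_logs):
    """For each pos-file entry: is the log still monitored, is the probe still skipping its
    events, and how far past the recorded position the skipped events have reached."""
    positions = parse_pos_file(pos_text)
    skipped = parse_skipped_events(log_text)
    monitored = {name.lower() for name in monitored_logs}
    report = {}
    for log, pos in positions.items():
        count, highest = skipped.get(log, (0, 0))
        report[log] = {
            "pos": pos,
            "monitored": log in monitored,
            "skipped_events": count,
            "highest_skipped_record": highest,
            # Events still being skipped for a log that is no longer configured: the backlog
            # the article says drains on its own. The _pos entry must not be deleted meanwhile.
            "draining_unmonitored_log": count > 0 and log not in monitored,
        }
    return report


def unmonitored_pos_entries(pos_text, monitored_logs):
    """Names of _pos entries whose log is no longer monitored; these are expected to remain in
    ntevl.pos with a frozen value and should be left alone."""
    monitored = {name.lower() for name in monitored_logs}
    return sorted(log for log in parse_pos_file(pos_text) if log not in monitored)


if __name__ == "__main__":
    for log, info in audit(POS_FILE, LOG_LINES, MONITORED_LOGS).items():
        print(f"{log:26s} pos={info['pos']:<10d} monitored={info['monitored']!s:5s} "
              f"skipped={info['skipped_events']} highest={info['highest_skipped_record']} "
              f"draining={info['draining_unmonitored_log']}")
    print("leave these _pos entries alone:", unmonitored_pos_entries(POS_FILE, MONITORED_LOGS))
```

Running the block against the sample shows the situation from the article: security is not monitored, all three skipped events came from it, and the highest skipped record (144881304) lies beyond the frozen security_pos value (144599023), so the probe is still draining the Security backlog rather than re-reading it. On a live system, point the two inputs at the real ntevl.pos and ntevl.log and run it again a few hours later; the Security count should fall to zero while security_pos stays in the file unchanged.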