UIM - Some ntevl profiles are not generating an alarm

Article ID: 232397


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

We are using ntevl and we are having an issue with a profile that is not generating alarms. 

The log indicates that it matches fine, but is generating an error message.

Dec 13 12:48:33:250 [8384] ntevl: Level is :Error
Dec 13 12:48:33:250 [8384] ntevl: Variable not found.Event found, trap sent: select: Application: 406298
Dec 13 12:48:33:250 [8384] ntevl: EvtFormatMessage failed: message or message id not found
Dec 13 12:48:33:250 [8384] ntevl: Error getting Task category for event DETAILS: Publisher: ###### EventID: 100
Dec 13 12:48:33:250 [8384] ntevl: Level is :Error
Dec 13 12:48:33:250 [8384] ntevl: Variable not found.Event found, trap sent: select: Application: 406299
Dec 13 12:48:33:250 [8384] ntevl: EvtFormatMessage failed: message or message id not found
Dec 13 12:48:33:250 [8384] ntevl: Error getting Task category for event DETAILS: Publisher: ##### EventID: 1
Dec 13 12:48:33:250 [8384] ntevl: Level is :Error
Dec 13 12:48:33:250 [8384] ntevl: Variable not found.Event found, trap sent: select: Application: 406300

In another scenario, a certain event is present in the Event Log but the match does not occur, and the following may be seen in the log:

Jul 26 13:17:25:203 [13976] ntevl: Event skipped: Name_of_profile2: 235579596 
Jul 26 13:17:25:203 [6792] ntevl: Event skipped: Name_of_profile3: 235579597 
Jul 26 13:17:25:203 [13976] ntevl: Name_of_profile4 235579596 
Jul 26 13:17:25:203 [6792] ntevl: EName_of_profile5 235579597 
Jul 26 13:17:25:203 [13976] ntevl: EName_of_profile6 235579596 

Environment

Release : UIM 20.x

Component : UIM - NTEVL any version

Cause

The matching criteria are case-sensitive.

Resolution

SCENARIO 1

This issue can be observed when there is a mismatch in how the specific log is defined in the "logs" section of the configuration file.

For example, if the Application log is defined in the "logs" section of the CFG as "application" (screenshot on the left) instead of "Application" (screenshot on the right), the alarm is not sent.

The probe expects the Application log to be defined as "Application" and not "application".

Check the probe configuration to see whether this is occurring.

If so, replace "application" with "Application".

 

Example:

from:

 

<logs>
   system = System
   application = application
   windows powershell = Windows PowerShell
</logs>

 

to:

 

<logs>
   system = System
   application = Application
   windows powershell = Windows PowerShell
</logs>

 

SCENARIO 2

The watcher is defined as below:

<AWatcher_Profile>
   active = yes
   description = Match on Event 1234
   level = critical
   logs = System
   severity = 1
   source = Netlogon

 

 

Event is raised:

 

As "NETLOGON" does not match "Netlogon", the match will not occur.

The match is case-sensitive.
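
The check below is an added example, not part of the original article or the probe. It parses the section layout shown above and reports values in the "logs" section, or in a profile's logs/source keys, that differ only by letter case from the names the host actually uses. The sample configuration is constructed from the two snippets on this page; parse_cfg, case_mismatches, host_logs and event_sources are hypothetical names, and the lists of host log names and event sources are assumed to be supplied by the administrator.

```python
import re

# Constructed sample built from the two snippets on this page (closing tag added).
SAMPLE_CFG = """\
<logs>
   system = System
   application = application
   windows powershell = Windows PowerShell
</logs>
<AWatcher_Profile>
   logs = System
   source = Netlogon
</AWatcher_Profile>
"""

def parse_cfg(text):
    """Parse the <section> / 'key = value' layout into nested dicts."""
    root = {}
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.fullmatch(r"<\s*([^/].*?)\s*>", line)
        if re.fullmatch(r"</.*>", line):
            if len(stack) > 1:
                stack.pop()
        elif opened:
            stack.append(stack[-1].setdefault(opened.group(1), {}))
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root

# host_logs / event_sources: names exactly as the host reports them (assumed inputs).
def case_mismatches(cfg, host_logs, event_sources):
    """Return (location, configured, expected) where only letter case differs."""
    findings = []
    def check(where, value, known):
        expected = {k.casefold(): k for k in known}.get(value.casefold())
        if expected is not None and expected != value:
            findings.append((where, value, expected))
    def walk(path, section):
        for key, value in section.items():
            here = f"{path}/{key}" if path else key
            if isinstance(value, dict):
                walk(here, value)
            elif path.split("/")[-1] == "logs" or key == "logs":
                check(here, value, host_logs)
            elif key == "source":
                check(here, value, event_sources)
    walk("", cfg)
    return findings
```

Each finding names a setting that would suppress alarms without any configuration error being reported, so an empty result is the state to aim for before relying on the profile.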