Job Management Partner 1/Base User's Guide



Action definition file for event log trapping (Windows only)

Format

server event-server-name
retry-times retry-count
retry-interval retry-interval
trap-interval monitoring-interval
matching-level comparison-level
filter-check-level filter-check-level
jp1event-send JP1-event-issuance
# filter
filter log-type
condition-statement-1
condition-statement-2
:
condition-statement-n
end-filter

File name

ntevent.conf

Storage destination directory

installation-folder\conf\event\

Description

Specifies the conditions for converting event log data into JP1 events and the event-log monitoring interval.

Application of settings

To apply the settings, start the event log trapping service or reload the action definition file for event log trapping by executing the jeveltreload command. For details on the jeveltreload command, see jeveltreload (Windows only) in 13. Commands.

Definition details

An action definition file for event log trapping (ntevent.conf) consists of a destination event server name, retry setting, and one or more filters. Comments are marked with hash marks and disregarded.

server event-server-name
Specify the name of the destination event server for registering JP1 events converted from the event log. Specify a server name that is no more than 255 bytes. Enclose the event server name with double quotation marks. You can only specify an event server that runs on the local host. When no event server is specified, the local host name is assumed.

retry-times retry-count
Specify the number of retries to perform when a connection to the event service fails due to a temporary communication error. Specify a number from 0 to 86400. By default, retry processing is not performed.

retry-interval retry-interval
Specify the retry interval when a connection to the event service fails due to a temporary communication error. This parameter is valid only when you specify a value of 1 or greater in retry-times. The retry interval is the length of time from when the trap fails to connect to the event service until when it next tries to establish connection. This interval does not include the time required for the connection processing. Specify a number from 1 to 600 (seconds). The default is 10.

trap-interval monitoring-interval
Specify the interval over which to monitor the event log. The event log trapping function monitors the event log in real time and also at set intervals. Specify a number from 1 to 180 (seconds). The default is 10.

matching-level [0|1]
Specify the comparison level for the event log and definitions when the explanation about the log entry cannot be read because you specified the message or category attribute in a filter condition but the message DLL or category DLL is not properly configured. When 0 is specified, the next filter condition will be compared skipping the current one. When 1 is specified, the current filter condition is compared. The default is 0.

filter-check-level [0|1]
Specify the checking level applied when an invalid log type (a log type that does not exist in the system) or an invalid regular expression is found in a filter condition. When 0 is specified, a filter condition that contains an invalid log type or invalid regular expression is invalidated. If there are one or more valid filter conditions, the service will start up and the settings will be reloaded successfully. If there are no valid filter conditions, the service will not start up and the settings will not be reloaded. When 1 is specified and one or more of the filter conditions contains an invalid log type or invalid regular expression, the service will not start up and the settings will not be reloaded. The default is 0.

jp1event-send [0|1]
Specify whether to output a message when the event log acquisition fails while monitoring the event log. When 0 is specified, a JP1 event is not output even if the event log acquisition fails. When 1 is specified, a JP1 event (00003A73) is output when the event log acquisition fails. Monitoring might be resumed after the JP1 event indicating failure of event log acquisition. In this case, a JP1 event (00003A74) is output. The default is 0.
Note that a message is output to the integrated trace log regardless of the setting of this parameter. For details on JP1 events, see 15.3 JP1 event details.

Filter syntax

A filter is a set of condition statements for converting event log data into JP1 events. The condition statements within a filter are AND conditions, and those between filters are OR conditions. If you specify multiple filters, conversion is performed when any one of the filters is satisfied. You must specify at least one filter condition. The following figure shows the syntax conventions of a filter.

Figure 14-6 Filter syntax conventions (action definition file for event log trapping)

[Figure]

Log type

Specify the type of event logs to be monitored. The log type is the name of each log listed in the Windows Event Viewer. Enclose the log type with double quotation marks.

Log types specifiable (six types):
"Application"
"Security"
"System"
"DNS Server"
"Directory Service"
"File Replication Service"

When the same log type is specified in multiple filters, the event log will be monitored if any one of the filters succeeds.

Condition statement format

In condition-statement, specify one of the attribute names listed in the table below and the items displayed in the corresponding event viewer.

Table 14-11 Attribute names that can be specified in filter condition statements

Attribute name   Meaning
type             Log types
source           Information about the source displayed in the Event Viewer Details window
category#        Information about the category displayed in the Event Viewer Details window
id               Information about the event ID displayed in the Event Viewer Details window
user             User name displayed in the Event Viewer Details window
message#         Explanatory information displayed in the Event Viewer Details window
computer         Computer name displayed in the Event Viewer Details window

#:


The coding format is shown below.

type log-type-1 log-type-2 log-type-3...
Specify log types. When multiple types are specified, the condition will be satisfied when a match is found with any one of the specified types. The severity level of a JP1 event after conversion depends on the log type. The following table lists the specifiable log types and the corresponding JP1 event severity.

Table 14-12 Log types specifiable in type and the corresponding JP1 event severity

Log type        Contents          JP1 event severity
Information     Information       Information
Warning         Warning           Warning
Error           Error             Error
Audit_success   Audit succeeded   Notice
Audit_failure   Audit failed      Notice
Log types not listed in the above table cannot be specified in type. In addition, when converting log data to something other than a listed type, the JP1 event severity level is set to Information.

Attribute names other than type
attribute-name 'regular-expression-1' 'regular-expression-2' 'regular-expression-3'...
Specify a condition on an attribute other than type by using regular expressions. Enclose each regular expression in single quotation marks. To set an exclusion condition, write an exclamation mark in front of the value enclosed in single quotation marks; data that does not match the regular expression is then converted. The regular expressions that you can use depend on the OS. For details on the syntax of regular expressions, see F. Syntax of Regular Expressions.

Notes

Supplied action definition file for event log trapping

According to the setting in the supplied action definition file for event log trapping (ntevent.conf), if a connection to the event service fails, the event log trap will retry three times, once per 10-second interval. As conditions for conversion to JP1 events, the defaults also specify that Warning and Error entries output to the System log or Application log are to be converted into JP1 events. The following table shows the settings of the provided file:

 
retry-times 3
retry-interval 10
 
filter "System"
    type Warning Error
end-filter 
 
filter "Application"
    type Warning Error
end-filter 

When the action definition file for event log trapping (ntevent.conf) and forwarding settings file (forward) are used by default, if a JP1 event fails to transfer, the error message KAJP1037-E will be output to the event log and converted into a JP1 event. The converted JP1 event is then resent, and another transfer error will occur.

To prevent the event transfer from looping, change the setting in the action definition file, so that the message KAJP1037-E will not be trapped. A setting example is shown below:

 
retry-times 3
retry-interval 10
 
filter "System"
    type Warning Error
end-filter 
 
# Trap event log entries with severity level Error or Warning
# that were not output by the JP1/Base Event service.
filter "Application"
    type Warning Error
    source !'JP1/Base Event'
end-filter 
 
# Trap event log entries with severity level Error or Warning
# from the JP1/Base Event service, except entries with ID 1037.
filter "Application"
    type Warning Error
    source 'JP1/Base Event'
    id !'1037'
end-filter 
 

Examples of defining a filter

Definition example 1: Using OR and AND conditions

Definition example using an OR condition
Select data entries of the System log type containing any one of the strings TEXT, MSG, or -W in the explanatory information.
 
filter "System"
    message 'TEXT' 'MSG' '-W' 
end-filter 
 
Specify an OR condition by separating conditions using spaces and tab characters.

Definition example using an AND condition
Select data entries of the System log type containing all of the strings TEXT, MSG, and -W in the explanatory information.
 
filter "System"
    message 'TEXT'
    message 'MSG'
    message '-W'
end-filter 
 
Specify an AND condition by separating conditions using a linefeed character. After inserting a linefeed character, write the condition starting from the attribute names.

Definition example 2: Using multiple filters
Trap event log entries that have the Application log type and that satisfy the following conditions.

Filter 1:
  • Type: Application log
  • Type: Error
  • Explanation: Contains -E and JP1/Base.

Filter 2:
  • Type: Application log
  • Type: Warning
  • Explanation: Contains -W or warning.
 
# Filter 1
filter "Application"
    type Error
    message '-E'
    message 'JP1/Base'
end-filter 
# Filter 2
filter "Application"
    type Warning
    message '-W' 'warning'
end-filter 

Definition example 3: Using regular expressions
Trap event log entries that satisfy the following conditions.
  • Type: Application log
  • Type: Error
  • Event ID: 111
  • Explanation: Contains -E or MSG, and does not contain TEXT.
 
filter "Application"
    type Error
    id '^111$'
    message '-E' 'MSG'
    message !'TEXT'
end-filter 
To specify the event ID 111 condition using a regular expression, specify id '^111$'. If you specify id '111', the event ID must contain 111, so event IDs 1112 and 0111 will also satisfy the condition. Writing an exclamation mark in front of the value enclosed with quotation marks selects data that does not match the regular expression. For details on regular expressions, see F. Syntax of Regular Expressions.

Definition example 4: Excluding specific event log entries
Trap event log entries that have System log type and a Warning severity level, but exclude entries that satisfy the following conditions.
  • Source: AAA
  • Event ID: 111
  • Explanation: Contains TEXT.
# Do not trap event log entries from source AAA.
filter "System"
    type Warning
    source !'AAA'
end-filter 
# Trap all event log entries from source AAA, 
# except those with an event ID of 111.
filter "System"
    type Warning
    source 'AAA'
    id !'^111$'
end-filter 
# From source AAA, trap all event log entries 
# whose event ID is 111 and do not contain TEXT 
# in the explanatory information.
filter "System"
    type Warning
    source 'AAA'
    id '^111$'
    message !'TEXT'
end-filter 
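
The following is an added example, not part of the original guide or of JP1/Base: a small Python model of the filter semantics described on this page (statements within a filter are ANDed, filters are ORed, values on one line are ORed, and ! inverts a value), applied to the loop-prevention filters from the Notes. Python's re module stands in for the OS-dependent regular expression engine, the event dictionaries and function names are assumptions, and treating a line that mixes plain and negated values as an OR is also an assumption.

```python
import re
# Constructed sample: the loop-prevention filters from the Notes section above.
SAMPLE_CONF = """\
filter "System"
    type Warning Error
end-filter
filter "Application"
    type Warning Error
    source !'JP1/Base Event'
end-filter
filter "Application"
    type Warning Error
    source 'JP1/Base Event'
    id !'1037'
end-filter
"""

def parse_filters(text):
    """Return [(log_name, [(attribute, [(negated, value), ...]), ...]), ...]."""
    filters, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        if line.startswith("filter "):
            current = (line.split(None, 1)[1].strip('"'), [])
        elif line == "end-filter":
            filters.append(current)
            current = None
        elif current is not None:         # a condition statement inside a filter
            attr, rest = line.split(None, 1)
            if attr == "type":
                values = [(False, v) for v in rest.split()]
            else:
                values = [(b == "!", p) for b, p in re.findall(r"(!?)'([^']*)'", rest)]
            current[1].append((attr, values))
    return filters

def statement_matches(attr, values, event):
    field = str(event.get(attr, ""))
    if attr == "type":
        return any(v == field for _, v in values)
    # Values on one line are ORed; '!' inverts that value's regex match.
    return any((re.search(p, field) is None) == neg for neg, p in values)

def is_trapped(filters, event):
    """Statements in a filter are ANDed; filters are ORed."""
    return any(log == event["log"] and all(statement_matches(a, v, event) for a, v in stmts)
               for log, stmts in filters)
```

In this model an event with ID 10371 from source JP1/Base Event is excluded as well as ID 1037, because id !'1037' is an unanchored match, the same behavior the page describes for id '111'. When an exclusion is meant to drop exactly one event ID, check it with anchors as in definition example 3 so that unrelated entries are not silently left out of monitoring.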


All Rights Reserved. Copyright (C) 2009, Hitachi, Ltd.