Remote-monitoring event log trap action-definition file
Format
retry-times number-of-retries
retry-interval retry-interval
trap-interval monitoring-interval
matching-level comparison-level
filter-check-level filter-check-level
# filter
filter log-type
conditional-statement-1
conditional-statement-2
:
conditional-statement-n
end-filter
File
Use any file.
Storage directory
- In Windows: Any folder
- In UNIX: Any directory
Description
This file defines the actions of the event log trapping function for remote monitoring. The contents of this file are referenced when the remote monitoring event log trapping function is started.
This file is compatible with the action definition file of the event log trapping function for JP1/Base. For details about changing the monitoring configuration of the remote monitoring event log trapping function to the monitoring configuration of the event log trapping function for JP1/Base, see 2.3 Notes on changing the monitoring configuration from remote to agent in the Job Management Partner 1/Integrated Management - Manager Administration Guide.
When the definitions are applied
The settings for the remote-monitoring event log trap action-definition file take effect at the following times:
- When a reload or restart operation is executed from the Display/Edit Profiles window
  For details about the Display/Edit Profiles window, see 4.9 Display/Edit Profiles window in the manual Job Management Partner 1/Integrated Management - Manager GUI Reference.
- When the jcfaleltstart or jcfaleltreload command is executed
  For details about the jcfaleltstart command, see jcfaleltstart (Windows only) in 1. Commands. For details about the jcfaleltreload command, see jcfaleltreload (Windows only) in 1. Commands.
- When JP1/IM - Manager is restarted
Information that is specified
- retry-times
  Specify a value from 0 to 86,400 for the number of retries to be attempted when a connection to an event service cannot be established due to a temporary communication failure. If this parameter is omitted, no retry operation is performed. If the specified number of retries has been attempted but none have been successful, an error occurs. By combining retry-times and retry-interval, you can set a time equal to or longer than 24 hours, but if you do so and 24 hours or more passes after a retry attempt starts, retry processing stops.
- retry-interval
  Specify a value from 1 to 600 (seconds) for the interval between retries to be performed when a connection to an event service could not be established due to a temporary communication failure. If this value is omitted, 10 seconds is assumed.
- trap-interval
  Specify a value from 60 to 86,400 (seconds) as the interval for monitoring event logs. If this value is omitted, 300 (seconds) is assumed. Event log traps monitor event logs at a fixed interval.
- matching-level
  Specify the comparison level between an event log and the definition for the case where the message or category attribute is specified in a filter but the explanatory text of the event log cannot be read because the message DLL or the category DLL is not set correctly. If 0 is specified, those items are not compared and checking proceeds to the next filter. If 1 is specified, the items are compared. If this parameter is omitted, 0 is assumed.
- filter-check-level
  Specify the check level when an invalid log type (a type that does not exist in the system) or an invalid regular expression is specified for a filter. If 0 is specified and a filter contains an invalid log type or regular expression, the applicable filter is disabled. If at least one valid filter exists, the remote-monitoring event log trap is started or loaded successfully. If there is no valid filter, the remote-monitoring event log trap fails to start or reload. If 1 is specified and the filter has at least one invalid log type or regular expression, the remote-monitoring event log trap fails to start or reload. If this parameter is omitted, 0 is assumed.
- filter to end-filter
  - log-type
    Specify the type of event log to be monitored.
    Example:
      Application
      Security
      System
      DNS Server
      Directory Service
      File Replication Service
      DFS Replication
    When the same log type is specified for multiple filters, the condition is satisfied if the conditions for any one of the filters are met.
  - conditional-statement
    A conditional statement takes one of the following forms:
    When a value other than type is specified for the attribute:
      attribute-specification regular-expression-1 regular-expression-2 regular-expression-3...
    When type is specified for the attribute:
      type log-type-1 log-type-2 log-type-3...
    The condition is satisfied if any one of the regular expressions (or log types) listed after the attribute specification matches. Note that the AND condition is applied between the conditional statements in a filter, and the OR condition is applied between filters.
  - Attribute settings
    The following table explains the attribute settings.
    Attribute name   Description
    type             Log type
    source           Source
    category         Category
    id               Event ID
    user             User
    message          Description
    computer         Computer name
    Note
    When message is set as the attribute, an event log whose description contains Description related to xxx was not found (the wording used when a message DLL is not found) cannot generate a message. As a result, an error indicating that the filter conditions cannot be matched occurs, and the log is excluded as a trap target. Even if the character strings to be trapped are contained in the inserted paragraph, the log is not trapped.
  - Regular expressions
    A regular expression is expressed as a character string enclosed in single quotation marks (') and is specified as 'xxxxx'. In the form !'...', with an exclamation mark preceding the initial single quotation mark, the condition matches any character string other than one matching the specified regular expression. If you want to specify a single quotation mark (') as part of a regular expression, enter it as the escape sequence \'. Regular expressions can be specified only when the attribute is not type.
  - Log types
    The following table lists and describes the log types.
    Log type        Description        Event level
    Information     Information        Information
    Warning         Warning            Warning
    Error           Error              Error
    Audit_success   Successful audit   Notice
    Audit_failure   Failed audit       Notice
Example definition
- Example definition 1: OR and AND conditions
  - Example definition for the OR condition
    When the log type is system log, and TEXT, MSG, or -W is contained in the description:
      filter "System"
      message 'TEXT' 'MSG' '-W'
      end-filter
    If you separate conditions with a space or a tab, the OR condition is applied.
  - Example definition for the AND condition
    When the log type is system log, and TEXT, MSG, and -W are all contained in the description:
      filter "System"
      message 'TEXT'
      message 'MSG'
      message '-W'
      end-filter
    If you separate conditions with a linefeed, the AND condition is applied. After a linefeed, start a new line with the attribute name.
- Example definition 2: Setting multiple filters
  Trap event logs whose log type is application log and that satisfy either of the following conditions:
  - filter-1
    Type: Application log
    Category: Error
    Description: Contains -E and JP1/Base.
  - filter-2
    Type: Application log
    Category: Warning
    Description: Contains -W or warning.
  Definition:
    #filter-1
    filter "Application"
    type Error
    message '-E'
    message 'JP1/Base'
    end-filter
    #filter-2
    filter "Application"
    type Warning
    message '-W' 'warning'
    end-filter
- Example definition 3: Using regular expressions
  Trap event logs that satisfy all of the following conditions:
  - Type: Application log
  - Category: Error
  - Event ID: 111
  - Description: Contains -E or MSG, but not TEXT.
  Definition:
    filter "Application"
    type Error
    id '^111$'
    message '-E' 'MSG'
    message !'TEXT'
    end-filter
  If you want to set event ID 111 as a condition, specify the regular expression id '^111$'. Specifying id '111' creates a condition that means that the value 111 is included in the ID, so an event ID such as 1112 or 0111 also satisfies the condition. If an exclamation mark (!) is inserted before the first single quotation mark, any data that does not match the specified regular expression is selected. The regular expression is fixed to the extended regular expression of JP1/Base. For details about extended regular expressions, see the description about the regular expression syntax in the Job Management Partner 1/Base User's Guide.
- Example definition 4: Do not convert specific event logs
  Do not trap event logs whose log type is system log, whose event level is warning, and which satisfy all of the following conditions:
  - Source: AAA
  - Event ID: 111
  - Description: Contains TEXT.
  Definition:
    #Event logs for which source is AAA are not trapped.
    filter "System"
    type Warning
    source !'AAA'
    end-filter
    #Event logs for which source is AAA, and event ID is a value other than 111, are trapped.
    filter "System"
    type Warning
    source 'AAA'
    id !'^111$'
    end-filter
    #Event logs for which source is AAA and event ID is 111, but whose description does not include TEXT, are trapped.
    filter "System"
    type Warning
    source 'AAA'
    id '^111$'
    message !'TEXT'
    end-filter
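As an added example (not code from the JP1 manual or product), the following Python evaluator applies the matching rules that Example definitions 1 to 4 rely on: OR between the tokens of one statement, AND between the statements of a filter, OR between filters, !'...' negation, and the difference between the anchored id '^111$' and an unanchored pattern. The event record keys (log, type, source, id, message) are an assumption of this example, and the embedded definition is Example definition 3 from this page.

```python
import re

# Added example, not JP1's own code: apply the filter ... end-filter rules of an
# action-definition file to event records shaped like {'log', 'type', 'id', 'message', ...}.
def parse_filters(text):
    """Return [(log_name, [(attribute, [(negated, pattern), ...]), ...]), ...]."""
    filters, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):       # blank or comment line
            continue
        if line.startswith('filter '):
            current = (line.split(None, 1)[1].strip().strip('"'), [])
        elif line == 'end-filter':
            filters.append(current)
            current = None
        elif current is not None:                  # conditional statement inside a filter
            attr, rest = line.split(None, 1)
            if attr == 'type':                     # type takes bare log types, not regexes
                tokens = [(False, t) for t in rest.split()]
            else:                                  # 'regex' or !'regex'; \' escapes a quote
                tokens = [(neg == '!', pat.replace("\\'", "'"))
                          for neg, pat in re.findall(r"(!?)'((?:\\'|[^'])*)'", rest)]
            current[1].append((attr, tokens))
    return filters

def statement_matches(attr, tokens, event):
    """OR across the tokens of one statement; !'...' inverts that token's result."""
    value = str(event.get(attr, ''))
    if attr == 'type':
        return any(value == t for _, t in tokens)
    return any(bool(re.search(pat, value)) != neg for neg, pat in tokens)

def is_trapped(filters, event):
    """AND between the statements of one filter, OR between filters."""
    return any(event['log'] == name and all(statement_matches(a, t, event) for a, t in stmts)
               for name, stmts in filters)

# Example definition 3 from the page as the sample input; keys outside filter
# blocks (trap-interval here) are not part of any filter and are skipped.
SAMPLE_DEFINITION = """\
trap-interval 300
filter "Application"
type Error
id '^111$'
message '-E' 'MSG'
message !'TEXT'
end-filter
"""
FILTERS = parse_filters(SAMPLE_DEFINITION)
```

With the sample definition, a constructed Application/Error record with event ID 111 and a description containing -E is trapped, while the same record with event ID 1112, or with TEXT in its description, is not.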