Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Integrated Management - Manager Command and Definition File Reference


Remote-monitoring event log trap action-definition file

Format

retry-times number-of-retries
retry-interval retry-interval
trap-interval monitoring-interval
matching-level comparison-level
filter-check-level filter-check-level
# filter
filter log-type
    conditional-statement-1
    conditional-statement-2
      :
    conditional-statement-n
end-filter

File

Use any file.

Storage directory

In Windows

Any folder

In UNIX

Any directory

Description

This file defines the actions of the event log trapping function for remote monitoring. The contents of the file are referenced when the remote-monitoring event log trapping function is started.

This file is compatible with the action definition file of the event log trapping function for JP1/Base. For details about changing the monitoring configuration of the remote monitoring event log trapping function to the monitoring configuration of the event log trapping function for JP1/Base, see 2.3 Notes on changing the monitoring configuration from remote to agent in the Job Management Partner 1/Integrated Management - Manager Administration Guide.

When the definitions are applied

The settings for the remote-monitoring event log trap action-definition file take effect at the following times:

Information that is specified

retry-times

Specify a value from 0 to 86,400 for the number of retries to be attempted when a connection to an event service cannot be established due to a temporary communication failure. If this parameter is omitted, no retry operation is performed. If the specified number of retries has been attempted but none have been successful, an error occurs. By combining retry-times and retry-interval, you can set a time equal to or longer than 24 hours, but if you do so and 24 hours or more passes after a retry attempt starts, retry processing stops.

retry-interval

Specify a value from 1 to 600 (seconds) for the interval between retries to be performed when a connection to an event service could not be established due to a temporary communication failure. If this value is omitted, 10 seconds is assumed.

trap-interval

Specify a value from 60 to 86,400 (seconds) as the interval for monitoring event logs. If this value is omitted, 300 (seconds) is assumed. Event log traps monitor event logs at a fixed interval.

matching-level

Specify how an event log is compared with the definition when the message or category attribute is specified for a filter but the explanatory text of the event log cannot be read because the message DLL or the category DLL is not set correctly. If 0 is specified, the items are not compared, and comparison moves on to the next filter. If 1 is specified, the items are compared. If this parameter is omitted, 0 is assumed.

filter-check-level

Specify the check level that applies when an invalid log type (a type that does not exist in the system) or an invalid regular expression is specified for a filter. If 0 is specified and a filter contains an invalid log type or regular expression, the applicable filter is disabled. If at least one valid filter exists, the remote-monitoring event log trap is started or reloaded successfully. If there is no valid filter, the remote-monitoring event log trap fails to start or reload. If 1 is specified and at least one filter contains an invalid log type or regular expression, the remote-monitoring event log trap fails to start or reload.

If this parameter is omitted, 0 is assumed.

filter to end-filter

log-type

Specify the type of event log to be monitored.

Examples:

  • Application

  • Security

  • System

  • DNS Server

  • Directory Service

  • File Replication Service

  • DFS Replication

When the same log type is specified for multiple filters, the condition is satisfied if the conditions for any one of the filters are met.

conditional-statement

The following explains the conditional-statement:

When a value other than type is specified for the attribute:

attribute-specification regular-expression-1 regular-expression-2 regular-expression-3...

When type is specified for the attribute:

type log-type-1 log-type-2 log-type-3...

The above condition is satisfied if any of the regular expressions (or log types) listed after the attribute specification matches. Note that the AND condition is applied between the conditional statements in a filter, and the OR condition is applied between filters.

Attribute settings

The following table explains the attribute settings.

| Attribute name | Description |
|---|---|
| type | Log type |
| source | Source |
| category | Category |
| id | Event ID |
| user | User |
| message | Description |
| computer | Computer name |

Note

When message is set as the attribute, no message can be generated for an event log whose description contains "Description related to xxx was not found" (the wording used when a message DLL is not found). As a result, an error indicating that filter condition matching is not possible occurs, and the log is excluded as a trap target. If character strings to be trapped are contained in the inserted paragraph, the log is not trapped.

Regular expressions

A regular expression is written as a character string enclosed in single quotation marks ('), in the form 'xxxxx'. In the form !'...', with an exclamation mark preceding the opening single quotation mark, the condition matches any string other than the specified character string. To specify a single quotation mark (') as part of a regular expression, escape it as \'. Regular expressions can be specified only when the attribute is not type.

Log types

The following table lists and describes the log types.

| Log type | Description | Event level |
|---|---|---|
| Information | Information | Information |
| Warning | Warning | Warning |
| Error | Error | Error |
| Audit_success | Successful audit | Notice |
| Audit_failure | Failed audit | Notice |

Example definition

Example definition 1: OR and AND conditions

Example definition for the OR condition

When the log type is system log, and TEXT, MSG, or -W is contained in the description.

filter "System"
    message 'TEXT' 'MSG' '-W'
end-filter

If you separate conditions with a space or a tab, the OR condition is applied.

Example definition for the AND condition

When the log type is system log, and TEXT, MSG, and -W are all contained in the description.

filter "System"
    message 'TEXT'
    message 'MSG'
    message '-W'
end-filter

If you separate conditions with a linefeed, the AND condition is applied. After a linefeed, start a new line with the attribute name.

Example definition 2: Setting multiple filters

Trap event logs whose log type is application log and that satisfy the following condition:

filter-1

  • Type: Application log

  • Category: Error

  • Description: Contains -E and JP1/Base.

filter-2

  • Type: Application log

  • Category: Warning

  • Description: Contains -W or warning.

#filter-1
filter "Application"
    type Error
    message '-E'
    message 'JP1/Base'
end-filter
#filter-2
filter "Application"
    type Warning
    message '-W' 'warning'
end-filter

Example definition 3: Using regular expressions

Trap event logs that satisfy the following conditions:

  • Type: Application log

  • Category: Error

  • Event ID: 111

  • Description: Contains -E or MSG, but not TEXT.

filter "Application"
    type Error
    id '^111$'
    message '-E' 'MSG'
    message !'TEXT'
end-filter

If you want to set event ID 111 as a condition, specify the regular expression id '^111$'. Specifying id '111' creates a condition that means that the value 111 is included in the ID. Therefore, an event ID such as 1112 or 0111 satisfies the condition. If an exclamation mark (!) is inserted before the first single quotation mark, any data that does not match the specified regular expression is selected. The regular expression is fixed to the extended regular expression of JP1/Base. For details about extended regular expressions, see the description about the regular expression syntax in the Job Management Partner 1/Base User's Guide.

Example definition 4: Do not convert specific event logs

Do not trap event logs whose log type is system log, whose event level is warning, and which satisfy the following conditions:

  • Source: AAA

  • Event ID: 111

  • Description: Contains TEXT.

#Event logs for which source is a value other than AAA are trapped.
filter "System"
    type Warning
    source !'AAA'
end-filter
#Event logs for which source is AAA, and event ID is a value other than 111 are trapped.
filter "System"
    type Warning
    source 'AAA'
    id !'^111$'
end-filter
#Event logs for which source is AAA and event ID is 111, but whose description does not include TEXT are trapped.
filter "System"
    type Warning
    source 'AAA'
    id '^111$'
    message !'TEXT'
end-filter
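
The matching rules described on this page (OR within a line, AND between lines, OR between filters, !'...' negation, unanchored matching) can be checked before a definition is deployed. The following is an added example, not Hitachi code: it assumes Python's re module as a stand-in for the JP1/Base extended regular expressions, uses constructed events, and does not model matching-level or filter-check-level; parse_filters, is_trapped and sample_event are hypothetical names.

```python
import re

TERM = re.compile(r"(!?)'((?:\\.|[^'\\])*)'")  # 'regex' or !'regex'; \' escapes a quote

def parse_filters(text):
    """Return [(log_name, [(attribute, values), ...]), ...]; other lines are ignored."""
    filters, conds = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "filter":
            conds = []
            filters.append((rest.strip().strip('"'), conds))
        elif keyword == "end-filter":
            conds = None
        elif conds is not None and keyword == "type":
            conds.append(("type", rest.split()))
        elif conds is not None:
            conds.append((keyword, [(neg == "!", re.compile(pat.replace("\\'", "'")))
                                    for neg, pat in TERM.findall(rest)]))
    return filters

def condition_met(attr, values, ev):
    if attr == "type":                       # plain log types, OR within the line
        return ev["type"] in values
    field = str(ev.get(attr, ""))
    # OR within the line; !'re' is satisfied when the regex does NOT match
    return any((rx.search(field) is None) == negate for negate, rx in values)

def is_trapped(filters, ev):
    """OR between filters for the same log, AND between the lines of one filter."""
    return any(log == ev["log"] and all(condition_met(a, v, ev) for a, v in conds)
               for log, conds in filters)

# Example definition 3 from the page; LOOSE swaps in the unanchored id '111'.
STRICT = """filter "Application"
    type Error
    id '^111$'
    message '-E' 'MSG'
    message !'TEXT'
end-filter"""
LOOSE = STRICT.replace("'^111$'", "'111'")

def sample_event(event_id, message):         # constructed event, not real log data
    return {"log": "Application", "type": "Error", "id": event_id, "message": message}
```

With LOOSE, a constructed event with ID 1112 is trapped while STRICT rejects it, which is the difference between id '111' and id '^111$' described for Example definition 3.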