Remote-monitoring event log trap action-definition file
Format
retry-times number-of-retries
retry-interval retry-interval
open-retry-times number-of-retries-for-event-log-collection
open-retry-interval retry-interval-for-event-log-collection
trap-interval monitoring-interval
matching-level comparison-level
filter-check-level filter-check-level
# filter
filter log-type [id=event-ID] [trap-name=log-file-trap-name]
conditional-statement-1
conditional-statement-2
:
conditional-statement-n
end-filter
File
Use any file.
Storage directory
- In Windows
-
Any folder
- In UNIX
-
Any directory
Description
This file defines the actions of the event log trapping function for remote monitoring. The contents of this file are referenced when the remote-monitoring event log trapping function is started.
If you use UTF-8 as the encoding to save a file, save the file without attaching a BOM (byte order mark).
When the definitions are applied
The settings for the remote-monitoring event log trap action-definition file take effect at the following times:
-
When a reload or restart operation is executed from the Display/Edit Profiles window
For details about the Display/Edit Profiles window, see 4.9 Display/Edit Profiles window in the manual JP1/Integrated Management - Manager GUI Reference.
-
When the jcfaleltstart or jcfaleltreload command is executed
For details about the jcfaleltstart command, see jcfaleltstart (Windows only) in Chapter 1. Commands. For details about the jcfaleltreload command, see jcfaleltreload (Windows only) in Chapter 1. Commands.
-
When JP1/IM - Manager is restarted
Information that is specified
- retry-times
-
Specify a value from 0 to 86,400 for the number of retries to be attempted when a connection to an event service cannot be established due to a temporary communication failure. If this parameter is omitted, no retry operation is performed. If the specified number of retries has been attempted but none have been successful, an error occurs. By combining retry-times and retry-interval, you can set a time equal to or longer than 24 hours, but if you do so and 24 hours or more passes after a retry attempt starts, retry processing stops.
- retry-interval
-
Specify a value from 1 to 600 (seconds) for the interval between retries to be performed when a connection to an event service could not be established due to a temporary communication failure. If this value is omitted, 10 seconds is assumed.
- open-retry-times
-
Specify a value from 1 to 3,600 as the number of times to retry the event log collection processing when the processing fails or the connection to the monitored host fails. If this value is omitted, a retry count of 3 times is assumed. When the specified number of retries is exceeded, the monitoring of log files stops.
- open-retry-interval
-
Specify a value from 3 to 600 (seconds) as the interval between retries when the event log collection processing fails or the connection to the monitored host fails. If this value is omitted but a value is specified for trap-interval, the value specified for trap-interval is assumed. If trap-interval is not specified, 300 seconds is assumed. The retry interval is the length of time before a retry is attempted after an error occurs.
- trap-interval
-
Specify a value from 60 to 86,400 (seconds) as the interval for monitoring event logs. If this value is omitted, 300 (seconds) is assumed. Event log traps monitor event logs at a fixed interval. When the version of JP1/Base is 11-00 or later, trap-interval is not required to be set.
- matching-level
-
Specify how an event log is compared with the definition when the message or category attribute is specified for a filter but the explanatory text of the event log cannot be read because the message DLL or the category DLL is not set correctly. If 0 is specified, the event log is not compared with that filter and comparison proceeds to the next filter. If 1 is specified, the comparison is performed. If this parameter is omitted, 0 is assumed.
- filter-check-level
-
Specify the check level when an invalid log type (a type non-existent in the system) or an invalid regular expression is specified for a filter. If 0 is specified and a filter contains an invalid log type or regular expression, the applicable filter is disabled. If at least one valid filter exists, the remote-monitoring event log trap is started or loaded successfully. If there is no valid filter, the remote-monitoring event log trap fails to start or reload. If 1 is specified and the filter has at least one invalid log type or regular expression, the remote-monitoring event log trap fails to start or reload.
If this parameter is omitted, 0 is assumed.
- filter to end-filter
-
- log-type
-
Specify the type of event log to be monitored.
Example:
Application
Security
System
DNS Server
Directory Service
File Replication Service
DFS Replication
When the same log type is specified for multiple filters, the condition is satisfied if the conditions for any one of the filters are met.
- [id=event-ID]
-
Specify an event ID for registering a JP1 event on an event server. Write the ID in hexadecimal notation and separate the first four bytes (basic code) and the last four bytes (extended code) of the event ID by a colon (:). When entering hexadecimal notation, use uppercase A to F. Note that the last four bytes (the four bytes after the colon) can be omitted, in which case 0 is assumed for the omitted value. Zeros (0) are also inserted for any non-specified digits, beginning on the left side, if either the first or last four bytes have fewer than eight digits. Use a user-specifiable value from 0:0 to 1FFF:0 and 7FFF8000:0 to 7FFFFFFF:0. There can be no space or tab between id= and the value. However, there must be a space between log-type and log-file-trap-name. If you omit this value, event ID 00003A71 is assumed. Event ID format examples are provided below.
Example:
The following three specifications have the same meaning:
0000011A:00000000
11A:0
11A
- [trap-name=log-file-trap-name]
-
Specify a log file trap name to determine the corresponding filter for the registered JP1 event converted from the event log. The first character of log-file-trap-name must be an alphanumeric character. Uppercase and lowercase are distinguished. Do not add a space or tab. If this parameter is omitted, the extended attribute E.JP1_TRAP_NAME is not created at the time of JP1 event conversion.
- conditional-statement
-
The following explains the conditional-statement:
When a value other than type is specified for the attribute:
attribute-specification regular-expression-1 regular-expression-2 regular-expression-3...
When type is specified for the attribute:
type log-type-1 log-type-2 log-type-3...
The above condition is satisfied if any of the regular expressions (or log types) listed after the attribute specification matches. Note that the AND condition is applied between the conditional statements in a filter, and the OR condition is applied between filters.
- Attribute settings
-
The following table explains the attribute settings.

Attribute name   Description
type             Log type
source           Source
category         Category
id               Event ID
user             User
message          Description
computer         Computer name
Note
When message is set as the attribute, an event log whose description contains Description related to xxx was not found (the wording used when a message DLL is not found) cannot generate a message. As a result, the log is excluded as a trap target. If the character strings to be trapped are contained in the inserted text, the log is still not trapped.
In the above case, make sure that the message DLL mentioned in the event log description is properly configured in accordance with the Windows event log mechanism. If the message DLL is not properly configured, the log might fail to be trapped because the description cannot be read from the event log. If you want to trap a message with no message DLL, set the matching-level parameter to 1.
For details about the log information that can be monitored, see 6.6.3 Log information that can be monitored in the JP1/Integrated Management - Manager Overview and System Design Guide.
- Regular expressions
-
A regular expression is expressed as a character string enclosed in single quotation marks (') and is specified as 'xxxxx'. In the form !'...', with an exclamation mark preceding the initial single quotation mark, the condition matches any character string other than one that matches the specified regular expression. If you want to specify a single quotation mark (') as part of a regular expression, enter an escape sequence such as \'. Regular expressions can be specified only for attributes other than type.
- Log types
-
The following table lists and describes the log types.

Log type        Description        Event level
Information     Information        Information
Warning         Warning            Warning
Error           Error              Error
Audit_success   Successful audit   Notice
Audit_failure   Failed audit       Notice
Example definition
- Example definition 1: OR and AND conditions
-
- Example definition for the OR condition
-
When the log type is system log, and TEXT, MSG, or -W is contained in the description.
filter "System"
message 'TEXT' 'MSG' '-W'
end-filter
If you separate conditions with a space or a tab, the OR condition is applied.
- Example definition for the AND condition
-
When the log type is system log, and TEXT, MSG, and -W are all contained in the description.
filter "System"
message 'TEXT'
message 'MSG'
message '-W'
end-filter
If you separate conditions with a linefeed, the AND condition is applied. After a linefeed, start a new line with the attribute name.
- Example definition 2: Setting multiple filters
-
Trap event logs whose log type is application log and that satisfy the following condition:
- filter-1
-
Type: Application log
Category: Error
Description: Contains -E and JP1/Base.
- filter-2
-
Type: Application log
Category: Warning
Description: Contains -W or warning.
#filter-1
filter "Application"
type Error
message '-E'
message 'JP1/Base'
end-filter
#filter-2
filter "Application"
type Warning
message '-W' 'warning'
end-filter
- Example definition 3: Using regular expressions
-
Trap event logs that satisfy the following conditions:
-
Type: Application log
-
Category: Error
-
Event ID: 111
-
Description: Contains -E or MSG, but not TEXT.
filter "Application"
type Error
id '^111$'
message '-E' 'MSG'
message !'TEXT'
end-filter
If you want to set event ID 111 as a condition, specify the regular expression id '^111$'. Specifying id '111' creates a condition that means that the value 111 is included in the ID. Therefore, an event ID such as 1112 or 0111 satisfies the condition. If an exclamation mark (!) is inserted before the first single quotation mark, any data that does not match the specified regular expression is selected. The regular expression is fixed to the extended regular expression of JP1/Base. For details about extended regular expressions, see the description about the regular expression syntax in the JP1/Base User's Guide.
- Example definition 4: Do not convert specific event logs
-
Do not trap event logs whose log type is system log, whose event level is warning, and which satisfy the following conditions:
-
Source: AAA
-
Event ID: 111
-
Description: Contains TEXT.
#Event logs for which source is AAA are not trapped.
filter "System"
type Warning
source !'AAA'
end-filter
#Event logs for which source is AAA, and event ID is a value other than 111 are trapped.
filter "System"
type Warning
source 'AAA'
id !'^111$'
end-filter
#Event logs for which source is AAA and event ID is 111, but whose description does not include TEXT are trapped.
filter "System"
type Warning
source 'AAA'
id '^111$'
message !'TEXT'
end-filter
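The following is an added example, not part of the manual or of JP1/IM itself: a small Python model of the filter semantics described under conditional-statement and in example definitions 1 to 4 (OR between terms on one line, AND between lines, OR between filters, !'...' negation, the id= expansion rule). The DEFINITION text and the event records used with it are constructed samples; real JP1/Base extended regular expressions may differ from Python's re in detail.

```python
import re
QUOTED = re.compile(r"(!?)'((?:\\.|[^'\\])*)'")  # optional ! then a single-quoted regex; \' allowed inside
DEFINITION = """
#filter-1: Application log, level Error, description contains both -E and JP1/Base
filter "Application" id=11A trap-name=APPERR
type Error
message '-E'
message 'JP1/Base'
end-filter
filter "Application"
type Warning
id '^111$'
message '-W' 'warning'
end-filter
"""
def event_id(spec="3A71"):  # expand id= to basic:extended, 8 hex digits each; omitted extended code is 0
    basic, _, ext = spec.partition(":")
    return f"{basic.zfill(8)}:{(ext or '0').zfill(8)}"

def parse_filters(text):
    """Parse filter ... end-filter blocks; lines starting with # are comments."""
    filters, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("filter "):
            head = re.match(r'filter\s+"([^"]+)"(.*)', line)  # log type may contain spaces
            opts = dict(o.split("=", 1) for o in head.group(2).split())
            cur = {"log": head.group(1), "id": event_id(opts.get("id", "3A71")), "conds": []}
        elif line == "end-filter":
            filters.append(cur)
        else:
            attr, rest = line.split(None, 1)                    # one conditional statement
            terms = ([(False, t) for t in rest.split()] if attr == "type"  # bare log-type words
                     else [(n == "!", p.replace("\\'", "'")) for n, p in QUOTED.findall(rest)])
            cur["conds"].append((attr, terms))                  # !'...' is stored as negated
    return filters

def matches(flt, event):
    """AND across a filter's conditional statements, OR across the terms on one line."""
    def line_ok(attr, terms):
        if attr == "type":
            return any(event.get("type") == t for _, t in terms)
        return any((re.search(p, event.get(attr, "")) is None) == neg for neg, p in terms)
    return event.get("log") == flt["log"] and all(line_ok(a, t) for a, t in flt["conds"])

def trap(filters, event):
    """OR between filters: the JP1 event ID of the first filter that traps the event, else None."""
    return next((f["id"] for f in filters if matches(f, event)), None)
```

Running the two filters against a record with id 1112 shows why the manual insists on id '^111$' rather than id '111'.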