Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Command, Definition File and API Reference


Remote-monitoring event log trap action-definition file


Format

retry-times number-of-retries
retry-interval retry-interval
open-retry-times number-of-retries-for-event-log-collection
open-retry-interval retry-interval-for-event-log-collection
trap-interval monitoring-interval
matching-level comparison-level
filter-check-level filter-check-level
# filter
filter log-type [id=event-ID] [trap-name=log-file-trap-name]
    conditional-statement-1
    conditional-statement-2
      :
    conditional-statement-n
end-filter

File

Use any file.

Storage directory

In Windows

Any folder

In UNIX

Any directory

Description

This file defines the actions of the event log trapping function for remote monitoring. The contents of this file are referenced when the remote-monitoring event log trapping function is started.

If you use UTF-8 as the encoding to save a file, save the file without attaching a BOM (byte order mark).

When the definitions are applied

The settings for the remote-monitoring event log trap action-definition file take effect at the following times:

Information that is specified

retry-times

Specify a value from 0 to 86,400 for the number of retries to be attempted when a connection to an event service cannot be established due to a temporary communication failure. If this parameter is omitted, no retry operation is performed. If the specified number of retries has been attempted but none have been successful, an error occurs. By combining retry-times and retry-interval, you can set a time equal to or longer than 24 hours, but if you do so and 24 hours or more passes after a retry attempt starts, retry processing stops.

retry-interval

Specify a value from 1 to 600 (seconds) for the interval between retries to be performed when a connection to an event service could not be established due to a temporary communication failure. If this value is omitted, 10 seconds is assumed.

open-retry-times

Specify a value from 1 to 3,600 as the number of times to retry the event log collection processing when the processing fails or the connection to the monitored host fails. If this value is omitted, a retry count of 3 times is assumed. When the specified number of retries is exceeded, the monitoring of log files stops.

open-retry-interval

Specify a value from 3 to 600 (seconds) as the interval between retries when the event log collection processing fails or the connection to the monitored host fails. If this value is omitted but a value is specified for trap-interval, the value specified for trap-interval is assumed. If trap-interval is not specified, 300 seconds is assumed. The retry interval is the length of time before a retry is attempted after an error occurs.

trap-interval

Specify a value from 60 to 86,400 (seconds) as the interval for monitoring event logs. If this value is omitted, 300 (seconds) is assumed. Event log traps monitor event logs at a fixed interval.

matching-level

Specify the comparison level of an event log and the definition if the explanatory text of an event log cannot be read because the message DLL or the category DLL is not set correctly when the message or category attribute is specified for a filter. If 0 is specified, the items are not compared, but are compared with the next filter. If 1 is specified, the items are compared. If this parameter is omitted, 0 is assumed.

filter-check-level

Specify the check level when an invalid log type (a type non-existent in the system) or an invalid regular expression is specified for a filter. If 0 is specified and a filter contains an invalid log type or regular expression, the applicable filter is disabled. If at least one valid filter exists, the remote-monitoring event log trap is started or loaded successfully. If there is no valid filter, the remote-monitoring event log trap fails to start or reload. If 1 is specified and the filter has at least one invalid log type or regular expression, the remote-monitoring event log trap fails to start or reload.

If this parameter is omitted, 0 is assumed.
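As an added example (not code from the Hitachi manual or from JP1 itself), the following Python function reads the header parameters of this file, checks each value against the ranges listed above, and applies the defaults, including the conditional default of open-retry-interval. The sample file, the function name and the error handling are constructed for this example.

```python
# Allowed ranges for the header parameters, from the page.
RANGES = {
    "retry-times": (0, 86400), "retry-interval": (1, 600),
    "open-retry-times": (1, 3600), "open-retry-interval": (3, 600),
    "trap-interval": (60, 86400), "matching-level": (0, 1),
    "filter-check-level": (0, 1),
}
# Fixed defaults applied when a parameter is omitted.
DEFAULTS = {"retry-interval": 10, "open-retry-times": 3, "trap-interval": 300,
            "matching-level": 0, "filter-check-level": 0}

def parse_parameters(text):
    """Return the header parameters with range checks and defaults applied.

    Raises ValueError on an unknown parameter or an out-of-range value;
    '#' comments and filter ... end-filter blocks are skipped."""
    values, in_filter = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name, value = parts[0], parts[1] if len(parts) > 1 else ""
        if name == "filter":
            in_filter = True
        elif name == "end-filter":
            in_filter = False
        elif not in_filter:
            if name not in RANGES:
                raise ValueError(f"unknown parameter: {name}")
            low, high = RANGES[name]
            number = int(value.strip())
            if not low <= number <= high:
                raise ValueError(f"{name} {number} is outside {low}..{high}")
            values[name] = number
    for name, default in DEFAULTS.items():
        values.setdefault(name, default)
    # Omitted open-retry-interval takes trap-interval (itself defaulting to 300).
    values.setdefault("open-retry-interval", values["trap-interval"])
    # Omitted retry-times means no retry at all, i.e. zero retries.
    values.setdefault("retry-times", 0)
    return values

# Constructed sample file: only two parameters are given explicitly.
SAMPLE = """\
retry-times 3
trap-interval 600
filter "Application"
    type Error
end-filter
"""
```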

filter to end-filter

log-type

Specify the type of event log to be monitored.

Example:

  • Application
  • Security
  • System
  • DNS Server
  • Directory Service
  • File Replication Service
  • DFS Replication

When the same log type is specified for multiple filters, the condition is satisfied if the conditions for any one of the filters are met.

[id=event-ID]

Specify an event ID for registering a JP1 event on an event server. Write the ID in hexadecimal notation and separate the first four bytes (basic code) and the last four bytes (extended code) of the event ID by a colon (:). When entering hexadecimal notation, use uppercase A to F. Note that the last four bytes (the four bytes after the colon) can be omitted, in which case 0 is assumed for the omitted value. Zeros (0) are also inserted for any non-specified digits, beginning on the left side, if either the first or last four bytes have fewer than eight digits. Use a user-specifiable value from 0:0 to 1FFF:0 and 7FFF8000:0 to 7FFFFFFF:0. There can be no space or tab between id= and the value. However, there must be a space between log-type and log-file-trap-name. If you omit this value, event ID 00003A71 is assumed. Event ID format examples are provided below.

Example:

The following three specifications have the same meaning:

  • 0000011A:00000000
  • 11A:0
  • 11A

[trap-name=log-file-trap-name]

Specify a log file trap name to determine the corresponding filter for the registered JP1 event converted from the event log. The first character of log-file-trap-name must be an alphanumeric character. Uppercase and lowercase are distinguished. Do not add a space or tab. If this parameter is omitted, the extended attribute E.JP1_TRAP_NAME is not created at the time of JP1 event conversion.

conditional-statement

The following explains the conditional-statement:

When a value other than type is specified for the attribute:

attribute-specification regular-expression-1 regular-expression-2 regular-expression-3...

When type is specified for the attribute

type log-type-1 log-type-2 log-type-3...

The above condition is satisfied if any one of the regular expressions (or log types) listed after the attribute specification matches. Note that the AND condition is applied between the conditional statements in a filter, and the OR condition is applied between filters.

Attribute settings

The following table explains the attribute settings.

Attribute name   Description
type             Log type
source           Source
category         Category
id               Event ID
user             User
message          Description
computer         Computer name

Note

When message is set as the attribute, an event log whose description contains the text "Description related to xxx was not found" (the wording Windows uses when a message DLL is not found) cannot generate a message. As a result, the log is excluded as a trap target. Even if the character strings to be trapped appear in the inserted text, the log is not trapped.

In the above case, make sure that the message DLL mentioned in the event log description is properly configured in accordance with the Windows event log mechanism. If the message DLL is not properly configured, the log might fail to be trapped because the description cannot be read from the event log. If you want to trap a message with no message DLL, set the matching-level parameter to 1.

For details about the log information that can be monitored, see 7.6.3 Log information that can be monitored in the JP1/Integrated Management 2 - Manager Overview and System Design Guide.

Regular expressions

A regular expression is expressed as a character string enclosed in single quotation marks (') and is specified as 'xxxxx'. In the form !'...', with an exclamation mark preceding the initial single quotation mark, the condition matches any string other than the specified character string. If you want to specify a single quotation mark (') as part of a regular expression, enter an escape sequence such as \'. Regular expressions can be specified only for attributes other than type.

Log types

The following table lists and describes the log types.

Log type         Description        Event level
Information      Information        Information
Warning          Warning            Warning
Error            Error              Error
Audit_success    Successful audit   Notice
Audit_failure    Failed audit       Notice

Example definition

Example definition 1: OR and AND conditions

Example definition for the OR condition

Trap event logs whose log type is the system log and whose description contains TEXT, MSG, or -W.

filter "System"
    message 'TEXT' 'MSG' '-W'
end-filter

If you separate conditions with a space or a tab, the OR condition is applied.

Example definition for the AND condition

Trap event logs whose log type is the system log and whose description contains all of TEXT, MSG, and -W.

filter "System"
    message 'TEXT'
    message 'MSG'
    message '-W'
end-filter

If you separate conditions with a linefeed, the AND condition is applied. After a linefeed, start a new line with the attribute name.

Example definition 2: Setting multiple filters

Trap event logs whose log type is application log and that satisfy the conditions of either of the following filters:

filter-1

  • Type: Application log
  • Category: Error
  • Description: Contains -E and JP1/Base.

filter-2

  • Type: Application log
  • Category: Warning
  • Description: Contains -W or warning.

#filter-1
filter "Application"
    type Error
    message '-E'
    message 'JP1/Base'
end-filter
#filter-2
filter "Application"
    type Warning
    message '-W' 'warning'
end-filter

Example definition 3: Using regular expressions

Trap event logs that satisfy the following conditions:

  • Type: Application log

  • Category: Error

  • Event ID: 111

  • Description: Contains -E or MSG, but not TEXT.

filter "Application"
    type Error
    id '^111$'
    message '-E' 'MSG'
    message !'TEXT'
end-filter

If you want to set event ID 111 as a condition, specify the regular expression id '^111$'. Specifying id '111' creates a condition that means only that the string 111 is contained in the ID, so an event ID such as 1112 or 0111 also satisfies the condition. If an exclamation mark (!) is inserted before the first single quotation mark, any data that does not match the specified regular expression is selected. The regular expression syntax is fixed to the extended regular expression of JP1/Base. For details about extended regular expressions, see the description of the regular expression syntax in the JP1/Base User's Guide.

Example definition 4: Do not convert specific event logs

Do not trap event logs whose log type is system log, whose event level is warning, and which satisfy the following conditions:

  • Source: AAA

  • Event ID: 111

  • Description: Contains TEXT.

#Event logs for which source is AAA are not trapped.
filter "System"
    type Warning
    source !'AAA'
end-filter
#Event logs for which source is AAA, and event ID is a value other than 111 are trapped.
filter "System"
    type Warning
    source 'AAA'
    id !'^111$'
end-filter
#Event logs for which source is AAA and event ID is 111, but whose description does not include TEXT are trapped.
filter "System"
    type Warning
    source 'AAA'
    id '^111$'
    message !'TEXT'
end-filter
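The following Python code is an added example, not code from the Hitachi manual or from JP1 itself. It parses filter ... end-filter blocks and evaluates the rules described on this page (AND between the conditional statements of one filter, OR between the terms of one statement and between filters, !'...' negation, and the exact-match id '^111$' versus substring id '111' distinction) against constructed event records. Python's re module stands in for the JP1/Base extended regular expression, and the sample filter is a copy of Example definition 3.

```python
import re

TERM = re.compile(r"(!?)'((?:[^'\\]|\\.)*)'")  # 'regex' or !'regex'; \' escapes a quote

def parse_filters(text):
    """Parse filter ... end-filter blocks into (log_type, [(attribute, terms)])."""
    filters, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        head = line.split(None, 1)
        if head[0] == "filter":
            name = re.match(r'filter\s+("[^"]*"|\S+)', line).group(1)
            current = (name.strip('"'), [])
        elif head[0] == "end-filter":
            filters.append(current)
            current = None
        elif current is not None:                 # a conditional statement
            attr, rest = head[0], head[1] if len(head) > 1 else ""
            # type takes literal log-type names; other attributes take (negated, regex) terms
            terms = ([(False, t) for t in rest.split()] if attr == "type" else
                     [(n == "!", p.replace("\\'", "'")) for n, p in TERM.findall(rest)])
            current[1].append((attr, terms))
    return filters

def term_matches(negated, pattern, value, is_type):
    # Python re stands in for the JP1/Base extended regular expression.
    hit = value == pattern if is_type else re.search(pattern, value) is not None
    return hit != negated                         # !'...' inverts the match

def filter_matches(flt, event):
    log_type, conditions = flt
    if event["log"] != log_type:
        return False
    # Conditions of one filter are ANDed; the terms of one condition are ORed.
    return all(any(term_matches(*t, event.get(attr, ""), attr == "type")
                   for t in terms) for attr, terms in conditions)

def is_trapped(filters, event):                   # OR between filters
    return any(filter_matches(f, event) for f in filters)

# Constructed copy of Example definition 3 from the page.
SAMPLE = """\
filter "Application"
    type Error
    id '^111$'
    message '-E' 'MSG'
    message !'TEXT'
end-filter
"""
```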