Hitachi

JP1 Version 12 JP1/Base User's Guide


2.4.9 Converting Windows event logs

The following figure shows how the event log trapping function converts Windows event log entries into JP1 events and registers them in an event database.

Figure 2‒24: Overview of Windows event log conversion to JP1 event registration

[Figure]

To use an event log trap, create an action definition file for event log trapping (ntevent.conf) and specify in it the conditions for the log data you want to convert into JP1 events. When the event service is started and the event log trapping service is then started, an event log trap is generated and monitoring of the event log begins. All event log entries that match the monitoring conditions are converted into JP1 events, which are then registered in the event database.

An event ID and/or trap name can be assigned to each monitoring condition that event log trapping uses to convert log data into JP1 events. The event ID or trap name allows you to determine the monitoring condition that was used for conversion to a JP1 event.

The severity level of a JP1 event converted from an event log entry corresponds to the type of the event log entry.

By default, the event service is set to start automatically when the system starts, but the event log trapping service is not. To start and end the event log trapping service automatically, use the startup control to set it up so that the event log trapping service starts after the event service starts.

A trapped event log message can be registered in a JP1 event up to a maximum of 1,023 bytes. If a message exceeds this limit, it is truncated from the 1,024th byte when it is converted into a JP1 event. For details about JP1 event attributes, see 17.3.1(26) Details about event ID 00003A71 or the event ID specified in the filter of the action definition file for event log trapping.
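The 1,023-byte limit decides which parts of a long Windows event message are still present in the JP1 event that downstream monitoring sees. The following is an added example, not part of the Hitachi guide or of JP1/Base: it cuts a message at the limit and reports which `Name: value` lines are kept, cut or lost. The function names, the sample message and the UTF-8 encoding (any encoding with a one-byte newline works) are assumptions.

```python
JP1_MESSAGE_LIMIT = 1023  # bytes; the guide says truncation starts at the 1,024th byte

def truncate_for_jp1(message, encoding="utf-8"):
    """Return (kept_text, lost_bytes) after cutting the message at the byte limit.

    The encoding is an assumption: use the code page of the JP1/Base host.
    """
    raw = message.encode(encoding)
    kept = raw[:JP1_MESSAGE_LIMIT]
    # A multi-byte character split at the boundary is dropped from the returned
    # text. The guide does not say how JP1/Base treats a split character.
    return kept.decode(encoding, errors="ignore"), max(0, len(raw) - JP1_MESSAGE_LIMIT)

def field_survival(message, encoding="utf-8"):
    """Classify every 'Name: value' line as 'kept', 'cut' or 'lost'."""
    result = {}
    offset = 0  # byte offset of the current line within the encoded message
    newline = len("\n".encode(encoding))
    for line in message.split("\n"):
        size = len(line.encode(encoding))
        name = line.split(":", 1)[0].strip()
        if ":" in line and name:
            if offset + size <= JP1_MESSAGE_LIMIT:
                result[name] = "kept"   # whole line fits below the limit
            elif offset < JP1_MESSAGE_LIMIT:
                result[name] = "cut"    # line straddles the limit
            else:
                result[name] = "lost"   # line starts after the limit
        offset += size + newline
    return result

# Constructed sample: a process-creation style message with a long command line.
SAMPLE = "\n".join([
    "A new process has been created.",
    "Account Name: svc-backup",
    "New Process Name: C:\\Windows\\System32\\cmd.exe",
    "Process Command Line: cmd.exe /c " + "A" * 1000,
    "Parent Process Name: C:\\Windows\\explorer.exe",
])

if __name__ == "__main__":
    kept, lost = truncate_for_jp1(SAMPLE)
    print(f"kept {len(kept.encode('utf-8'))} bytes, lost {lost} bytes")
    for field, state in field_survival(SAMPLE).items():
        print(f"{state:5} {field}")
```

Running the same check over exported samples of the event types a trap converts shows which fields a downstream filter can rely on and which must be read from the original event log.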