7 Replies Latest reply: Jun 8, 2006 10:20 AM by tdowdall

Forward windows event log content to BEM.

Thanatos

Hi !

I got a serious problem here.
I'm currently integrating our windows agents into the BEM.
I've already done the stuff to manage events, but I want to send more information from the content of the Windows event message, in all application and system logs, to the BEM.

I've tried to activate the "forward filtered event log" from the KM OS.
I've effectively got new events from the NT_EVENTLOG catalog, class NTEVents.
But they never arrive at the BII4patrol !!!

I don't know if it comes from a sort of internal agent filter, or from the code of the BII.
:O


So I've tried to modify the notify scripts for the NT_EVENTLOG (I've found something about this in this forum).
And I got the other events AND a copy of type NOTIFY_EVENT, from the AS_EVENTSPRING catalog, class NOTIFY_EVENT.
This time too, they never arrive !!!
I don't understand because I already use NOTIFY_EVENT in my BEM.
It permits us to refresh the original events, and it works perfectly well.


The only hint I found is: I need to be in the Patrol Operator Console at the KM NT_OS level to see those events via the EVENT MANAGER !
If I am at the machine level (one level higher...), even when I use the "ALL EVENT" filter, I can't see them ....
:?

If someone has got an idea ! I've already spent two days on this problem ...

  • 1. RE: Forward windows event log content to BEM.
    rasto danis

    there are many things that could take part in this problem: first of all check the bii4p configuration file to see that this event class is not excluded; if not, turn on debug & tracing on bii4p and check the logs to see if something comes into bii4p. another thing that can be checked is the bii4p configuration profile (through the bii4p config tool - check what severities & classes are passed and that the proper km's are loaded) - there is an option to send all events from the agent but then you get many unwanted alarms and that option should help only during debug... if you succeeded to get event at least into bii4p... if bii4p receives events then the problem should be sought in IM rules ... good luck !

  • 2. RE: Forward windows event log content to BEM.
    Thanatos

    Thanks for your quick answer !

    Already done this !

    I've suppressed the event filter from BII4Patrol.
    I started the BII4Patrol in trace mode (src).

    In my BII profile I've set 'all agents', so I trap all the events from all KM.

    In the trace of my BII, I have never seen my events coming.

    It's odd, because we use custom for Unix log, and we receive in PEM those events, catalog LOGGeneral, event LOG.

    In my opinion, there's an event filter somewhere in the agent...

    :?:

    Nicolas.

  • 3. RE: Forward windows event log content to BEM.
    rasto danis

    try to set in profile's general tab filter categories and in common attributes of that agent set all agent events (also check severity number of that event ! -standard filter is set to 2 or higher)

  • 4. RE: Forward windows event log content to BEM.
    jezhou

    You can set the debug log on the Console server side to see if the event is received and forwarded to BII4P. To do so you need to start the console server from the command line:
    1. Stop running console server
    2. From Command Prompt type:
    set CC_TRACE_LEVEL=5
    set LT_TRACE_LEVEL=5
    3. restart console server from Command Prompt
    4. start the client
    5. The console server will log the event details in two files:
    $PATROL_ROOT/log/cserver/layout/PATROL_CSERVER_xxx/. The files will be lt_trace-youProfileName and cc_trace-youProfileName respectively.

    Examine the trace files to see where the event goes:
    lt_trace will show the event received from the Agent
    cc_trace will show that CommonConnect received the event and sent it out

    Thanks,
    Jean

  • 5. RE: Forward windows event log content to BEM.
    Thanatos

    Thanks !

    I see my events through the BII4Patrol profile, out of the cserver.

    My problem is surely coming from the BII, maybe it can't parse the event because of the format.

    Need to check the internal variables for notify, and add the missing information in the event details (I join it for information)

    NOTIFY_EVENT Message: Date 27/04/2006 Source: Print Time: 10:36:51 Category: None Type: Warning Event ID: 20 User: AUTORITE NT\SYSTEM Computer DWD1004179 Record Number: 5152 Description: Le pilote d'imprimante HP LaserJet 4300 PCL 6 pour Windows NT x86 Version-3 a été ajouté ou mis à jour. Fichiers :- UNIDRV.DLL UNIDRVUI.DLL HPC43006.GPD UNIDRV.HLP PCL5ERES.DLL HPLJ21P6.GPD PCLXL.DLL PCLXL.GPD P6FONT.GPD PJL.GPD P6DISP.GPD TTFSUB.GPD UNIRES.DLL STDNAMES.GPD HPCUI05.DLL HPCXRD05.DLL HPBMIAPI.DLL HPBOID.EXE HPBOIDPS.DLL HPBPRO.EXE HPBPROPS.DLL HPPAPTS0.DLL HPPASNM0.DLL HPPAPML0.DLL HPZIPM12.EXE HPZIPT12.DLL HPZINW12.EXE HPZISN12.DLL HP6MAC05.GPd HPCLJX05.HLp HPBMMON.DLL HPDOMON.DLL HPBHEALR.DLL HPC43006.XMl HPCSCH05.DTD HPC4300C.INi HPCSTR05.DLL HPCEVT05.DLL HPJCMN2U.DLL HPJIPX1U.DLL HPSMAC05.GPD hplj4300.cfg hpcdmc32.dll hpbcfgre.dll HPZIPR12.DLL.
    Event Details: dwd1004179,10.12.37.142,3181,3181,NT,dwd1004179,,,__NA__,ALARM,0,Thu Apr 27 10:37:14 2006,10:37:14,Romance Standard Time,,,,,,,NT 5.1 Service Pack 1,,,,,V3.6.50.11i,C:\PROGRA~1\BMCSOF~1\Patrol3,,,,,
    Notification File: <null>

    I give it a try

  • 6. RE: Forward windows event log content to BEM.
    rasto danis

    oh i missed that you are using also NOTIFY_EVENT ? there is a common problem with this - you have to create your own bii4p configuration file (name it f.e. myconfig), then modify it via the config tool to remove the line "AS_EVENTSPRING:NOTIFY_EVENT" (be sure it's removed by looking at the file in Patrol7/log/cserver/cc_client_config). then modify in bii4p_start.opts the line with cfgid to appear like:
    -cfgid myconfig

    restart bii4p and try to play with it

  • 7. RE: Forward windows event log content to BEM.
    tdowdall

    In the short term you could use the Windows Impact Event Log Adapter on the clients CD in the ADAPS folder.  Then fix this issue and revert to the Agent only method.

    T.
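
The checks from replies 4 and 6 can be chained into one pass that names the first hop where an event class stops showing up. This is an added example, not part of the thread and not BMC code: it assumes the trace files mention the class name as plain text and that the BII4P configuration file holds one `CATALOG:CLASS` entry per line, and the sample file contents and the profile name `myprofile` are constructed.

```python
import tempfile
from pathlib import Path

def mentions(path, token):
    """True if any line of the file contains token (a missing file counts as no)."""
    p = Path(path)
    if not p.is_file():
        return False
    with p.open(errors="replace") as fh:
        return any(token in line for line in fh)

def has_line(path, entry):
    """True if the file has a line equal to entry, ignoring surrounding blanks."""
    p = Path(path)
    if not p.is_file():
        return False
    with p.open(errors="replace") as fh:
        return any(line.strip() == entry for line in fh)

def triage(catalog, event_class, lt_trace, cc_trace, bii_config):
    """Name the first hop where the event class stops showing up."""
    seen_lt = mentions(lt_trace, event_class)   # console server got it from the agent
    seen_cc = mentions(cc_trace, event_class)   # CommonConnect sent it out
    listed = has_line(bii_config, f"{catalog}:{event_class}")  # line reply 6 removes
    if not seen_lt:
        where = "agent"
    elif not seen_cc:
        where = "console server"
    elif listed:
        where = "BII4P configuration"
    else:
        where = "BII4P trace and IM rules"
    return {"lt_trace": seen_lt, "cc_trace": seen_cc,
            "config_line": listed, "look_at": where}

def demo():
    """Run triage over constructed files (the real trace format is an assumption)."""
    d = Path(tempfile.mkdtemp())
    (d / "lt_trace-myprofile").write_text(
        "10:37:14 event from agent dwd1004179 class=NOTIFY_EVENT\n")
    (d / "cc_trace-myprofile").write_text(
        "10:37:14 CommonConnect send class=NOTIFY_EVENT\n")
    (d / "myconfig").write_text("AS_EVENTSPRING:NOTIFY_EVENT\n")
    return triage("AS_EVENTSPRING", "NOTIFY_EVENT", d / "lt_trace-myprofile",
                  d / "cc_trace-myprofile", d / "myconfig")

if __name__ == "__main__":
    print(demo())
```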