
ntevl to syslog options

Question asked by dgill_gocloudwave.com on Feb 6, 2019
Latest reply on Feb 20, 2019 by dgill_gocloudwave.com

I've successfully managed to get ntevl messages to go to the sysloggtw probe by creating an alarm and having the nas repost the alarm with the subject of SYSLOG-OUT, which is then picked up by the sysloggtw probe and sent to a remote syslog daemon. My problem is that I have too many of these ntevl alarms and (even though I close them 30 seconds after arrival) they are causing my transactionlog.db to grow extremely large.

Successful message that is reposted from the nas and is read by my remote syslog daemon properly

I need to find a better way of handling these messages without creating an alarm that will be stored on the nas. I tried having ntevl post the original message to the bus using SYSLOG-OUT, but that doesn't work. The SYSLOG-OUT message needs to be formatted just like an alarm message is formatted. If you post directly to the bus from ntevl, the message is formatted in a way that sysloggtw can't process properly and the message is lost.

DrNimbus view of the ntevl posted message

I then tried posting to a queue to have logmon read and create an alarm for any matches; however, that didn't seem to work either. The message is empty.

DrNimbus view of the logmon alarm generated from reading the queue where the ntevl message was posted

I was thinking about maybe using the alarm_enrichment probe and routing rules, but I want to make sure it only routes the ntevl alarms to a new subject.

I also considered using a PPR script, but I can't access nimbus.post() from a PPR script.

How can I take an event log message and convert it to an alarm format for sysloggtw to forward to my remote daemon without bogging down my nas transaction tables?

Maybe ems can do what I need, but I have zero experience using it? Creating Event and Alarm Rules with the XML Rule Catalogs - CA Unified Infrastructure Management Probes - CA Technologie…
