OK, I have to say this made my head hurt today. But I think I have found a solution for you that bypasses NAS as you would like.
The real problem is that NTEVL, by default, when you use the Post Method function, sends the message in a table format.
Logmon does not understand this format. When logmon is reading a message from a queue it is ONLY looking for a field called message. The post from NTEVL does not have this by default.
My workaround takes advantage of the NEW ability to send event logs over to CA Log Analytics.
Below is my ntevl profile I have setup for testing:
I used IM to set this profile up, but you should be able to use AC2. MCS cannot be used for this.
<Tosyslog>
active = yes
description = <Enter your description>
level = information
logs = application
severity = *
source = MYEVENTSOURCE
category = *
event_id = 1
user = *
computer = *
message = *
send_alarm = no
alarm_message = $source($event_id - $category): $message
i18n_token = as#system.ntevl.src_id_cat_1
send_subject = yes
subject = ntevllogmon
subsystem =
suppress = no
suppression_key =
send_to_axa = 1
tenant_id = 1
tags =
exclusive = no
qos_count = no
qos_interval = 3600
time_frame =
evt_count =
evt_count_condition =
runcommandonmatch = 0
commandexecutable =
commandarguments =
separator =
</Tosyslog>
- The two keys highlighted above will need to be added/modified using raw config.
- This profile will then post an Alarm-style message to the message bus with the new subject of ntevllogmon.
- I then created an ATTACH queue on the hub with ntevllogmon as the subject.
- Next I set up logmon to read the ATTACH queue I had just created, and this is the profile for it:
<TestSysoutqueue>
active = yes
interval = 5 sec
scanfile = ntevllogmon
fileencoding =
scanmode = queue
alarm = no
qos = no
message = yes
subject = SYSLOG-OUT
user =
reccur_directory = no
reccur_directory_level = 10
resetFile = no
initialfileptr = 2
resumefileptr = 4
command_timeout_active = no
command_timeout =
command_severity = 2
command_timeout_alarm = 0
alarmFOpenFail = no
clearFOpenFailRestart = no
monitor_exit_code = No
max_alarm_sev = 5
max_alarms =
max_alarm_msg =
password =
<watchers>
<ntevllogmon>
active = yes
match = *
level = information
subsystemid =
message = Test:${var}
i18n_token =
restrict =
expect = no
abort = no
sendclear = no
count = no
separator = ,
suppid =
source =
target =
qos =
runcommandonmatch = no
alarm_on_first_match = no
commandexecutable =
commandarguments =
pattern_threshold_severity = information
pattern_threshold_message =
timeout = 1
pattern_threshold =
expect_message =
expect_level =
regexfromexternalfile = no
patternfilepath =
token =
variable_threshold =
variable_threshold_message =
variable_threshold_severity = information
variable_threshold_supp =
<variables>
<var>
definition = 12
operator = eq
</var>
</variables>
</ntevllogmon>
</watchers>
</TestSysoutqueue>
The highlighted string above is the column number in the new message with the message fields from the ntevl probe.
As I do not have a syslog daemon to send this to, I could not test to that final stage, but the sysloggtw did see this message, pick it up and process it.
I hope this helps!!!!
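As an added illustration (not part of the post above and not logmon's own code), the script below emulates the two points the post relies on: a queue message is only usable by logmon when it carries a "message" field, and a watcher variable such as `definition = 12` with `separator = ,` picks the 12th column of that field into the alarm template. The sample messages are constructed; the real ntevl column layout is not known here, so the column contents are placeholders.

```python
import fnmatch
from typing import Optional

# Constructed sample queue messages, not captured from a real hub. The first
# mimics the alarm-style post the ntevl profile produces (it carries a
# "message" field); the second mimics the default tabular post, which does not.
SAMPLE_MESSAGES = [
    {"subject": "ntevllogmon",
     "message": "f1,f2,f3,f4,f5,f6,f7,f8,f9,f10,f11,Service started,f13"},
    {"subject": "ntevllogmon", "table": [["f1", "f2"]]},
]

# Watcher settings mirroring the <ntevllogmon> watcher in the post.
WATCHER = {"match": "*", "separator": ",", "template": "Test:${var}",
           "variables": {"var": 12}}   # 1-based column number, as in logmon


def column(line: str, separator: str, number: int) -> Optional[str]:
    """Return the 1-based column `number` of `line`, or None if absent."""
    parts = line.split(separator)
    if number < 1 or number > len(parts):
        return None
    return parts[number - 1].strip()


def evaluate(msg: dict, watcher: dict = WATCHER) -> Optional[str]:
    """Emulate one watcher pass over one queue message (assumed semantics):
    the message must carry a 'message' field, the line must match the glob,
    and every variable is a column of the separated line."""
    line = msg.get("message")
    if line is None:
        return None              # tabular post: nothing for logmon to scan
    if not fnmatch.fnmatchcase(line, watcher["match"]):
        return None
    out = watcher["template"]
    for name, col in watcher["variables"].items():
        value = column(line, watcher["separator"], col)
        if value is None:
            return None          # fewer columns than expected: no alarm text
        out = out.replace("${" + name + "}", value)
    return out


def run(messages: list) -> list:
    """Alarm text (or None) for each queue message, in order."""
    return [evaluate(m) for m in messages]


if __name__ == "__main__":
    for m, result in zip(SAMPLE_MESSAGES, run(SAMPLE_MESSAGES)):
        print(sorted(m), "->", result)
```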