I've successfully managed to get ntevl messages to go to the sysloggtw probe by creating an alarm and having the nas repost the alarm with the subject of SYSLOG-OUT which is then picked up by the sysloggtw probe and sent to a remote syslog daemon. My problem is that I have too many of these ntevl alarms and (even though I close them 30 seconds after arrival) they are causing my transactionlog.db to grow extremely large.
I need to find a better way of handling these messages without creating an alarm that will be stored on the nas. I tried having ntevl post the original message to the bus using SYSLOG-OUT, but that doesn't work. The SYSLOG-OUT message needs to be formatted just like an alarm message is formatted. If you post directly to the bus from ntevl the message is formatted in a way that sysloggtw can't process properly and the message is lost.
I then tried posting to a queue to have logmon read and create an alarm for any matches; however, that didn't seem to work either. The message is empty.
I was thinking about maybe using the alarm_enrichment probe and routing rules, but I want to make sure it only routes the ntevl alarms to a new subject.
I also considered using a PPR script but I can't access nimbus.post() from a PPR script.
How can I take an event log message and convert it to an alarm format for sysloggtw to forward to my remote daemon without bogging down my nas transaction tables?
Maybe ems can do what I need, but I have zero experience using it? Creating Event and Alarm Rules with the XML Rule Catalogs - CA Unified Infrastructure Management Probes - CA Technologie…