Knowledge Base

Enriching PATROL Events with More Meaningful Information

KB1201 - Jun 14, 2017

Type: Best Practice

Description: How to enrich PATROL events with more meaningful information about the problem.

Additional Keywords: Events, PATROL Events

Related Topics

Introduction

Each time a threshold is breached, events are generated by the PATROL Agent (Events of class 11 or 9) and by the Sentry Software's KMs (STD_41 or specific PATROL events). Because the events generated by the Sentry Software's KMs provide more information about the problem, it is important to ensure that these events are sent to the TrueSight console.

In this article, you will learn how to enrich the standard PATROL events with the information retrieved by the Sentry Software's KMs and have these events displayed in the TrueSight console.   

Procedure

To enrich PATROL events with the information retrieved by the Sentry Software's KMs:

  1. Launch wpconfig
  2. Under EventSetup/Format/BiiP3, verify that the class variable is set to PATROL_EV
    Verifying that the class variable is set to PATROL_EV

    Verifying that the class variable is set to PATROL_EV

  3. Under AgentSetup/integration, verify that the ForwardEventsToIS variable is set to yes
    Verifying that events are forwarded to the Integration Service

    Verifying that events are forwarded to the Integration Service

  4. Under /EventSetup/Format/BiiP3/catalogs/0/types/41, verify that the active variable is set to 1. This configuration will allow Sentry events to be sent to the cell.
  5. Merge the PATROL_EV events:
    • Create a sentry_close41.mrl file which contains the following code: 
      new sentry_close41andspecific_storage :
PATROL_EV ($NEW)
where [ $NEW.status != CLOSED AND $NEW.status != BLACKOUT AND ($NEW.p_class within [41,Studio,HardwareProblem,ConnectorProblem] OR ($NEW.p_class contains 'Problem' AND $NEW.mc_object_class contains 'SEN_'))]
updates PATROL_EV ($OLD)
where [$OLD.status != CLOSED AND $OLD.status != BLACKOUT AND
	   $OLD.mc_object == $NEW.mc_object AND
	   $OLD.mc_origin == $NEW.mc_origin AND
	   $OLD.p_instance == $NEW.p_instance AND
	   $OLD.p_origin == $NEW.p_origin]
	   within 10
			{
				$NEW.status = CLOSED;
				$OLD.msg = $NEW.msg;
			}
END

      This rule applies to all events generated by Sentry KMs. It uses the msg slot from the Sentry event (p_class=41 or *Problem) and updates the one generated by the Patrol Agent (p_class=11) with its content. It then closes the Sentry event to avoid duplicate events.

    • Save this file in the MCELL_HOME/etc/<cellname>/kb/rules directory 
  6. Edit the .load file to indicate that the sentry_close41 rule must be processed before the mcxp rule:
    • Go to MCELL_HOME\etc\<cellname>\kb\rules\
    • Open the .load file in a text editor
    • Locate the mcxp line
    • Add the sentry_close41 line above the mcxp line
      Adding the sentry_close41 line into the .load file

      Adding the sentry_close41 line into the .load file

  7. Run the following command to recompile the cell
    8. mccomp  –n <cellname>
  8. Restart the cell or run this command to reload kb:
    9. mcontrol  –n <cellname> reload kb
Note: We assume at this stage that you already have a rule/policy which propagates PATROL_EV from the IS' to the TSOM's main cell.

PATROL events should now be enriched with the information retrieved by the Sentry Software's KMs as illustrated below:
PATROL Events enriched with Sentry Software's KMs information

PATROL Events enriched with Sentry Software's KMs information