Enriching PATROL Events with More Meaningful Information
KB1201 - Jun 14, 2017
Type: Best Practice
Description: How to enrich PATROL events with more meaningful information about the problem.
Additional Keywords: Events, PATROL Events
Introduction
Each time a threshold is breached, events are generated by the PATROL Agent (events of class 11 or 9) and by Sentry Software's KMs (STD_41 or specific PATROL events). Because the events generated by Sentry Software's KMs provide more information about the problem, it is important to ensure that these events are sent to the TrueSight console.
In this article, you will learn how to enrich the standard PATROL events with the information retrieved by Sentry Software's KMs and have these events displayed in the TrueSight console.
Procedure
To enrich PATROL events with the information retrieved by Sentry Software's KMs:
- Launch wpconfig
- Under EventSetup/Format/BiiP3, verify that the class variable is set to PATROL_EV
Verifying that the class variable is set to PATROL_EV
- Under AgentSetup/integration, verify that the ForwardEventsToIS variable is set to yes
Verifying that events are forwarded to the Integration Service
- Under /EventSetup/Format/BiiP3/catalogs/0/types/41, verify that the active variable is set to 1. This configuration will allow Sentry events to be sent to the cell.
- Merge the PATROL_EV events:
- Create a sentry_close41.mrl file which contains the following code:
    new sentry_close41andspecific_storage : PATROL_EV ($NEW)
        where [ $NEW.status != CLOSED AND $NEW.status != BLACKOUT AND
                ($NEW.p_class within [41,Studio,HardwareProblem,ConnectorProblem] OR
                 ($NEW.p_class contains 'Problem' AND $NEW.mc_object_class contains 'SEN_'))]
        updates PATROL_EV ($OLD)
        where [$OLD.status != CLOSED AND $OLD.status != BLACKOUT AND
               $OLD.mc_object == $NEW.mc_object AND
               $OLD.mc_origin == $NEW.mc_origin AND
               $OLD.p_instance == $NEW.p_instance AND
               $OLD.p_origin == $NEW.p_origin]
        within 10
        {
            $NEW.status = CLOSED;
            $OLD.msg = $NEW.msg;
        }
    END
This rule applies to all events generated by Sentry KMs. It takes the msg slot from the Sentry event (p_class=41 or *Problem) and copies its content into the msg slot of the event generated by the PATROL Agent (p_class=11). It then closes the Sentry event to avoid duplicate events.
- Save this file in the MCELL_HOME/etc/<cellname>/kb/rules directory
- Edit the .load file to indicate that the sentry_close41 rule must be processed before the mcxp rule:
- Go to MCELL_HOME\etc\<cellname>\kb\rules\
- Open the .load file in a text editor
- Locate the mcxp line
- Add the sentry_close41 line above the mcxp line
Adding the sentry_close41 line into the .load file
- Run the following command to recompile the cell:
mccomp -n <cellname>
- Restart the cell or run this command to reload kb:
mcontrol -n <cellname> reload kb
PATROL events should now be enriched with the information retrieved by Sentry Software's KMs as illustrated below:
PATROL Events enriched with Sentry Software's KMs information
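The file placement and .load ordering from the procedure can be checked before running mccomp. The following shell function is an added example, not code from Sentry Software or BMC; it assumes the .load file lists one rule name per line without the .mrl extension, and check_sentry_rule and first_line_of are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verifies the rules directory before the cell is recompiled.
# Assumption: .load holds one rule name per line, without the .mrl extension.

# first_line_of NAME FILE
# Prints the line number of the first line that is exactly NAME, or nothing.
# Carriage returns and surrounding whitespace are ignored (Windows-edited files).
first_line_of() {
    tr -d '\r' < "$2" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -n -x -F -- "$1" | head -n 1 | cut -d: -f1
}

# check_sentry_rule RULES_DIR
# Returns 0 when the rule file is present and loads before mcxp,
# 1 when a step of the procedure was missed, 2 when .load cannot be read.
check_sentry_rule() {
    rules_dir=$1
    load_file="$rules_dir/.load"

    [ -r "$load_file" ] || { echo "cannot read $load_file" >&2; return 2; }
    if [ ! -f "$rules_dir/sentry_close41.mrl" ]; then
        echo "sentry_close41.mrl is not in $rules_dir" >&2; return 1
    fi

    sentry_line=$(first_line_of sentry_close41 "$load_file")
    mcxp_line=$(first_line_of mcxp "$load_file")

    if [ -z "$sentry_line" ]; then
        echo "sentry_close41 is not listed in $load_file" >&2; return 1
    fi
    if [ -z "$mcxp_line" ]; then
        echo "mcxp is not listed in $load_file" >&2; return 1
    fi
    if [ "$sentry_line" -ge "$mcxp_line" ]; then
        echo "sentry_close41 (line $sentry_line) must come before mcxp (line $mcxp_line)" >&2
        return 1
    fi
    echo "OK: sentry_close41 (line $sentry_line) loads before mcxp (line $mcxp_line)"
}

# Usage: check_sentry_rule "$MCELL_HOME/etc/<cellname>/kb/rules"
```

A non-zero return means the Sentry event would not be merged as described, because the rule file is missing or is loaded after mcxp.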