CA Unified Infrastructure Management Probes

ntevl AC Configuration

Last update October 30, 2018

This article describes the configuration concepts and procedures to set up the NT Event Log Monitoring (ntevl) probe. You can create profiles for event log messages and can define automated actions for specific events. The probe generates alarms based on new messages in the event logs.

This article is for probe versions 4.2 or later.

The following diagram outlines the process to configure the probe.

[Diagram: Configuring ntevl on AC]

Verify Prerequisites

Verify that the required hardware and software are available and that the installation and upgrade considerations are understood before you configure the probe. For more information, see ntevl (NT Event Log Monitoring) Release Notes.

(Optional) Configure the General Properties

You can change the default configuration of the probe if these settings do not meet your requirements. After installation, the probe is active and immediately attempts to publish data. You can configure the following general properties of the probe:

  • Delimiter properties
  • Run type and interval properties
  • Post message properties
  • Logging properties
  • Events and event log properties
  • Event log file selection
  • WMI query properties
  • Thread and position update

Follow these steps:

  1. Select the ntevl node.
    The Probe Information section provides information about the probe name, probe version, start time of the probe, and the probe vendor.
  2. Update the following information in the Properties section to configure the delimiter and metric ID properties of the probe:
    • Description Delimiter: defines an ASCII character that replaces the line breaks in a multi-line event message. For example, if the event log message consists of three lines and the description delimiter is #, the probe returns Line 1 Text # Line 2 Text # Line 3 Text in the alarm message. CA recommends that you use a special character that does not occur in the event text as the delimiter.

    • Remove Recurring Delimiter: collapses consecutive delimiters (for example, those produced by blank lines in the message) into a single delimiter.
      Default: Not selected
  3. Update the following information in the Properties section to configure the interval properties of the probe:
    • Run Type: specifies one of the following conditions for the probe to update the events list:
      • Event: updates the events list when a new event is logged in the Windows event log file.
      • Poll: updates the events list at the specified interval.
        • Poll Interval (Seconds): specifies the time interval at which the events list is updated.
          Default: 30

          Note: Reduce this interval to generate alarms more frequently. A shorter interval also increases the system load.

    • Alarm Timeout (Seconds): specifies the duration during which the probe does not generate another alarm for the same event log entry. Leave this field blank to generate an alarm at every event occurrence. CA recommends that you specify a value lower than the Poll Interval. If the timeout is greater than the poll interval,
      Default: 10

  4. Update the following information to configure the logging properties of the probe:
    • Log File: defines the name of the file to which the probe writes its own log. This file is different from the Windows event log files.
      Default: ntevl.log
    • Log Level: specifies the level of details that are written to the log file, as follows:

      • 0 - Logs only severe information (default)
      • 1 - Logs error information
      • 2 - Logs warning information
      • 3 - Logs general information
      • 4 - Logs debugging information
      • 5 - Logs tracing/low-level debugging information

      Note: Log as little as possible during normal operation to minimize disk consumption, and increase the amount of detail when debugging.

    • Log File Size (KB): specifies the maximum size of the probe log file. Older entries are deleted when this size is reached.
      Default: 100 KB
  5. Update the following information section to configure the Post message properties:
    • Default Post Subject: defines the default subject for the event log post message.
      Default: ntevl
      The following subjects are internally used in CA UIM for alarm messages, and cannot be used in this field:
      • alarm
      • alarm_new
      • alarm_update
      • alarm_close
      • alarm_assign
      • alarm_stats
      • QOS_MESSAGE
      • QOS_DEFINITION

        Notes:

        • If any of the previously mentioned subjects is used in the Default Post Subject field, the probe uses evl_ as the message subject instead. If the field is left blank, the probe uses ntevl as the default post message subject.
        • The Default Post Subject only defines the default post message subject. To send the message, enable the Post Message option in the Alarm section of each profile. You can also override the message subject in each profile.
    • Column Prefix: defines the text that the probe prepends to each event log field name when it posts a message, so that the field can be identified in the posted message.
      Default: evl_
  6. Update the following information to configure the event and event log properties of the probe:
    • Maximum Events to Fetch: defines the maximum events (latest) that the probe retrieves from each event log file. These events are also displayed in the Events section. If the field is left blank, the probe displays all the events.

      Important! Do not configure the Maximum Events to Fetch field value to more than 1000 else the probe can stop responding. For more information, see the Known Issues section in ntevl (NT Event Log Monitoring) Release Notes.
    • Output Encoding: specifies the character encoding used to generate alarms and QoS messages when the probe is deployed in a non-English locale. CA recommends that you specify the same encoding as that of the monitored system, unless you are explicitly instructed to use a different one.
      Default: blank
    • System Encoding: specifies the encoding of the system where the probe is installed. 
      Default: blank

      Note: The probe auto-detects the system and output encoding when these fields are blank. However, CA recommends that you specify the appropriate encoding in the System Encoding field. You can use the UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, Shift_JIS, ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, GB18030, GB2312, Big5, EUC-JP, EUC-KR, ISO-8859-1, ISO-8859-2, windows-1250, and windows-1252 encodings.
    • Alarm List Size: specifies the buffer size of the list of events that match the monitoring profile criteria. For example, if a monitoring profile generates an alarm when the matching event count reaches 50, the probe must keep the details of up to 49 events in the buffer until that count is reached.
      Default: 1000

      Note: This field value must be greater than or equal to number of monitoring profiles.
  7. Update the following information to configure the WMI query properties of the probe:
    • WMI Query Timeout: defines the time-out interval of the WMI query that retrieves the monitoring data. The probe uses WMI queries when hosted on operating systems earlier than Windows Server 2008.
      Default: 1

      Note: The WMI service must be enabled on the host system for this option to work. The probe displays the events in the following order:

      • (Windows versions older than Windows Vista and Windows Server 2008) The latest event is retrieved and displayed as the first record.
      • (Windows Server 2008, and Windows Vista up to Service Pack 1) The earliest event is displayed as the first record.
      • (Windows Vista Service Pack 2 and later) The latest events are displayed first.

    • WMI Timeout Interval Unit: specifies the unit of the WMI Query Timeout.
      Default: Seconds

  8. (Optional) In Select Log Files, click a log file from the Available list to add it to the Selected list for monitoring.
    Default: Application, Security, and System

    Note:

    The probe requires at least one log file in the Selected list. You can also click a log file in the Selected list to remove it from monitoring. If you remove a log file that a profile still references and save the settings, the probe does not save the configuration and displays an error message.

    (Version 4.22 or later) The Security log is not enabled for monitoring by default. You can include it from the Available list on Windows Vista and later. On Windows Server 2003, you must enable it from the probe Raw Configure: in the logs section, create a security key with the value Security.

    Important! If you have large Security logs on Microsoft domain controllers, you can exclude them from monitoring by removing Security from the Selected list. Keep in mind that the Security log carries the logon and account-management auditing for the domain, so make sure another collector covers those events before you exclude it. In probe versions 4.21 and earlier, the Security log is enabled by default.

  9. Update the following information to configure the thread and position update properties of the probe:
    • Maximum Number of Threads: specifies the maximum number of request processing threads that the probe can run simultaneously. 

      Note: CA recommends the following Maximum Number of Threads for a given event generation rate:

      • In Event mode: 10 threads for 400 events/sec and 20 threads for 600 events/sec.
      • In Poll Interval mode: 10 threads for 400 events/sec and 50 threads for 600 events/sec.

      You can increase the number of threads if the probe does not meet the required performance.

    • Disable continuous update of position file: updates the position file only at the Position File Update Interval instead of after every processed event.
      Default: Selected
      (Version 4.21 or earlier) This field is not selected by default.

      Note: Select this field in both Poll Interval and Event mode when the event generation rate is high.

    • Position File Update Interval: defines the time interval at which the position file is updated with the last location processed in the event log. CA recommends a maximum interval of 60 seconds; the interval bounds how far the position file can lag behind the events already processed if the probe stops unexpectedly.
      Default: 60 seconds

    • Variable Name with non ASCII Characters: enables you to create variable names in supported non-English languages. Add a space after the variable name to expand the variables correctly.
      Default: Selected

    • Enable Position File Backup Interval: enables the probe to back up the position file.
      Default: Not selected 
    • Position File Backup Interval (Seconds): defines the time interval when the probe backs up the position file.
      Default: 10 seconds
  10. (Optional - version 4.24 or later) Select Save Log List on Upgrade to keep the Log Files to be Monitored list in the configuration file (cfg) across a probe upgrade.
    On version 4.23 and earlier, the probe does not save the log list on upgrade: the first time you upgrade from an earlier version to 4.24 or later, any default logs that you had removed from the list reappear. Enable this field to retain your changes on the upgrade to the next version or later.
  11. Click Save.

Configure the General Properties for Log Analytics

You can change the default configuration of your probe if these settings do not meet your requirements. After the probe installation, it is active and immediately attempts to publish data. You can configure the following general properties of the probe:

  • Description Delimiter (Mandatory)
  • Remove Recurring Delimiter (Optional)
  • Select Log Files: select all the log types that you want to monitor and send to Log Analytics, and add them to the Selected list.

Follow these steps:

  1. Select the ntevl node.
    The Probe Information section provides information about the probe name, probe version, start time of the probe, and the probe vendor.
  2. Update the following information in the Properties section to configure the delimiter and metric ID properties of the probe:
    • Description Delimiter: defines an ASCII character that replaces the line breaks in a multi-line event message. For example, if the event log message consists of three lines and the description delimiter is #, the probe returns Line 1 Text # Line 2 Text # Line 3 Text in the alarm message. CA Technologies recommends that you use a special character that does not occur in the event text as the delimiter.

      Note: Set this field to get a formatted description of the event logs on dashboard. You can enter Tab in this field in Admin Console.

    • Remove Recurring Delimiter: removes the repetition of the delimiter. This property is optional for Log Analytics.
      Default: Not selected
  3. Update the following information in the Properties section to configure the interval properties of the probe:
    • Run Type: specifies one of the following conditions for the probe to update the events list:
      • Event: updates the event list when a new event is logged in the Windows event log file.

      • Poll: updates the events list at specified intervals.
        • Poll Interval (Seconds): specifies the time interval to update the events list.
          Default: 30

          Note: Reduce this interval to generate alarms more frequently. A shorter interval also increases the system load.

    • Alarm Timeout (Seconds): specifies the duration during which the probe does not generate another alarm for the same event log entry. CA recommends that you specify a value lower than the Poll Interval.
      Default: 10

      Note: Leave this field blank to generate alarms at event occurrence. For Log Analytics, alarm refers to events that are forwarded to CA App Experience Analytics.

  4. Update the following information to configure the logging properties of the probe:
    • Log File: defines the name of the file to which the probe writes its own log. This file is different from the Windows event log files.
      Default: ntevl.log
    • Log Level: specifies the level of details that are written to the log file, as follows:

      • 0 - Logs only severe information (default)
      • 1 - Logs error information
      • 2 - Logs warning information
      • 3 - Logs general information
      • 4 - Logs debugging information
      • 5 - Logs tracing/low-level debugging information

      Note: Log as little as possible during normal operation to minimize disk consumption, and increase the amount of detail when debugging.

    • Log File Size (KB): specifies the maximum size of the probe log file. Older entries are deleted when this size is reached.
      Default: 100 KB
  5. The Post message properties are not required for Log Analytics. The Post Message Subject field in the Profile section overrides the message subject for each profile.

  6. Update the following information to configure the event and event log properties of the probe:
    • Maximum Events to Fetch: defines the maximum events (latest) that the probe retrieves from each event log file. These events are also displayed in the Events section. If the field is left blank, the probe displays all the events.

      Important! Do not configure the Maximum Events to Fetch field value to more than 1000 else the probe can stop responding. For more information, see the Known Issues section in ntevl (NT Event Log Monitoring) Release Notes.
    • Select Log Files: select all the log types that you want to monitor and send to Log Analytics from the Available list and move them to the Selected list.
    • Output Encoding: specifies the character encoding used to generate alarms and QoS messages when the probe is deployed in a non-English locale. CA recommends that you specify the same encoding as that of the monitored system, unless you are explicitly instructed to use a different one.
      Default: blank
    • System Encoding: specifies the encoding of the system where the probe is installed. 
      Default: blank

      Note: The probe auto-detects the system and output encoding when these fields are blank. However, CA recommends that you specify the appropriate encoding in the System Encoding field. You can use the UTF-8, UTF-16BE, UTF-16LE, UTF-32BE, UTF-32LE, Shift_JIS, ISO-2022-JP, ISO-2022-CN, ISO-2022-KR, GB18030, GB2312, Big5, EUC-JP, EUC-KR, ISO-8859-1, ISO-8859-2, windows-1250, and windows-1252 encodings.
    • Alarm List Size: specifies the buffer size of the list of events that match the monitoring profile criteria. For example, if a monitoring profile generates an alarm when the matching event count reaches 50, the probe must keep the details of up to 49 events in the buffer until that count is reached.
      Default: 1000

      Note: This field value must be greater than or equal to number of monitoring profiles.
  7. Update the following information to configure the WMI query properties of the probe:
    • WMI Query Timeout: defines the time-out interval of the WMI query that retrieves the monitoring data. The probe uses WMI queries when hosted on operating systems earlier than Windows Server 2008.
      Default: 1

      Note: The WMI service must be enabled on the host system for this option to work. The probe displays the events in the following order:

      • (Windows versions older than Windows Vista and Windows Server 2008) The latest event is retrieved and displayed as the first record.
      • (Windows Server 2008, and Windows Vista up to Service Pack 1) The earliest event is displayed as the first record.
      • (Windows Vista Service Pack 2 and later) The latest events are displayed first.

    • WMI Timeout Interval Unit: specifies the unit of the WMI Query Timeout.
      Default: Seconds

  8. In Select Log Files, click a log file from the Available list to add it to the Selected list for monitoring.
    Default: Application, Security, and System

    Note:

    The probe requires at least one log file in the Selected list. You can also click a log file in the Selected list to remove it from monitoring. If you remove a log file that a profile still references and save the settings, the probe does not save the configuration and displays an error message.

    For Log Analytics, select all the log types that you want to monitor and send to Log Analytics, and add them to the Selected list.

    (Version 4.22 or later) The Security log is not enabled for monitoring by default. You can include it from the Available list on Windows Vista and later. On Windows Server 2003, you must enable it from the probe Raw Configure: in the logs section, create a security key with the value Security.

    Important! If you have large Security logs on Microsoft domain controllers, you can exclude them from monitoring by removing Security from the Selected list. Keep in mind that the Security log carries the logon and account-management auditing for the domain, so make sure another collector covers those events before you exclude it. In probe versions 4.21 and earlier, the Security log is enabled by default.

  9. Update the following information to configure the thread and position update properties of the probe:
    • Maximum Number of Threads: specifies the maximum number of request processing threads that the probe can run simultaneously. 

      Note: CA recommends the following Maximum Number of Threads for a given event generation rate:

      • In Event mode: 10 threads for 400 events/sec and 20 threads for 600 events/sec.
      • In Poll Interval mode: 10 threads for 400 events/sec and 50 threads for 600 events/sec.

      You can increase the number of threads if the probe does not meet the required performance.

    • Maximum Queue Size: specifies the maximum number of entries in the processing queue.

    • Wait on Maximum Queue Size: specifies how long, in milliseconds, the probe waits when the queue has reached its maximum size.

    • Disable continuous update of position file: updates the position file only at the Position File Update Interval instead of after every processed event.
      Default: Selected
      (Version 4.21 or earlier) This field is not selected by default.

      Note: Select this field in both Poll Interval and Event mode when the event generation rate is high.

    • Position File Update Interval: defines the time interval at which the position file is updated with the last location processed in the event log. CA recommends a maximum interval of 60 seconds; the interval bounds how far the position file can lag behind the events already processed if the probe stops unexpectedly.
      Default: 60 seconds

    • Enable Position File Backup Interval: enables the probe to back up the position file.
      Default: Not selected 
    • Position File Backup Interval (Seconds): defines the time interval when the probe backs up the position file.
      Default: 10 seconds
    • Variable Name with non ASCII Characters: enables you to create variable names in supported non-English languages. Add a space after the variable name to expand the variables correctly. This property does not apply to Log Analytics.
      Default: Selected
  10. (Optional - version 4.24 or later) Select Save Log List on Upgrade to keep the Log Files to be Monitored list in the configuration file (cfg) across a probe upgrade.
    On version 4.23 and earlier, the probe does not save the log list on upgrade: the first time you upgrade from an earlier version to 4.24 or later, any default logs that you had removed from the list reappear. Enable this field to retain your changes on the upgrade to the next version or later.
  11. Click Save.

(Optional) Configure Subsystems

You can define a new subsystem ID for any custom log file that is selected for monitoring. The default configuration of the probe monitors security, system, and application log files, with the 1.1.11.1.1, 1.1.11.1.3, and 1.1.11.1.2 subsystem IDs respectively.

Important! Do not delete or modify any of the default subsystem ids.

Follow these steps:

  1. Navigate to the ntevl node > Subsystems Configuration section.
  2. Click New.

  3. Update the following information to configure the subsystem ID to be used for an event log:
    • Subsystem Key: defines a subsystem key for the appropriate log file. This key must be identical to the corresponding log file name and contain only lowercase characters. For example, use microsoft-windows-dhcp-client/admin for the Microsoft-Windows-Dhcp-Client/Admin log file.
    • Subsystem Value: defines a different alarm subsystem for each monitored log file. CA recommends that you follow the default subsystem ID pattern (2.1.2.x) for other log files too. This pattern is mandatory to view the metric details under the Event Log node of the Unified Management Portal (UMP).
      You can also define a name for a newly defined subsystem value in the nas probe. If you do not define a name, the subsystem value is displayed as is in UMP.
  4. Click Apply to save the configuration.

(Optional) Configure Language Strings in Non-English Locales

The probe displays all event severities as Information when deployed in a non-English locale. When the probe is installed on Windows Vista, Windows Server 2008 R2, or a later version, Windows returns the event severity strings in the locale of the system, and the probe cannot compare these values with the equivalent English strings. You can configure the locale-specific severity strings when the probe is deployed in a non-English locale.

Follow these steps:

  1. Navigate to the ntevl node > Language String Configuration section.
  2. Update the following information to define appropriate strings to identify the event severity:

    • Critical: For example, define critique for the French locale.
    • Information: For example, define informations for the French locale.
    • Warning: For example, define avertissement for the French locale.
    • Verbose: For example, define verbeux for the French locale.
    • Error: For example, define erreur for the French locale.
  3. Click Apply to save the configuration.

Create Profiles

You can create profiles to monitor event logs and generate alarms for unexpected events. The Event Log displays the events retrieved from the monitored host. You can create profiles for specific events. You can also select Clear log from the Actions drop-down list to remove all messages from the current event log. Clearing a log deletes the events on the monitored host, not just in the probe view, so avoid it on systems whose logs are needed for audit or forensics.

You can also use regular expressions in the event criteria fields to use a single profile for multiple events. For more information, see ntevl Regular Expressions. The probe also includes two default profiles, for all events and for all errors in the log. For example, the allevents default profile uses the * regular expression to monitor all events in the event log file.

Note: The probe executes the monitoring profiles sequentially in their creation order. However, the probe interface sorts the profiles alphabetically. CA recommends that you prefix each profile name so that the creation order and the display order are the same. For example, prefix the profile names with 1, 2, and 3.

Follow these steps:

  1. Select the ntevl node.
  2. Click Options (icon) > Select Event Log.
  3. Select the event log file to monitor from the Event log drop-down list.

    Note: The Event Log drop-down displays only those log files that are selected in the ntevl > Log Files Configuration section. For more information, see Step 8 in the Configure General Properties section.
  4. Click Submit to monitor the events from the log file.
  5. In the Event Log Status section, select the event to monitor.

    Important! The probe displays the Failed to get events error while retrieving the event list when the event count is high, for example, 3000 or more. The actual event count varies with your system configuration and performance. In such a case, reduce the value of the Maximum Events to Fetch field in the ntevl node.

  6. Click Actions > New Profile to create a profile for the event.

    You can also create a profile for an event log that is not generated. Click the Options (icon) next to the Profiles node and select Add New Profile.
  7. Specify a name and click Submit to create a profile for the event.

    Important! Do not use slash (/) in the profile name; else the probe trims the profile name from the slash (/) character and discards the profile properties. For example, if the profile name is My/Profile then the probe only saves My as the profile name.

    Note: For Log Analytics, specify a name and then select the send_to_axa checkbox. This creates a Log Analytics integrated profile. Click Submit to create a profile for the event.

    The Profile name node appears under the Profiles node.

  8. Navigate to the Profile name node and update the following information in the Event Selection section:
    • Active: activates the profile for monitoring.
      Default: Not selected
    • Description: specifies additional information about the profile.

      Note: For Log Analytics, update the following information:

      • Tenant ID: Enter the tenant ID generated for you by axa.
      • Post Message: The default UIM subject on which the probe sends data. The axa_log_gateway probe reads data from this queue and posts it to Log Analytics.
      • Tags: Comma-separated values that help you identify records in the dashboard. Default: N/A
  9. Update the following information to configure the event log details:
    • No Propagation of Events: stops an event that matches the filtering criteria of this profile from being evaluated by the profiles that follow it. The event is then unavailable to the other profiles.
      Default: Not Selected

    • Log: specifies the log file from which the probe monitors the event. The event log files that are selected in the ntevl node are displayed here. You can also click the + button to add a log file to the list.
    • Computer: defines the computer name on which the event has occurred.
    • Source/Publisher Name: defines the source or the publisher from where the event has logged.
    • Severity: specifies the severity of the event.
    • User: defines the Windows user account for whom the event was generated.
    • Category: defines the event category. For example, Service State.
    • Event ID: defines the Event ID you are monitoring. Use * to monitor all events of the selected log file. The field does not support any other regular expression.

    • Message String: defines the alarm message to be generated when the event selection criteria matches an event.
  10. (Optional) Select Run Command on Match to make the probe execute the specified command when a matching event is found. Update the following information to configure the command properties. The command runs with the privileges of the account that runs the probe, and any value expanded from the event text was written by whatever process logged the event; treat such values as untrusted input and do not pass them to a shell unquoted.
    Default: Not selected
    • Command Executable: defines the executable to run when a matching event is found. You can also browse for a batch file path. For example, you can execute a script that sends an email to the support engineer who resolves the issue.
    • Command Arguments: defines the arguments with which the command is executed. For example, define the email address of the support engineer to send the email to.
    • Separator: defines a field separator character for the event message text. This field is useful to split the event message text into columns and then use those column numbers in the Variables section. For example, if your event message text is ABCD:EFGH:IJKL:MNOP and the separator is a colon (:), the probe splits the message text into four columns (1-4). You can use these column numbers to retrieve the appropriate text into a variable.
    Note: Non-English characters are not supported as separators.
  11. Click Save.

    Note: If you do not want to use the profile, click the Options (icon) next to the profile and select  Delete. Save the configuration after you delete an entity.
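The profile evaluation described in this procedure, as an added example that is not part of the ntevl documentation or of the probe's own code: constructed sample events are run through three profiles in creation order, the Description Delimiter and Remove Recurring Delimiter settings format a multi-line message into the default alarm message, No Propagation of Events stops the later profiles, and Run Command on Match splits the message on the Separator and expands column variables into an argument list. The `$1`, `$3` column-variable syntax, the full-match regular-expression semantics of the criteria fields, and the `Profile` field names are assumptions made for the example; the event data is constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events (not real log data). The keys mirror the Event
# Selection fields of a profile: Log, Computer, Source, Severity, User,
# Category, Event ID, plus the event message text.
EVENTS = [
    {"log": "Application", "computer": "WEB01", "source": "MyService",
     "severity": "Error", "user": "N/A", "category": "Service State",
     "event_id": 7031, "message": "Service stopped\nReason: crash\n\nExit code: 3"},
    {"log": "System", "computer": "WEB01", "source": "Service Control Manager",
     "severity": "Information", "user": "SYSTEM", "category": "None",
     "event_id": 7036, "message": "The Print Spooler service entered the running state."},
    {"log": "Application", "computer": "WEB01", "source": "Backup",
     "severity": "Error", "user": "N/A", "category": "Job",
     "event_id": 4100, "message": "job42:failed:$(rm -rf /):disk full"},
]

DEFAULT_ALARM_MESSAGE = "$source ($event_id - $category): $message"  # probe default


@dataclass
class Profile:
    name: str
    log: str = "*"
    computer: str = "*"
    source: str = "*"
    severity: str = "*"
    user: str = "*"
    category: str = "*"
    event_id: str = "*"          # "*" or an exact ID only; no other regular expression
    no_propagation: bool = False
    alarm_message: str = DEFAULT_ALARM_MESSAGE
    command: str = ""            # Command Executable; empty means Run Command on Match is off
    command_args: list = field(default_factory=list)  # one template per argument
    separator: str = ":"         # Separator that splits the message text into columns


def format_description(message, delimiter="#", remove_recurring=True):
    """Apply Description Delimiter and Remove Recurring Delimiter to a multi-line message."""
    text = message.replace("\r\n", "\n").replace("\n", delimiter)
    if remove_recurring:
        text = re.sub(re.escape(delimiter) + "{2,}", delimiter, text)
    return text


def criterion_matches(pattern, value):
    """'*' (or blank) matches anything; otherwise the criterion is a regular
    expression that must match the whole field value (assumed matching mode)."""
    if pattern in ("*", ""):
        return True
    return re.fullmatch(pattern, str(value), re.IGNORECASE) is not None


def profile_matches(profile, event):
    if profile.event_id != "*" and str(event["event_id"]) != profile.event_id:
        return False
    return all(criterion_matches(getattr(profile, key), event[key])
               for key in ("log", "computer", "source", "severity", "user", "category"))


def expand(template, event, columns):
    """Expand $field variables and $1..$n column variables (column syntax is an
    assumption) in a template. Expansion is single pass: text taken from the
    event is inserted literally and is never re-expanded."""
    def repl(m):
        name = m.group(1)
        if name.isdigit():
            i = int(name) - 1
            return columns[i] if 0 <= i < len(columns) else ""
        return str(event.get(name, m.group(0)))
    return re.sub(r"\$(\w+)", repl, template)


def build_command(profile, event):
    """Return an argv list for Run Command on Match. Each argument template expands
    to exactly one argv element, so event text containing spaces or shell
    metacharacters cannot add arguments or commands. Run it with
    subprocess.run(argv), never through a shell or as a joined string."""
    columns = event["message"].split(profile.separator)
    return [profile.command] + [expand(arg, event, columns) for arg in profile.command_args]


def evaluate(profiles, events, delimiter="#", remove_recurring=True):
    """Run profiles in creation order; No Propagation of Events stops later profiles."""
    results = []
    for event in events:
        for profile in profiles:
            if not profile_matches(profile, event):
                continue
            view = dict(event, message=format_description(event["message"], delimiter, remove_recurring))
            results.append({
                "profile": profile.name,
                "event_id": event["event_id"],
                "alarm": expand(profile.alarm_message, view, []),
                "argv": build_command(profile, event) if profile.command else None,
            })
            if profile.no_propagation:
                break
    return results


# Numeric prefixes keep the creation order and the display order the same.
PROFILES = [
    Profile("1_backup_failures", log="Application", source="Backup", no_propagation=True,
            command=r"C:\scripts\notify.bat", command_args=["--job", "$1", "--detail", "$3"]),
    Profile("2_allerrors", severity="Error"),
    Profile("3_allevents"),
]

if __name__ == "__main__":
    for r in evaluate(PROFILES, EVENTS):
        print(r["profile"], "->", r["alarm"], r["argv"] or "")
```

The third sample message carries `$(rm -rf /)` in one of its columns: because `build_command` returns an argument vector and never joins it into a command line, that text reaches the script as a single literal argument. The same event also shows why profile order matters: the backup profile has No Propagation of Events set, so neither the allerrors nor the allevents profile sees it.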

Create Profile for Log Analytics

You can create a profile to monitor event logs and post messages for events to the Log Analytics queue. You must create only one profile to monitor all the logs that you selected in the General Configuration section. Your other NTEVL profiles are not affected and will continue to work as configured in parallel.

Important! Creating a profile for Log Analytics using IM configuration is not supported.

Follow these steps:

  1. Click the Options (icon) next to the Profiles node and select Add New Profile.
  2. Enter the profile name and select the send_to_axa checkbox. This creates a Log Analytics integrated profile.
  3. Click Submit to create a profile for the event.
    The Profile name node appears under the Profiles node.

    Important! Do not use slash (/) in the profile name; else the probe trims the profile name from the slash (/) character and discards the profile properties. For example, if the profile name is My/Profile then the probe only saves My as the profile name.

  4. Navigate to the Profile name node and update the following information in the Event Selection section:
    • Active: Activates the profile for monitoring.
    • Tenant ID: Enter the unique Tenant ID provided during the CA App Experience Analytics on-boarding process.
    • Tags: Comma Separated values that can help you identify records in Dashboard. Default: N/A
    • Post Message Subject: The UIM queue name to which the probe writes the log data. The axa_log_gateway probe reads log data from this queue and posts to Log Analytics.

Configure Monitoring and Alarms

You can configure the QoS and alarm properties of the profile.

Follow these steps:

  1. Navigate to the Profile name node.
  2. Update the following information in the QOS section to generate QoS messages for the profile:
    • Publish Data: enables the profile to generate QoS messages.
    • Publish Alarms: enables the profile to generate alarms.
    • Time Interval (Seconds): defines the time interval to monitor the events and generate alarms and QoS.
      Default: 3600
  3. Select Compute Baseline to enable thresholds. This option might not be available depending on your CA Unified Infrastructure Management configuration. For more information, see Configuring Alarm Thresholds.
  4. Update the following information in the Alarm section to generate alarm messages for the profile:
    • Publish Alarms: enables the profile to generate alarms.
    • Alarm Message: defines the alarm message that is issued when the event matches the monitoring criteria. You can also use variables in this field. For more information, see the Variable Expansion in Alarms section.
      Default: $source ($event_id - $category): $message
    • Level: specifies the severity of the alarm. Select the From Eventlog option to use the same severity level as the event log message.

      Note: The Critical level is supported only for error-type events on Windows Server 2008; in other cases the probe generates a Minor severity alarm.
    • Subsystem: defines a custom subsystem ID to override the default subsystem ID. For example, you can give the profile name to identify each alarm source. You can also use variables in this field. For more information, see the Variable Expansion in Alarms section.

      Note: CA does not recommend custom subsystem IDs because they can result in an unexpected view of the QoS data in USM.

    • Set Suppression Key: enables the probe to use a custom message suppression key to avoid multiple instances of the same alarm. If you do not select Set Suppression Key, the alarm description is used as the suppression key and the probe sends only one alarm with the same description per interval.
    • Optional Key: defines a custom suppression key for the alarm messages, which overrides the default key.
    • Time Frame Value: defines the time interval during which the probe monitors and temporarily stores matching events in buffer.

      Note: This field is different from Poll Interval which is configured in the Properties section of the ntevl node.

    • Time Frame Unit: specifies the unit of Time Frame Value.
    • Event Count(condition): specifies the threshold condition while counting the number of events to generate an alarm, during the specified time frame.
    • Event Count: defines the event count to compare with the actual event count in buffer and generates an alarm when the threshold condition is breached.

      Note: This functionality is operational only if at least one event is triggered for the matching profile.

      For example, if the Time Frame Value is 5 min, Event Count(condition) is greater than (>), and the Event Count is 4, the probe scans the event log messages in a slot of 5 minutes and generates an alarm when the count of matching events exceeds 4.

    • Post Message: enables the probe to post the event log message data as the alarm.
    • Post Message Subject: defines the subject of the alarm. This value overrides the value of the Default Post Subject field as defined in the ntevl node > Properties section.
  5. Click Save.
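The Time Frame, Event Count and suppression settings above interact, and it is easy to misjudge when an alarm actually fires. The following Python model is an added example, not the probe's own code: it keeps a sliding buffer of matching events for the Time Frame, applies Event Count(condition), and suppresses repeats within one interval using the default key (the alarm description) or the Optional Key. Class and function names, the sample timestamps and the description text are this example's own constructions; the poll interval itself is not modelled.

```python
"""Event Count over a Time Frame, with default (description-based) alarm suppression.

Added example, not ntevl's own code: it models the behaviour described in the Alarm
section. Timestamps and the alarm description are constructed.
"""
import operator
from collections import deque
from datetime import datetime, timedelta

# Event Count(condition) choices, applied as condition(actual_count, Event Count)
CONDITIONS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
              "<=": operator.le, "=": operator.eq}


class EventCountProfile:
    """Buffer matching events for Time Frame Value/Unit and alarm on Event Count(condition)."""

    def __init__(self, time_frame, condition, event_count, optional_key=None):
        self.time_frame = time_frame            # timedelta built from Time Frame Value + Unit
        self.condition = CONDITIONS[condition]  # Event Count(condition)
        self.event_count = event_count          # Event Count threshold
        self.optional_key = optional_key        # Set Suppression Key -> Optional Key
        self.buffer = deque()                   # timestamps of matching events still in frame
        self.sent_keys = set()                  # suppression keys already alarmed this interval

    def new_interval(self):
        """Call once per Time Interval (Seconds): suppression starts over."""
        self.sent_keys.clear()

    def observe(self, ts, description):
        """Record one matching event; return 'alarm', 'suppressed' or None."""
        self.buffer.append(ts)
        # Drop events that have fallen out of the sliding time frame.
        while self.buffer and ts - self.buffer[0] > self.time_frame:
            self.buffer.popleft()
        if not self.condition(len(self.buffer), self.event_count):
            return None
        # Default suppression key is the alarm description; Optional Key overrides it.
        key = self.optional_key or description
        if key in self.sent_keys:
            return "suppressed"
        self.sent_keys.add(key)
        return "alarm"


def run_sample():
    """Five-minute frame, '> 4': the fifth event alarms, the sixth is suppressed,
    and an event seven minutes later finds an almost empty buffer."""
    profile = EventCountProfile(timedelta(minutes=5), ">", 4)
    t0 = datetime(2018, 10, 30, 9, 0, 0)
    return [profile.observe(t0 + timedelta(minutes=m), "Security (4625 - Logon): failed logon")
            for m in (0, 1, 2, 3, 4, 5, 12)]


def run_reset_sample():
    """Suppression is per interval: after new_interval() the same key alarms again."""
    profile = EventCountProfile(timedelta(seconds=60), ">=", 2)
    t0 = datetime(2018, 10, 30, 9, 0, 0)
    out = [profile.observe(t0 + timedelta(seconds=s), "same description") for s in (0, 30, 40)]
    profile.new_interval()
    out.append(profile.observe(t0 + timedelta(seconds=50), "same description"))
    return out
```

Note that with the default key a burst of distinct descriptions (for example, one per failing account) is not suppressed at all; set a suppression key that drops the variable part if you want one alarm per burst.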

(Optional) Configure Custom Variables

You can define variables with a set of conditions. These conditions populate the variable value in real time from the selected event log message. The variables are then used to generate the alarm messages.

Note: Two variables cannot have the same name.

You can use these variables in alarms. For more information, see the Variable Expansion in Alarms section.

Follow these steps:

  1. Navigate to the Profiles node > Variables section.
  2. Click New and update the following information to add a variable to a profile:
    • Name: specifies a name for the variable.
      Default: var

      Important! CA does not recommend changing a variable name, because the probe creates a new variable with the updated name. For example, if you change the variable name from Var1 to Var2, the probe creates a Var2 variable.
    • Source Line: enables the probe to read the variable value from a specific line of the event message text. The probe saves the extracted text in the variable.
    • Source Line Value: defines the line number of the event log message text from which the value is read.
      Default: 1
    • From Character Position: defines the character position in the source line from which the probe starts extracting the variable value.
      Default: 1
    • Source From Position: allows you to select from the following options:
      • Column: defines the position of the column in the source line to extract value of the variable.
      • Character Position: defines the position of the character in the source line to extract value of the variable.
      • Match Expression: defines a regular expression to retrieve all message strings that match the specified value. For more information, see ntevl Regular Expressions.
        The probe generates an alarm when the specified expression matches with the defined operator. (Select the RE option to use regular expressions.)
      Note: You can extract variables from the contents inside parentheses in the match expression: 1 refers to the first parenthesized group in the expression, 2 to the second, and so on.
    • Operator: specifies the operator to generate an alarm. Select the RE option to use regular expressions. For more information, see ntevl Regular Expressions.

      Note: The >, <, >=, and <= operators support only integer and float values; they do not work with string values. Only the = operator works with string values.
    • Threshold: defines the expected value for the variable.

      Note: The probe generates an alarm if the expected condition that you define in the Threshold field is not met. For example, if the expected condition is greater than or equal to (>=) 20, the probe generates alarms for variable values less than 20.
  3. Click Save.

    Note: If you do not want to use the variable, select the variable and click Delete. Save the configuration after you delete an entity.
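The extraction rules (Source Line, Column, Character Position, Match Expression group) and the inverted threshold semantics are the parts of this procedure that most often produce a variable that is silently empty or an alarm that never fires. The Python below is an added example, not the probe's code: it implements those rules against a constructed three-line event message and shows the operator restrictions from the note above. The function names, the message text and the variable definitions are this example's assumptions.

```python
"""Custom variable extraction and Threshold evaluation for an ntevl profile.

Added example, not the probe's code: it reproduces the Source Line / Column /
Character Position / Match Expression rules and the operator restrictions from the
Variables section. The event message and the variable definitions are constructed.
"""
import re

# Constructed three-line event message, as the probe sees it before the
# Description Delimiter joins the lines.
SAMPLE_MESSAGE = (
    "Logon attempt rejected by the domain controller\n"
    "Server name: cifs/fileserver01\n"
    "Failed logons: 37"
)


def extract_variable(message, source_line=1, source="column", position=1,
                     expression=None, group=1):
    """Return the variable value, or None when the line, column or group does not exist."""
    lines = message.split("\n")
    if not 1 <= source_line <= len(lines):
        return None
    line = lines[source_line - 1]
    if source == "column":            # whitespace-separated column, 1-based
        cols = line.split()
        return cols[position - 1] if 1 <= position <= len(cols) else None
    if source == "char":              # From Character Position to end of line, 1-based
        return line[position - 1:] if 1 <= position <= len(line) else None
    if source == "re":                # Match Expression; group N = Nth parenthesis
        match = re.search(expression, line)
        if match is None or group > len(match.groups()):
            return None
        return match.group(group)
    raise ValueError(f"unknown source {source!r}")


def _as_number(text):
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def threshold_breached(value, op, threshold):
    """True when the expected condition is NOT met, which is when the probe alarms.

    >, <, >=, <= compare numbers only; = also works on strings; RE applies a regex.
    Returns None when the comparison cannot be made (string value, numeric operator).
    """
    if value is None:
        return None
    if op == "=":
        num, thr = _as_number(value), _as_number(threshold)
        met = (num == thr) if num is not None and thr is not None else str(value) == str(threshold)
        return not met
    if op == "RE":
        return re.search(str(threshold), str(value)) is None
    num, thr = _as_number(value), _as_number(threshold)
    if num is None or thr is None:
        return None
    met = {">": num > thr, "<": num < thr, ">=": num >= thr, "<=": num <= thr}[op]
    return not met


def check_profile(message=SAMPLE_MESSAGE):
    """Evaluate three constructed variable definitions against the sample message."""
    failed = extract_variable(message, source_line=3, source="re",
                              expression=r"Failed logons: (\d+)", group=1)
    server = extract_variable(message, source_line=2, source="column", position=3)
    tail = extract_variable(message, source_line=2, source="char", position=14)
    return {
        "failed": failed,
        "server": server,
        "tail": tail,
        # expected "failed logons <= 20": 37 does not meet it, so the probe alarms
        "alarm_on_count": threshold_breached(failed, "<=", "20"),
        # expected "server = cifs/fileserver01": met, so no alarm
        "alarm_on_server": threshold_breached(server, "=", "cifs/fileserver01"),
        # a string value with a numeric operator cannot be compared at all
        "alarm_on_bad_compare": threshold_breached(server, ">", "1"),
    }
```

Before saving a variable, run the intended event text through the extraction once: a column index that is off by one, or a Source Line Value beyond the message length, yields no value, and a numeric operator on that value never alarms.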

(Optional) Exclude Event Logs from Monitoring

You can create an Exclude Profile to remove matching events from monitoring. You can also use regular expressions in the event criteria fields so that a single profile excludes multiple events. For example, use the *Win* expression to exclude all events with Win in the name from the event log file. For more information, see ntevl Regular Expressions.

Events that match all the criteria in an exclude profile are excluded from monitoring by the defined profiles. The Event ID field does not support regular expressions; it accepts *, a single ID, comma-separated IDs, ranges, or ranges and commas in the same entry, such as 1-5, 9-20. Use the format shown in the following examples:

  • *
  • 114
  • 1, 5,10
  • 1, 10-12
  • 115-12

Follow these steps:

  1. Select the ntevl node.
  2. Click Options (icon) > Select Event Log.
  3. Select the event log file that contains the events to exclude from the Event Log drop-down list.

    Note: The Event Log drop-down displays only those log files that are selected in the ntevl > Select Log Files.
  4. Click Submit to list the events from the log file.
  5. In the Event Log Status section, select the event to exclude from monitoring.

    Important! The probe displays the Failed to get events error when it retrieves the event list and the event count is high, for example, 3000 or more. The actual limit varies with your system configuration and performance. In such a case, reduce the value of the Maximum Events to Fetch field in the ntevl node.

  6. Click Actions > Exclude Profile to create a profile for the event.

    Note: To remove all messages from the current event log, select Clear log from the Actions drop-down list. Clearing a log permanently deletes its events on the monitored host, so do not clear logs that are subject to retention or forensic requirements.

    You can also create an exclude profile for an event that has not been generated yet. Click the Options (icon) next to the Exclude node and select Exclude Profile.

  7. Specify a name and click Submit to create a profile for the event as an Exclude profile name node under the Exclude node.

    Important! Do not use slash (/) in the profile name; else the probe trims the profile name from the slash (/) character and discards the profile properties. For example, if the profile name is My/Profile then the probe only saves My as the profile name.
  8. Navigate to the Exclude profile name node and select Active to activate the profile.
    Default: Not selected
  9. Update the following information to configure the event log details:
    • Log: specifies the log file from which the probe excludes events. The event log files that are selected in the ntevl node are displayed here.
    • Computer: specifies the computer name on which the event occurred.
    • Source: specifies the source or publisher that logged the event.
    • Severity: specifies the severity of the event.
    • User: specifies the Windows user account for whom the event was generated.
    • Category: specifies the event category. For example, the Service State event.
    • Event ID: specifies the Event ID, or list or range of IDs, to exclude. Use * to exclude all events of the selected log file.

      Note: The Event ID field does not support regular expressions.
    • Message String: defines the message text that an event must match to be excluded. You can use regular expressions to match the message string. For more information, see ntevl Regular Expressions.
  10. Click Save.

    Note: If you do not want to use the exclude profile, click the Options (icon) next to the exclude profile and select Delete. Save the configuration after you delete an entity.
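An exclude profile is a blind spot by design, so it is worth checking exactly which events it removes before saving it. The Python below is an added example, not ntevl's code: it parses the Event ID formats listed above (single IDs, comma lists, ranges, *), applies every criterion of a constructed exclude profile to constructed Security-log events, and flags a profile that is nothing but wildcards. The matching rules are this example's assumptions ('*' or an empty field matches anything, other criteria are case-insensitive regular expressions, and a reversed range such as 115-12 is read low-to-high); the probe's own matching may differ in detail.

```python
"""Exclude Profile matching: Event ID list/range parsing plus all-criteria matching.

Added example, not ntevl's own code. Matching rules are this example's assumptions:
'*' (or an empty field) matches anything, other criteria are case-insensitive regular
expressions, and Event ID accepts only '*', single IDs, comma lists and ranges.
The exclude profile and the events are constructed.
"""
import re

CRITERIA = ("computer", "source", "severity", "user", "category")


def parse_event_ids(spec):
    """'*' -> None (all IDs); '1, 5,10' -> {1, 5, 10}; '1, 10-12' -> {1, 10, 11, 12}."""
    spec = spec.strip()
    if spec == "*":
        return None
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo > hi:  # assumption: a reversed range such as 115-12 is read as 12-115
                lo, hi = hi, lo
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def field_matches(criterion, value):
    """'*' or an empty criterion matches anything; otherwise a case-insensitive regex search."""
    if criterion in (None, "", "*"):
        return True
    return re.search(criterion, str(value), re.IGNORECASE) is not None


def is_excluded(event, profile):
    """Excluded only when the log, every criterion, the Event ID and the Message String all match."""
    if event["log"] != profile["log"]:
        return False
    ids = parse_event_ids(profile.get("event_id", "*"))
    if ids is not None and event["event_id"] not in ids:
        return False
    if not all(field_matches(profile.get(f, "*"), event.get(f, "")) for f in CRITERIA):
        return False
    return field_matches(profile.get("message", "*"), event.get("message", ""))


def profile_is_wildcard_only(profile):
    """True when nothing but the log is specified: saving such a profile silences the whole log."""
    return all(profile.get(f, "*") in (None, "", "*") for f in CRITERIA + ("event_id", "message"))


# Constructed exclude profile: drop successful network (Logon Type 3) logons from the
# Security log, which are very noisy on a file server, while keeping everything else.
NOISY_NETWORK_LOGONS = {
    "log": "Security", "computer": "*", "source": "Microsoft-Windows-Security-Auditing",
    "severity": "*", "user": "*", "category": "Logon", "event_id": "4624",
    "message": r"Logon Type:\s+3\b",
}


def _security_event(event_id, text, logon_type):
    """Constructed Security-log event with only the fields the profile inspects."""
    return {"log": "Security", "computer": "FS01",
            "source": "Microsoft-Windows-Security-Auditing", "severity": "Information",
            "user": "N/A", "category": "Logon", "event_id": event_id,
            "message": f"{text}\nLogon Type:\t\t{logon_type}"}


EVENTS = [
    _security_event(4624, "An account was successfully logged on.", 3),   # excluded
    _security_event(4624, "An account was successfully logged on.", 10),  # RDP logon: kept
    _security_event(4625, "An account failed to log on.", 3),             # failure: kept
]


def still_monitored(events=EVENTS, profile=NOISY_NETWORK_LOGONS):
    """(event_id, logon_type) of every event that the exclude profile does not remove."""
    return [(ev["event_id"], ev["message"].rsplit("\t", 1)[-1])
            for ev in events if not is_excluded(ev, profile)]
```

The Message String criterion is what keeps the exclusion narrow here: without it, the same profile would also drop the interactive and remote logons that a security team usually wants to see.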

(Optional) Variable Expansion in Alarms

You can use variables in alarm messages; when the alarm is generated, each variable is expanded to the related text. For example, to include the profile name in the message, use the profile variable. The values of these variables are retrieved from the monitored system. You can select variables from a list: type a $ symbol followed by a { symbol in the alarm message text to display the list of variables.

The ${Variable name} also returns the variable value which is defined in a profile. For example, you can use ${var} to retrieve the value of a var variable that is configured for the profile. If the specified variable is not defined in the profile, then the variable name is displayed as is. For more information, see the Configure Custom Variables section.

The default variables available for inclusion in the message text are as follows:

  • profile: indicates the name of the profile for which alarm or QoS is generated.
  • description: indicates the user-defined description.
  • variable: indicates the user-defined variable.
  • source: indicates the source from where the event is logged, for example, [Service Control Manager].
  • event_id: indicates the ID of the particular event.
  • category: indicates the category name of the particular event, for example, [Management] and [Disk].
  • log: indicates the event log name, for example, [System] and [Application].
  • severity: indicates the event severity level of the event.
  • severity_str: indicates the severity code name, for example, [error] and [information].
  • user: indicates the username of the event.
  • computer: indicates the host name of the system on which the event is generated.
  • time_stamp: indicates the date-time stamp when the event is generated.
  • message: indicates the message description available in the event logger.
  • record_id: indicates the record number which is assigned to the event when the event is logged.
  • evlData: indicates the associated data of the event. If no data is present, None is added to the message.
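The following Python is an added example, not the probe's code, of how the expansion described above behaves: it substitutes both the $name and ${name} forms from the default variable list and from profile variables, leaves an undefined name exactly as written, and substitutes None for empty evlData. The token syntax, the hex rendering of non-empty evlData, the sample event (a System-log service state change) and the profile variable are this example's assumptions.

```python
"""Variable expansion in an ntevl alarm message.

Added example, not the probe's code: it expands $name and ${name} tokens from the
default variable list and from profile variables, leaves undefined names as-is, and
substitutes None for empty evlData. The event and the profile variable are constructed.
"""
import re

DEFAULT_ALARM_MESSAGE = "$source ($event_id - $category): $message"

# Constructed event carrying the fields that the default variables map to.
SAMPLE_EVENT = {
    "source": "Service Control Manager", "event_id": 7036, "category": "None",
    "log": "System", "severity": 4, "severity_str": "information",
    "user": "N/A", "computer": "FS01", "time_stamp": "2018-10-30 09:00:00",
    "message": "The Windows Update service entered the stopped state.",
    "record_id": 123456, "evlData": b"",
}

# ${name} or $name; assumption: names are identifiers (letters, digits, underscore).
TOKEN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


def expand(template, event, profile_name, description="", profile_vars=None):
    """Replace $var/${var} tokens; names that are not defined are left exactly as written."""
    profile_vars = profile_vars or {}

    def lookup(name):
        if name == "profile":
            return profile_name
        if name == "description":
            return description
        if name == "evlData":
            data = event.get("evlData")
            return data.hex() if data else "None"   # assumption: bytes rendered as hex
        if name in event:
            return str(event[name])
        if name in profile_vars:                     # custom variable from the profile
            return str(profile_vars[name])
        return None

    def repl(match):
        name = match.group(1) or match.group(2)
        value = lookup(name)
        return match.group(0) if value is None else value

    return TOKEN.sub(repl, template)


def demo():
    """Default alarm message, and a custom one mixing profile, custom and unknown variables."""
    return {
        "default": expand(DEFAULT_ALARM_MESSAGE, SAMPLE_EVENT, "svc_state"),
        "custom": expand("${profile}: ${var} on $computer data=${evlData} ${nosuch}",
                         SAMPLE_EVENT, "svc_state", profile_vars={"var": "stopped"}),
    }
```

Because the event message is substituted verbatim, an alarm template that embeds $message also carries any attacker-controlled text that reached the event log (for example a crafted account name); keep that in mind when alarms are forwarded to systems that interpret their content.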