O'Reilly logo

Event Management and Best Practices by Michael Wallace, Guilherme Pereira, Jacqueline Meckwood, Peter Glasmacher, Tony Bhe

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 6. Event management products and best practices 205
To suppress events from IP nodes that are unmanaged in the open map, in the
Event Display window, select Options
Unmanaged Nodes Suppress
Traps. This menu option is a toggle button. To resume seeing the traps, select
this menu option again.
6.1.2 Filtering and forwarding using IBM Tivoli Enterprise Console
This section explains the reasons and ways to filter and forward events using IBM
Tivoli Enterprise Console.
Logfile adapters
Usually, an adapter sends all events to the event server. You can optionally
specify events that can or cannot be sent to the event server. You can do this by
specifying the event class and such information as the origin, severity, or any
other attribute=value pair that is defined for the event class. The class name
specified for an event filter entry must match a defined class name; an adapter
does not necessarily have knowledge of the class hierarchy.
You can try to filter events in the adapter to save processing and correlation time.
Depending on how you specify the Filter and FilterMode keywords, filtered events
are either sent to the event server or discarded.
To send specific events to the event server, set FilterMode to IN. To discard
specific events, set FilterMode to OUT (the default value). Create Filter
statements to match the specific events that you want discarded or sent,
depending on your FilterMode keyword.
You can also use Tcl regular expressions in filtering statements. The format of a
regular expression is re:’value_fragment’.
For more information about how to use these functions, see the IBM Tivoli
Enterprise Console Adapters Guide, Version 3.9, SC32-1242.
Event buffer filtering
When an adapter is unable to connect to the event server or Tivoli Enterprise
Console gateway, it sends the events to a file if the BufferEvents keyword is set to
YES. You can filter events sent to a cache file, similar to filtering events for the
event server by using the FilterCache keyword.
There are no default event cache filters in the configuration files shipped with
adapters.
Format files
A format file serves as the lookup file for matching messages to event classes.
When the format file is used for this purpose, all format specifications in the file
206 Event Management and Best Practices
are compared from top to bottom. In situations where there are multiple matching
classes for a message, the last matching format specification is used. If no match
is found, the event is discarded.
A format file also serves as the source from which a CDS file is generated.
Class definition statement file
CDS files are used by an adapter to map incoming raw events to a particular
class and to define event attributes before forwarding the event to the event
server. No alterations to this file are necessary to use an adapter unless you alter
the corresponding .fmt file (if any). If any event definition is changed in a CDS file,
the corresponding event class definition in the BAROC file may also need
changing.
IBM Tivoli Enterprise Console gateways
IBM Tivoli Enterprise Console gateways should be placed as close to their
corresponding event sources as possible. Depending on the amount of
processing required for each gateway, including the new features of state
correlation, if enabled, you may need to investigate the performance of each
gateway to ensure that it is capable of managing the number of events and their
respective correlation that it receives from it various event sources.
During our laboratory examples, we did not find or investigate any performance
issues caused by the enablement of state correlation on an IBM Tivoli Enterprise
Console gateway. Of course, our environment does not map exactly to your
existing environment, and we did not run performance tests or scalability tests
during our exercises. You made need to investigate this feature of the IBM Tivoli
Enterprise Console gateways to ensure that you do not experience problems in a
production environment.
Match rules
Matching rules are stateless. This means that they perform passive filtering on
the attribute values of an incoming event. A matching rule consists of a single
predicate. If the predicate evaluates to true, the trigger actions, which are
specified in the rule, are executed.
For example, a good practice is to create a state correlation rule, with a match
predicate, to filter events from default root event classes such as EVENT or
NT_BASE.
Note: IBM Tivoli Enterprise Console Gateway state correlation can apply to all
NetView, TME, and non-TME events received by the IBM Tivoli Enterprise
Console gateway.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required