IBM Enterprise Console Network Router User Manual


 
Troubleshooting the Windows Event Log Adapter
Perform the following steps to troubleshoot the Windows event log adapter:
1. Stop the Windows event log adapter that is currently running by pressing the
Esc key in the command window session that is running the Windows event
log adapter. Pressing the Ctrl+c key combination in the command window
session that is running the Windows event log adapter also stops the adapter.
2. Start the adapter in debug mode:
tecad_win -d -c Config_File
3. Generate test events and see if the adapter receives them. Do this by starting
and stopping a service that logs to the Windows Event Manager. For example,
you can use the Windows Control Panel Services to stop the FTP Server and
then start it. This adds an event entry in the Windows Security Log that is
picked up by the Windows event log adapter.
Another effective way to generate and monitor Windows events is to run the
Windows User Manager application (located in the Administrative Tools
folder). Select Audit from the Policies menu and choose from the different
activities that Windows can monitor. You want these items to be audited and
then picked up by the Windows event log adapter.
Yet another method is to set up an alert in Windows Performance Monitor
(located in the Administrative Tools folder) that fires every 30 seconds when
CPU usage is less than 100%. Because that condition is almost always true, this
produces a steady stream of test events without touching any service.
4. When events arrive, the adapter prints messages to the screen indicating the
class and the attribute values in the class.
If you do not see any messages, the adapter is not receiving events from the
Windows event logs.
For example, you should see a message that the FTP server has registered as a
trusted logon process. If you do not see this message, run the Windows User
Manager application (located in the Administrative Tools folder), select Audit
from the Policies menu and choose Restart, Shutdown, and System events to
be audited for Success and Failure. Then stop and restart the Windows FTP
server as described in step 3.
5. If you see the messages, the adapter is receiving events and processing them.
Run the wtdumprl command on the event server and verify that the events
are actually showing up in the reception log. If not, the events were not
received by the event server or there is a problem with the event server
reception process. Check the adapter configuration file to verify that
ServerLocation and ServerPort are properly defined. Also check the Filter
entries: with the default FilterMode of OUT, an event whose class matches any
Filter entry in the configuration file is discarded by the adapter and never sent
to the event server (with FilterMode set to IN, only matching events are sent).
If you are running the TME version of the adapter, the administrator who
started it must have the required roles; for a TME adapter, running the odstat
command can offer some clues as to what failed.
6. If the reception log has a PARSING_FAILED error, the BAROC definition of
the class does not match the event that is being received from the adapter.
Usually the error messages pinpoint the problem.
7. If the previous steps do not indicate any problem and you do not see the new
events in the IBM Tivoli Enterprise Console product, there might be a problem
with the event group filters. Make sure the class filters match the classes in the
BAROC files.
8. The adapter's .err file controls where trace output is written; entries that
point to /dev/null discard it. Change all /dev/null entries in the .err file to the
file name you want. Stop and restart the adapter, send an event through, and
then look in the trace file to see what processing was done on the event.
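Step 5 is where most dropped-event problems turn out to be configuration rather than connectivity: the server fields are wrong, or a Filter entry silently swallows the class you are testing with. The following script is an added example, not code from the manual or the Tivoli product, that pre-checks an adapter configuration before you start the debug session. It assumes the configuration file is one Key=Value keyword per line, that filter entries look like Filter:Class=NT_Base;Attribute=value;, that FilterMode defaults to OUT (matching events dropped) and may be set to IN (only matching events sent), and that attribute values match by exact string comparison. The sample configuration and the sample events are constructed for the example; the hostname tecserver.example.com is not a real server.

```python
"""Pre-flight check of a tecad_win configuration file (added example).

Confirms ServerLocation and ServerPort are defined and decides whether a given
event class would be suppressed by Filter entries before reaching the event
server. File syntax, FilterMode semantics and exact-match filtering are
assumptions for this example, not taken from the manual page.
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample configuration; not a real deployment.
SAMPLE_CONF = """\
# tecad_win.conf (constructed sample)
ServerLocation=tecserver.example.com
ServerPort=5529
BufferEvents=YES
FilterMode=OUT
Filter:Class=NT_Base;
Filter:Class=NT_NTLogEvent;Category=Test;
"""


def _parse_filter(body: str) -> Dict[str, str]:
    """Turn 'Class=NT_Base;Category=Test;' into {'Class': 'NT_Base', ...}."""
    entry: Dict[str, str] = {}
    for clause in body.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        attr, _, val = clause.partition("=")
        entry[attr.strip()] = val.strip()
    return entry


def parse_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Return (plain keywords, list of Filter entries) from the config text."""
    keywords: Dict[str, str] = {}
    filters: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Filter:"):
            filters.append(_parse_filter(line[len("Filter:"):]))
            continue
        key, _, value = line.partition("=")
        keywords[key.strip()] = value.strip()
    return keywords, filters


def filter_matches(entry: Dict[str, str], event: Dict[str, str]) -> bool:
    """An event matches a Filter entry when every attribute in the entry is equal."""
    return all(event.get(attr) == val for attr, val in entry.items())


def would_be_sent(keywords: Dict[str, str], filters: List[Dict[str, str]],
                  event: Dict[str, str]) -> bool:
    """Apply the assumed FilterMode semantics: OUT drops matches, IN keeps only matches."""
    mode = keywords.get("FilterMode", "OUT").upper()
    matched = any(filter_matches(f, event) for f in filters)
    return matched if mode == "IN" else not matched


def check_server(keywords: Dict[str, str]) -> List[str]:
    """Report missing or malformed ServerLocation / ServerPort keywords."""
    problems: List[str] = []
    if not keywords.get("ServerLocation"):
        problems.append("ServerLocation is missing or empty")
    port = keywords.get("ServerPort")
    if port is None:
        problems.append("ServerPort is missing")
    elif not port.isdigit() or int(port) > 65535:
        # 0 is accepted: it is the conventional 'use the portmapper' value.
        problems.append(f"ServerPort {port!r} is not a valid port number")
    return problems


def server_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test; separates 'adapter never sent it' from 'server unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(conf_text: str, event: Dict[str, str]) -> List[str]:
    """Return a list of findings for this config and test event (empty means clean)."""
    keywords, filters = parse_conf(conf_text)
    findings = check_server(keywords)
    if not would_be_sent(keywords, filters, event):
        findings.append(
            f"class {event.get('Class')} would be dropped by a Filter entry "
            f"(FilterMode={keywords.get('FilterMode', 'OUT')})")
    return findings


if __name__ == "__main__":
    test_event = {"Class": "NT_Base"}
    for finding in diagnose(SAMPLE_CONF, test_event) or ["no configuration problems found"]:
        print(finding)
```

Run it against the real configuration file (read the text and pass it to diagnose with the class your test event produces) before step 2; if it reports a filtered class, no amount of adapter debugging will make the event appear in wtdumprl. The reachability helper is deliberately not called from diagnose so the check stays offline; call server_reachable(host, int(port)) separately when the configuration looks clean but the reception log is still empty.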
Chapter 10. Windows Event Log Adapter