Troubleshooting the Windows NT Event Log Adapter
Perform the following steps to troubleshoot the Windows NT event log adapter:
1. Stop any Windows NT event log adapter that is currently running. Press the
Esc key, or the Ctrl+c key combination, in the command window session that is
running the adapter; either one stops it.
2. Start the adapter in debug mode:
tecad_nt -d -c Config_File
3. Generate test events and check whether the adapter receives them. Do this by
stopping and starting a service that writes to the Windows NT event log. For
example, use the Services applet in the Windows NT Control Panel to stop the
FTP Server and then start it again. This adds an event entry to the Windows NT
Security Log (provided system events are being audited, as described in step
4) that the Windows NT event log adapter picks up.
Another effective way to generate and monitor Windows NT events is to run the
Windows NT User Manager application (located in the Administrative Tools
folder). Select Audit from the Policies menu and choose from the activities
that Windows NT can monitor. Each audited activity writes Security Log entries
that the Windows NT event log adapter then picks up.
Yet another method is to set up an alert in Windows NT Performance Monitor
(located in the Administrative Tools folder) that fires every 30 seconds when
CPU usage is less than 100%, and set the alert to log an event in the
Application Log; this produces a steady stream of events for the adapter.
4. When events arrive, the adapter prints messages to the screen showing the
event class and the attribute values in that class.
If you do not see any messages, the adapter is not receiving events from the
Windows NT event logs.
For example, after restarting the FTP Server you should see a message that the
FTP server has registered as a trusted logon process. If you do not see this
message, run the Windows NT User Manager application (located in the
Administrative Tools folder), select Audit from the Policies menu, and set
Restart, Shutdown, and System events to be audited for both Success and
Failure. Then stop and restart the Windows NT FTP Server as described in step
3.
5. If you see the messages, the adapter is receiving events and processing
them. Run the wtdumprl command on the event server and verify that the events
are actually showing up in the reception log. If they are not, either the
event server did not receive them or there is a problem with the event server
reception process. Check the adapter configuration file to verify that
ServerLocation and ServerPort are properly defined. Check the Filter entries
as well: with the default FilterMode of OUT, an event whose class matches any
Filter entry in the configuration file is discarded by the adapter and never
sent to the event server. If you are running the TME version of the adapter,
the administrator who started it must have the required Tivoli roles; for a
TME adapter, running the odstat command can offer some clues as to what
failed.
6. If the reception log has a PARSING_FAILED error, the BAROC definition of
the class does not match the event that is being received from the adapter.
Usually the error messages pinpoint the problem.
7. If the previous steps do not indicate any problem and you do not see the new
events in the IBM Tivoli Enterprise Console product, there might be a problem
with the event group filters. Make sure the class filters match the classes in the
BAROC files.
8. Change every /dev/null entry in the adapter's .err file to the name of the
trace file you want written. Stop and restart the adapter, send an event
through, and then look in the trace file to see what processing was done on
the event.
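The configuration checks in step 5 (ServerLocation and ServerPort defined, and whether a class is filtered out) are easy to get wrong by eye when a configuration file has many Filter entries. The following Python script is an added editorial example, not adapter code from the Tivoli product: it parses the keyword=value and Filter:Class=...; syntax that tecad_nt configuration files use, reports missing server keywords, and predicts whether a given event would be sent or discarded. The sample configuration is constructed, and the matching is a simplification that assumes exact attribute-value comparison and the FilterMode IN/OUT semantics stated in step 5.

```python
"""Predict step 5 outcomes from a tecad_nt style configuration file.

Added example, not the adapter's own code.  Assumptions (labelled):
  - configuration lines are 'Keyword=Value' or 'Filter:Attr=Val;Attr=Val;'
  - Filter attributes are compared by exact string equality (real adapters
    may support richer matching; this script does not)
  - FilterMode=OUT (default) drops events matching any Filter entry,
    FilterMode=IN sends only events matching some Filter entry
"""

# Constructed sample configuration, not taken from a real installation.
SAMPLE_CONF = """\
# tecad_nt.conf (constructed sample)
ServerLocation=@EventServer
ServerPort=0
BufferEvents=YES
FilterMode=OUT
Filter:Class=NT_Base;
Filter:Class=NT_Print;Severity=WARNING;
"""


def parse_conf(text):
    """Return (keywords, filters).

    keywords: dict of Keyword -> Value for plain 'Keyword=Value' lines.
    filters:  list of dicts, one per 'Filter:' line, each mapping the
              attribute names in that entry to the values they must equal.
    """
    keywords = {}
    filters = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Filter:"):
            conds = {}
            for part in line[len("Filter:"):].split(";"):
                part = part.strip()
                if part:
                    name, _, value = part.partition("=")
                    conds[name.strip()] = value.strip()
            filters.append(conds)
        elif "=" in line:
            name, _, value = line.partition("=")
            keywords[name.strip()] = value.strip()
    return keywords, filters


def missing_server_keywords(keywords):
    """Names of the server keywords from step 5 that are absent or empty."""
    return [k for k in ("ServerLocation", "ServerPort") if not keywords.get(k)]


def _matches(filt, event):
    # Every attribute named in the Filter entry must equal the event's value.
    return all(event.get(attr) == value for attr, value in filt.items())


def is_sent(event, keywords, filters):
    """True if the adapter would forward the event to the event server.

    event is a dict of attribute -> value, using 'Class' for the event class
    just as the Filter entries do.
    """
    mode = keywords.get("FilterMode", "OUT").upper()   # OUT is the default
    matched = any(_matches(f, event) for f in filters)
    return (not matched) if mode == "OUT" else matched


def diagnose(text, event):
    """One-line verdict for an event against a configuration, for a console."""
    keywords, filters = parse_conf(text)
    missing = missing_server_keywords(keywords)
    if missing:
        return "missing server keywords: " + ", ".join(missing)
    if not is_sent(event, keywords, filters):
        return "event %s matches a Filter entry and will not be sent" % event
    return "event %s would be sent to the event server" % event


if __name__ == "__main__":
    for ev in ({"Class": "NT_Base"},
               {"Class": "NT_Print", "Severity": "WARNING"},
               {"Class": "NT_Print", "Severity": "HARMLESS"}):
        print(diagnose(SAMPLE_CONF, ev))
```

Run the script against your own configuration file by reading it into the `text` argument of `diagnose`; if it reports a class as filtered, that explains an event that prints in debug mode (step 4) yet never appears in wtdumprl output.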
Chapter 11. Windows NT Event Log Adapter 139