Configuring a Log File Agent instance on Windows allows
Windows OS events to be forwarded to IBM® Operations Analytics - Log Analysis.
Before you begin
Ensure that the Tivoli Log File Agent (LFA) is installed
on the Windows server that is being monitored. For more information
on installing the Tivoli LFA, see the "Tivoli Log File Agent User's
Guide" in the IBM Tivoli Monitoring Knowledge Center.
Ensure that the Windows Server can communicate with the IBM Operations Analytics - Log Analysis server.
Communication is directed to the EIF receiver port on the IBM Operations Analytics - Log Analysis server
(default 5529). Ensure that no firewall between the two servers blocks this port.
About this task
The steps in this task outline how to use the LFA to gather
and push Windows OS events to the IBM Operations Analytics - Log Analysis server.
The LFA can be configured to send Windows OS Events to the EIF Receiver
that is deployed with IBM Operations Analytics - Log Analysis.
For more details on configuring the EIF Receiver on IBM Operations Analytics - Log Analysis,
see section "Configuring the EIF Receiver" in the IBM Operations Analytics - Log Analysis Knowledge Center.
Procedure
- On the IBM Operations Analytics - Log Analysis server,
copy the LFA .conf and .fmt files to the target Windows Server.
The .conf and .fmt files are in the directory that the Windows OS Events Insight Pack is installed in.
The location of the Windows OS Events Insight Pack can be
determined by using the pkg_mgmt.sh command:
<HOME>/IBM/LogAnalysis/utilities/pkg_mgmt.sh -list
- On the target Windows Server, place both files in a directory
accessible to the installation of the Tivoli LFA.
- Edit the lfaWinEvt.conf file.
- Update the ServerLocation to the host name or IP address of the IBM Operations Analytics - Log Analysis server.
- Update the ServerPort to the configured value on the IBM Operations Analytics - Log Analysis server.
The default port is 5529.
# Our EIF receiver host and port.
# Only needed when sending events directly to OMNIbus or TEC via EIF.
# That is configured through either the Manage Tivoli Enterprise Monitoring
# Services GUI or the
# "itmcmd config -A lo" command.
ServerLocation=unityserver.ibm.com
ServerPort=5529
For more information on configuring the EIF Receiver on IBM Operations Analytics - Log Analysis,
see section "Configuring the EIF Receiver" in the IBM Operations Analytics - Log Analysis Knowledge Center.
The lfaWinEvt.fmt file formats the
Windows OS events that are read by the Tivoli LFA into a CSV format
for ingestion by the Windows OS Events Insight Pack.
- The only value within this .fmt file that you are recommended to edit is logpath.
This string must match that of the configured data source on the IBM Operations Analytics - Log Analysis server.
By default, the value of the host name is the value that
is returned by executing the DOS command hostname from
the command line. This string must be used as the host name value
when configuring the data source on the IBM Operations Analytics - Log Analysis server.
- Launch the Manage Tivoli Enterprise Monitoring
service application on the Windows Server.
- Select the Tivoli Log File Agent template
and select using defaults.
- Enter a unique instance name when prompted.
Note: There is a limit on the length of the instance names. The internal identification
of an LFA instance by ITM libraries restricts the length to 32 characters in total.
- In the Log File Adapter Configuration tab,
enter the location of the .conf and .fmt files,
and set the Send ITM Event option to No.
The LFA instance will now be configured and can be
started from the Manage Tivoli Enterprise Monitoring service.
Once started, it is possible to troubleshoot the LFA instance by:
- Select and right-click the LFA instance in the Manage
Tivoli Enterprise Monitoring service dialog.
- Click .
The $UNITY_HOME/logs/UnityEifReceiver.log file
on the IBM Operations Analytics - Log Analysis server
can now be used to observe events being received from the LFA by IBM Operations Analytics - Log Analysis.
For more information on logging the UnityEifReceiver,
see section "Enabling console logging and changing the log level for
the EIF receiver" in the IBM Operations Analytics - Log Analysis Knowledge Center.
Note: When configuring the LFA, ensure that the No TEMS option is
selected. For more details on configuring this option, see the known
issue "Log File Agent fails to post events" in the
IBM Operations Analytics - Log Analysis Knowledge Center.
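The following PowerShell script is an added example, not part of the IBM documentation. Run on the target Windows Server, it checks the settings this procedure depends on: ServerLocation and ServerPort in lfaWinEvt.conf, TCP reachability of the EIF receiver port, and the 32-character instance name limit. It also prints the host name that the data source must use. The file path and instance name are placeholders, and the function names are this example's own.

```powershell
param(
    [string]$ConfPath     = 'C:\LFA\lfaWinEvt.conf',  # placeholder: where you copied the .conf
    [string]$InstanceName = 'WinEvtToLogAnalysis'     # placeholder: your LFA instance name
)

function Read-LfaConf {
    param([string[]]$Lines)
    # Collect key=value settings, skipping blank lines and '#' comments.
    $settings = @{}
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }
        $key, $value = $text -split '=', 2
        if ($null -ne $value) { $settings[$key.Trim()] = $value.Trim() }
    }
    return $settings
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout: shows the port is reachable, nothing more.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

if (-not (Test-Path -LiteralPath $ConfPath)) { "FAIL: $ConfPath not found"; exit 1 }
$conf = Read-LfaConf -Lines (Get-Content -LiteralPath $ConfPath)
$server = $conf['ServerLocation']
$port = 0
$problems = @()
if (-not $server) { $problems += 'ServerLocation is not set' }
if (-not ([int]::TryParse([string]$conf['ServerPort'], [ref]$port)) -or $port -lt 1 -or $port -gt 65535) {
    $problems += 'ServerPort is missing or not a valid TCP port'
}
if ($InstanceName.Length -gt 32) {   # the page gives a 32-character limit in total
    $problems += "Instance name is $($InstanceName.Length) characters; the limit is 32"
}
if (-not $problems -and -not (Test-TcpPort -HostName $server -Port $port)) {
    $problems += "No TCP connection to ${server}:$port (receiver stopped or firewall blocking?)"
}

"Host name to use for the data source: $(hostname)"
if ($problems) { $problems | ForEach-Object { "FAIL: $_" }; exit 1 }
"OK: ${server}:$port accepts TCP connections"
```

A successful TCP connection only shows that the port is open; confirm that events actually arrive by watching UnityEifReceiver.log on the Log Analysis server.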