IBM Operations Analytics - Log Analysis, Version 1.3.2

Integrating the Windows OS Events Insight Pack with the Log File Agent

Configuring a Log File Agent instance on Windows allows Windows OS events to be forwarded to IBM® Operations Analytics - Log Analysis.

Before you begin

Ensure that the Tivoli Log File Agent (LFA) is installed on the Windows server that is being monitored. For more information on installing the Tivoli LFA, see the "Tivoli Log File Agent User's Guide" in the IBM Tivoli Monitoring Knowledge Center.

Ensure that the Windows Server can communicate with the IBM Operations Analytics - Log Analysis server. Communication is directed to the EIF receiver port on the IBM Operations Analytics - Log Analysis server (default 5529). Ensure that any firewall restrictions are lifted.

About this task

The steps in this task outline how to use the LFA to gather Windows OS events and push them to the IBM Operations Analytics - Log Analysis server. The LFA can be configured to send Windows OS Events to the EIF Receiver that is deployed with IBM Operations Analytics - Log Analysis. For more details on configuring the EIF Receiver on IBM Operations Analytics - Log Analysis, see section "Configuring the EIF Receiver" in the IBM Operations Analytics - Log Analysis Knowledge Center.

Procedure

  1. On the IBM Operations Analytics - Log Analysis server, copy the LFA .conf and .fmt files to the target Windows Server.

    The .conf and .fmt files are in the directory in which the Windows OS Events Insight Pack is installed.

    The location of the Windows OS Events Insight Pack can be determined by using the pkg_mgmt.sh command:

    <HOME>/IBM/LogAnalysis/utilities/pkg_mgmt.sh -list
  2. On the target Windows Server, place both files in a directory that is accessible to the Tivoli LFA installation.
  3. Edit the lfaWinEvt.conf file.
    1. Update the ServerLocation to the host name or IP address of the IBM Operations Analytics - Log Analysis server.
    2. Update the ServerPort to the configured value on the IBM Operations Analytics - Log Analysis server.

      The default port is 5529.

      # Our EIF receiver host and port.  
      # Only needed when sending events directly to OMNIbus or TEC via EIF.
      # That is configured through either the Manage Tivoli Enterprise Monitoring 
      # Services GUI or the 
      # "itmcmd config -A lo" command.
      ServerLocation=unityserver.ibm.com
      ServerPort=5529

      For more information on configuring the EIF Receiver on IBM Operations Analytics - Log Analysis, see section "Configuring the EIF Receiver" in the IBM Operations Analytics - Log Analysis Knowledge Center.

    The lfaWinEvt.fmt file formats the Windows OS events that are read by the Tivoli LFA into a CSV format for ingestion by the Windows OS Events Insight Pack.
  4. The only value in the .fmt file that you should edit is logpath. This string must match the log path of the data source that is configured on the IBM Operations Analytics - Log Analysis server.

    By default, the value of the host name is the value that is returned by executing the DOS command hostname from the command line. This string must be used as the host name value when configuring the data source on the IBM Operations Analytics - Log Analysis server.

  5. Launch the Manage Tivoli Enterprise Monitoring service application on the Windows Server.
  6. Select the Tivoli Log File Agent template and select Actions > Configure using defaults.
  7. Enter a unique instance name when prompted.
    Note: There is a limit on the length of instance names. The internal identification of an LFA instance by the ITM libraries restricts the name to 32 characters in total.
  8. In the Log File Adapter Configuration tab, enter the location of the .conf and .fmt files, and set the Send ITM Event option to No.

    The LFA instance will now be configured and can be started from the Manage Tivoli Enterprise Monitoring service.

    Once started, you can troubleshoot the LFA instance as follows:

    1. Select and right-click the LFA instance in the Manage Tivoli Enterprise Monitoring service dialog.
    2. Click Advanced > View Trace File.

    The $UNITY_HOME/logs/UnityEifReceiver.log file on IBM Operations Analytics - Log Analysis server can now be used to observe events being received from the LFA by IBM Operations Analytics - Log Analysis.

    For more information on logging the UnityEifReceiver, see section "Enabling console logging and changing the log level for the EIF receiver" in the IBM Operations Analytics - Log Analysis Knowledge Center.

    Note: When configuring the LFA, ensure that the No TEMS option is selected. For more details on configuring this option, see the known issue "Log File Agent fails to post events" in the IBM Operations Analytics - Log Analysis Knowledge Center.
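
The following PowerShell script is an added example and is not part of the IBM documentation or the Insight Pack. It performs the Windows-side checks from the procedure above before the instance is started: it enforces the 32-character instance name limit, confirms that both files were copied, tests that the EIF receiver port on the Log Analysis server is reachable through the firewall, rewrites ServerLocation and ServerPort in lfaWinEvt.conf (keeping a backup), and prints the host name together with the logpath lines from the .fmt file so that they can be compared with the data source configured on the Log Analysis server. The host name, directory path and instance name are placeholder assumptions.

```powershell
# Added example, not part of the IBM documentation: Windows-side pre-flight
# checks and lfaWinEvt.conf update for a new LFA instance.
# Placeholders (assumptions): $LogAnalysisHost, $LfaConfigDir, $InstanceName.
param(
    [string]$LogAnalysisHost = 'loganalysis.example.com',       # placeholder host name
    [int]$EifPort            = 5529,                            # default EIF receiver port
    [string]$LfaConfigDir    = 'C:\IBM\ITM\TMAITM6\lfa-winevt', # placeholder directory
    [string]$InstanceName    = 'winevt01'                       # placeholder instance name
)
$ErrorActionPreference = 'Stop'

# ITM identifies an LFA instance internally with at most 32 characters.
if ($InstanceName.Length -gt 32) {
    throw "Instance name '$InstanceName' has $($InstanceName.Length) characters; the ITM limit is 32."
}

# Both files copied from the Log Analysis server must be readable by the LFA.
$confPath = Join-Path $LfaConfigDir 'lfaWinEvt.conf'
$fmtPath  = Join-Path $LfaConfigDir 'lfaWinEvt.fmt'
foreach ($path in @($confPath, $fmtPath)) {
    if (-not (Test-Path -Path $path -PathType Leaf)) { throw "Missing LFA file: $path" }
}

# The EIF receiver port must be reachable from this server (firewall check).
$probe = Test-NetConnection -ComputerName $LogAnalysisHost -Port $EifPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach the EIF receiver at ${LogAnalysisHost}:${EifPort}; check firewall rules and the receiver configuration."
}

# Point ServerLocation and ServerPort at the Log Analysis server, keeping a backup of the original file.
Copy-Item -Path $confPath -Destination "$confPath.bak" -Force
$updated = Get-Content -Path $confPath | ForEach-Object {
    if ($_ -match '^\s*ServerLocation=') { "ServerLocation=$LogAnalysisHost" }
    elseif ($_ -match '^\s*ServerPort=') { "ServerPort=$EifPort" }
    else { $_ }
}
foreach ($key in 'ServerLocation', 'ServerPort') {
    if (@($updated | Where-Object { $_ -match "^$key=" }).Count -ne 1) {
        throw "Expected exactly one $key line in $confPath."
    }
}
Set-Content -Path $confPath -Value $updated -Encoding ASCII

# The data source on the Log Analysis server must use this host name, and its
# log path must match the logpath value in the .fmt file; show both for comparison.
[pscustomobject]@{
    HostNameForDataSource = (& hostname).Trim()
    LogpathLinesInFmt     = (Select-String -Path $fmtPath -Pattern 'logpath' | ForEach-Object { $_.Line.Trim() }) -join '; '
    ConfBackup            = "$confPath.bak"
}
```

Run the script on the Windows server before step 5, passing the real Log Analysis host name and the directory from step 2; a failed TCP probe points at the firewall or EIF receiver configuration described under "Before you begin", and the printed host name is the value to enter in the data source on the Log Analysis server.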
