IBM Tivoli Monitoring, Version 6.3

Event Log attributes

Use Event Log attributes to create situations about actual records that are written to any Windows Event logs, such as date and time of the event and event identification information. Event Log is a multiple-instance attribute group. You cannot mix these attributes with those of any other multiple-instance attribute group.

When building a query to collect log entries, the following applies:

The operator is checked for ULogName and LogName. If ULogName and LogName are specified for the same clause (AND) ULogName is used. This is not recommended since the normal filter will likely throw away the results (no log will have ULogName == Application and LogName = Security, for example). The operator is checked for ULogName and LogName. If it is anything other than ==, the query fails, error entries are written to the log and no results are returned.
EntryTime allows specification using >, >=, <, <=. Any other operators cause an error to be written to the log, and no results are returned.
The agent returns up to 500 entries from each log identified in the query.
The agent processes all of the logs identified in OR clauses using ULogName and LogName.
Any filter elements other than U/LogName and EntryTime are handled by the agent infrastructure, so the results are filtered correctly.

Category The classification of the event as defined by the source. Valid format is a text string of up to 32 characters.

Category (Unicode) The classification of the event as defined by the source in UTF8. Valid format is a text string of up to 52 bytes.

Computer The name of the computer where the event occurs. Valid format is a text string of up to 16 characters.

Date The date for when the event was logged.

Description A description of the event you are monitoring. Valid format is a text string of up to 1128 characters. Note that this attribute displays only ANSI strings. Description (Unicode) serves as a Unicode version of this attribute.

Description (Unicode) A description of the event you are monitoring in UTF8. Valid format is a text string of up to 1128 characters.

Duplicate Record Count The number of duplicate records in the NT Event Log. Note: the value 9223372036854775807 indicates Value_Exceeds_Maximum and the value -9223372036854775808 indicates Value_Exceeds_Minimum. Controlled by these agent environment settings:

NT_LOG_THROTTLE
NT_{Event Log Name}_LOG_THROTTLE
NT_APPLICATION_LOG_THROTTLE
NT_SYSTEM_LOG_THROTTLE
NT_SECURITY_LOG_THROTTLE
NT_DNS_LOG_THROTTLE
NT_DIRSERVICE_LOG_THROTTLE
NT_FILEREPSRV_LOG_THROTTLE

For information on how to use environment variables to resolve high CPU usage due to situation behavior and to reduce the amount of records displayed in query views, see Specific situation troubleshooting.

Entry Time The date and time the event you are monitoring is logged.

Event ID The identification code of the event you are monitoring. Valid format is a numeric string.

Event ID (String) Event ID represented as a string.

Log Name The name of a log. Valid format is a text string of up to 32 characters. The log names are case sensitive. Application is an example of a valid log name.

Log Name (Unicode) The Log Name in UTF8. Valid format is a text string of up to 392 bytes. The log names are case sensitive. Application is an example of a valid log name.

Record Number The identifier for the event within the Windows NT event log file (specific to the log file). This attribute is used together with the log file name to uniquely identify an instance of this class.

Server Name The managed system name. The form should be hostname:agent_code.

Examples include spark:KNT or deux.raleigh.ibm.com:KNT.

In workspace queries, this attribute should be set equal to the value $NODE$ in order to populate the workspace with data. This attribute is generally not included in situations, unless there is a need to customize the situation for a specific managed system.

Source The name of the application or component that logged the event you are monitoring. Valid format is a text string of up to 32 characters.

Source (Unicode) The software that logged the event, which can be an application name or a component of the system in UTF8. Valid format is a text string of up to 52 bytes.

Time The time for when the event was logged.

Timestamp The date and time the Tivoli Enterprise Monitoring Server samples the data.

Type The severity level of the event you are monitoring. Valid format is a case-sensitive text string of up to 16 characters (as described in the Event Type column). Possible values are:

Event Type	Description
Error	Serious, such as 'device driver not loading'
Warning	Cautionary, but not serious, such as 'low on disk space'
Information	Noteworthy, but not serious, such as 'successful operation achieved by an application'
Success	Indicates a successful procedure, such as 'an attachment to a shared printer'
Failure Audit	Failure of a procedure, such as 'a user attempting a procedure without correct privileges'

For example, Error indicates the severity level of the event you are monitoring is serious.

User The name of the user whose information you are monitoring. Valid format is a text string of up to 32 characters.

User (Unicode) The user name in UTF8. Valid format is a text string of up to 52 bytes.

Feedback