Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Operations Manager i10.62

Administer > Monitoring > Policy Templates > Configure Logfile Entry Policies

Configure Log File Entry Policies

Log file entry policies enable you to monitor log files for entries that match specific rules. You can configure policies to create events and launch commands whenever a log file entry matches one of your rules.

To access

Open the Policy Templates manager:

Administration > Monitoring > Policy Templates

Alternatively, click Policy Templates.
In the Policy Template Groups pane, expand Policy Management > Templates grouped by type > Events.
Click the Logfile Entry folder, and then do one of the following:
- To add a new policy template, in the Policy Templates pane, click the New Item button, and then click the Add New Policy Template... or the Add New Policy Template (Raw Mode) button.
  
  The New Logfile Entry Template Editor opens.
- To edit an existing policy template, click the policy template in the Policy Templates pane, click the Edit Item button, and then click the Edit Policy Template or the Edit Policy Template (Raw Mode) button.
  
  The Edit Logfile Entry Template Editor opens.

Tip You can also access the policy editor from the Edit Aspect dialog box (see —Policy Templates).

Tasks

How to create a log file entry policy

In the Log File Entry Policy Editor, in the Properties page, type a Name for the policy.

Optional. Provide a description of the policy (Description), select the instrumentation that will be deployed with the policy onto the host system where the agent is running (Instrumentation), and select the operating systems with which the policy is compatible (OS Types).

For more information, see Properties Page.
In the Source page, define the log file that the policy reads (for example, the path and name of the log file).
1. In Log File Path / Name, type the full path to the log file on nodes.
2. Optional. Preprocess the log file.
  If you want to reformat an original log file before the agent reads it, you can preprocess it using a command or program that you provide. For example, you can preprocess a binary log file to produce a text file in a format that the agent can then read.
  
  To preprocess a log file:
  1. Select the Preprocessing check box.
  2. In File to be executed, type the complete path and extension of the command or program that preprocesses the log file. The file that you specify must exist on the node.
    
    If Log file path \ name is empty, the agent runs the command at the polling interval that you specify. If Log file path \ name contains the path of a log file, the agent runs the command at the specified polling interval only if the log file has changed.
  3. Optional. In File to be read, type the full path of the log file that the preprocessing command creates or updates.
    
    If you specify a path in File to be read, the agent reads this log file. If you leave File to be read empty, the agent reads the log file that you specify in Log file path \ name instead.
3. Click Logfile Character Set and select the character set of the log file that you want to monitor.
For more details, see Source Page.
Optional. In the Defaults page, set default attributes for all events that a policy sends. The event defaults only affect new rules. You can override the defaults for individual rules.

Note You can set defaults for only a subset of event attributes. You can set the other event attributes within individual rules.

In text boxes, you can use indicators, policy variables, and policy parameters.

For more details, see Event Attributes Tab, Event Correlation Tab, Instructions Tab, and Advanced Tab.
In the Rules page, define one or more policy rules.
1. In the Policy Rules list, click the button, and then click one of the following options:
  - Event on matched rule: Use this option if you want to send an event to OMi when the conditions are met.
  - Suppress on matched rule: Use this option if you want to stop processing the policy when the conditions that you specify are met.
  - Suppress on unmatched rule: Use this option if you want to stop processing the policy when the conditions that you specify are not met.
2. Click the Rule Description and type a brief description of the rule.
For more details, see Policy Rules List.
In Rule Content, use the Condition tab to specify a string that the policy searches for in the log file that the policy monitors.

You can enter pattern matching expressions and policy parameters in the text boxes.

For example, set these conditions to match the following log file line:

Warning: too many users on node celery.example.com
- Node equals: celery.example.com
- Logfile line matches: ^Warning:<*.text>on node<@.node>$
This pattern matches any message that starts with Warning and assigns too many users to text and celery.example.com to node.

For more details, see Condition Tab and Pattern Matching in Policy Rules.
Optional. If you are creating a rule of the type 'event on matched rule', set attributes for events that you want the policy to send. You can override the default event attributes here. You can also enter instructions that help operators handle the associated event (or add the name of the instruction text interface in order to retrieve event instructions from an external source) and configure actions to solve problems automatically or manually.

In text boxes, you can use indicators, policy variables, and policy parameters.

For more details, see Event Attributes Tab, Event Correlation Tab, Custom Attributes Tab, Instructions Tab, Advanced Tab, and Actions Tab.
Optional. In the Options page, configure options for local event logs, unmatched events, and pattern matching.

For more details, see Options Page.
Click Save and Close to save the policy template and exit the wizard.

UI Reference

User interface elements are described below (listed alphabetically):

Actions Tab

UI Element	Description
Automatic command Automatic command that runs when the rule is matched. For example, you could configure a log file entry policy to automatically delete the contents of `C:\Temp` when the log file contains "`The C: disk is at or near capacity.`"
Command	Command and parameters to run when the command is started for this event. The command runs on the node you specify in the Node field. If the command contains spaces, enclose it in quotation marks. Commands that are internal to the Windows command shell (for example `echo` or `move`), must be preceded by `cmd /c`.
Non Agent User	By default, the command runs as the agent user (`$AGENT_USER`). Alternatively, select Non Agent User and specify a user account and password that exists on the node: Username. Runs the command under the specified user account. The account must exist on the node. Password. Password of the specified user account. Enable Policy Parameter in password field. Enables you to enter a variable in the Password field, for example `%%password%%`. A corresponding policy parameter should exist in the Policy Parameters tab.
Node	Name of the node on which the command will be started. You can also use the variable `<$MSG_NODE_NAME>` to configure reusable policies for replicated sites.
Append output of command as annotation to the event	Adds an annotation to the event when the command completes. The annotation contains the start time, output, exit value, and finish time of the command. If a command fails, an annotation is provided even if this item is not selected.
Close the event when the command is successful	Closes the event automatically if the command is successful.
Send event immediately	Sends an event to the OMi server as soon as a local automatic command starts on the node. This is the default setting.
Wait until local command completes and then	Options that can help to reduce the amount of unnecessary network traffic to the OMi server. For example, if an automatic command solves the problem that generated the event, you may choose not to inform the OMi server. Send the event Send the event if the local command fails Send the event only if the local command is successful
Operator-initiated command Operator-initiated command that is attached to the event that the rule sends to OMi. This command can be started by the OMi user from the Event Browser. The command might be a script that requires user input to solve the problem, or instructions that appear in a Web browser.
Command	Command and parameters to run when the command is started for this event. The command runs on the node specified in the Node field. If the command contains spaces, enclose it in quotation marks. Commands that are internal to the Windows command shell (for example `echo` or `move`), must be preceded by `cmd /c`.
Non Agent User	By default, the command runs as the agent user ($AGENT_USER). Alternatively, select Non Agent User and specify a user account and password that exists on the node: Username. Runs the command under the specified user account. The account must exist on the node. Password. Password of the specified user account. Enable policy parameter in Password field. Enables you to enter a variable in the Password field, for example `%%password%%`. A corresponding policy parameter should exist in the Policy Parameters tab.
Node	Name of the node on which the command will be started. You can also use the variable `<$MSG_NODE_NAME>` to configure reusable policies for replicated sites.
Append output of command as annotation to the event	Adds an annotation to the event when the command completes. The annotation contains the start time, output, exit value, and finish time of the command. If a command fails, an annotation is provided even if this item is not selected.
Close the event when the command is successful	Closes the event automatically if the command is successful.

Advanced Tab

Note In the default event attributes, you cannot set the Event Drilldown URL attribute. You can set this event attribute within individual rules.

UI Element	Description
Event Drilldown
Event Drilldown URL	URL of the event in a third-party system. This is the complete path of the URL, and includes the FQDN (fully qualified domain name) of the computer that hosts the third-party system, the communication port, and the root URL path (for example, `http://nnmi.example.com:8004/nnm/launch?cmd=showForm&objtype =Incident&objuuid=$OPC_CUSTOM[nnm.incident.uuid]&menus=true`). Event drilldown information enables OMi users to launch the user interface of the third-party system in the context of an event. Tip To drill down to a specific event in the third-party system, add the source event ID to the URL.
OM Attributes
Application	Application that caused the event to occur. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the application attribute is a simple string-type attribute (for example, Oracle and OS).
Object	Device such as a computer, printer, or modem. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the object attribute is a simple string-type attribute (for example, `C:`, and `/dev/spool`).
Type	String used to organize different types of events within an event category or subcategory (for example, users or applications, accounts and security).
HPOM Service ID	ID of the service associated with the event. A service ID is a unique identifier for a service and can be used in OMi to identify the node and CI associated with the event.
Agent MSI
Enable Agent MSI	The message stream interface (MSI) allows external applications to interact with the internal event flow of the agent. The external application can be a read-write application, for example, an event processing program that can read events, modify attributes, and generate new events for retransmission to the server. The application could also read events, or send its own events. Divert events. Divert an event to the MSI instead of to the server when an event is requested by an external application. Copy events. Send the event to the server, and a copy of the event to the MSI. If the agent MSI is enabled in the event defaults, you can choose to apply them to or override them for this rule: Use default settings for Agent MSI. Applies the agent MSI settings configured in the event defaults to this rule. Override default settings for Agent MSI: Enables you to configure specific agent MSI settings for this policy rule.

Condition Tab

UI Element Description

Node equals

UI Element	Description
Node equals	Fully qualified domain name, node name, or IP address that the policy compares with the node in the log file line. Type a value in this field to match the log file line from a specific node. Separate multiple entries with the OR operator (\|) or leave blank to match all nodes. Example: `celery.example.com\|broccoli.example.com`
Logfile line matches	Pattern that you want the policy to compare with the log file line. Note Log file policies read each line of a log file individually. Therefore, you cannot match patterns that span multiple lines in the log file. Tip You can use standard HPE Operations Agent pattern-matching rules when matching values. Click to open the pattern matching expression toolbox. The toolbox displays the following: Pattern Matching Expressions. Click an expression to insert it in the pattern. Variable Bindings Options. Variable bindings options include case sensitivity and field separators for the rule. If you do not specify pattern matching options for the rule, either the defaults (case sensitive; a blank and the tab character as separators) or the default options set for the policy will be used.

Fully qualified domain name, node name, or IP address that the policy compares with the node in the log file line. Type a value in this field to match the log file line from a specific node.

Separate multiple entries with the OR operator (|) or leave blank to match all nodes.

Example: celery.example.com|broccoli.example.com

Logfile line matches

Pattern that you want the policy to compare with the log file line.

Note Log file policies read each line of a log file individually. Therefore, you cannot match patterns that span multiple lines in the log file.

Tip You can use standard HPE Operations Agent pattern-matching rules when matching values. Click to open the pattern matching expression toolbox. The toolbox displays the following:

Pattern Matching Expressions. Click an expression to insert it in the pattern.
Variable Bindings Options. Variable bindings options include case sensitivity and field separators for the rule. If you do not specify pattern matching options for the rule, either the defaults (case sensitive; a blank and the tab character as separators) or the default options set for the policy will be used.

Custom Attributes Tab

UI Element	Description
	Create New Custom Attribute: Creates a new custom attribute with the default name CA_n. To rename the custom attribute, double-click the name to select it and type the new name.
	Delete Custom Attribute: Deletes an existing custom attribute.
Name	The name of the custom attribute. The name is case-insensitive. Custom attributes are additional attributes that contain any information that is meaningful to you. For example, you might add a company name, contact information, or a city location to an event. You can have more than one custom attribute attached to a single event. The following custom attribute names cannot be used because they are reserved for internal use: `Description` `EtiHint` `HP_OPR_SAAS_CUSTOMER_ID` `NoDuplicateSuppression` `RelatedCiHint` `SourceCiHint` `SourcedFromExternalId` `SourcedFromExternalUrl` `SubCategory` `SubCiHint`
Value	Value of the custom attribute.

Event Attributes Tab

Note In the default event attributes, you can set only the Severity, Category, and Node attributes. You can set the other event attributes within individual rules.

UI Element	Description
Title	Brief description of the nature of the event.
Description	Detailed description of the event.
Severity	Severity assigned to the event (Critical, Major, Minor, Warning, Normal, Unknown).
Category	Name of the logical group to which the event belongs (for example, Database, Security, or Network). The event category is similar in concept to the HP Operations Manager message group.
Subcategory	Name of the logical subgroup (category) to which the event belongs (for example, Oracle (database), Accounts (security), or Routers (network)).
ETI	Contains the event type indicator (ETI) resolution hint, which OMi uses to associate the event with an ETI and for event correlation. Use the format `<ETI name>:<ETI state>:<metric value>`. Specify the name of the indicator (for example, CPULoad), the indicator state (for example, High), and, optionally, the metric value (for example, 80). When OMi receives an event with an ETI resolution hint of CPULoad:High, and the ETI and state exist, the Event Type Indicator attribute is set to CPULoad:High in the event. The metric value is optional and serves informational purposes only.
Node	Name of the system where the event occurred (for example, node.example.com).
Related CI	Contains the CI that is related to the metric (for example, oraclesid01@@node.example.com or C:@@server.example.com). Use the format `<CI 1>:<CI 2>:...:<CI n>@@<hostname>`. Best practices for related CIs It is necessary to differentiate between CIs that have a Composition relationship to a node, and those that do not have such a relationship: For “hosted on” CIs `<key attribute 1>:<key attribute 2>:<key attribute n>@@<hostname>` Typically, a “hosted on” CI is a sub-type of “Running Software”. For example, a CI of type `websphereas` has a Composition relationship to a node. For virtual CIs `<key attribute 1>:<key attribute 2>:<key attribute n>` A virtual CI does not have a strong containment relationship (Composition relationship) to node. An example of a typical virtual CI type is cluster. This CI type does not have a strong containment relationship to a node. Tip If you have problems resolving non-hosted CIs, provide the RTSM ID of the desired CI by using the format `UCMDB:<ci_uuid>`. For more information about CI resolution in OMi, see the OMi Help.
Sub Component	Information used to identify a subcomponent of a CI. This CI subcomponent is used to calculate an aggregated status within OMi's Service Health for selected CIs. If an HI is populated by events from multiple components, you can specify a component name in this field in order to ensure the correct calculation of the HI state. For example, if you have a Computer CI with two CPUs, `cpu #1` and `cpu #2`, events from both CPUs will be sent to the same `CPU Load` HI. By default, the events will override each other and create an incorrect HI state. To prevent this, you can populate Sub Component with values `"cpu #1"` and `"cpu #2"` which will cause the HI state to be calculated as an aggregated state between the two events.
Source CI	Contains the source related CI. For example, type the name and instance of the OMi server that provides events (for example, OMi@@mgmt.example.com). If you enter a source related CI, OMi tries to find the corresponding CI in the RTSM.
Source Event ID	Reserved for future use.
Send with closed status (For the Open Message Interface, SNMP Interceptor, and Scheduled Task policies)	Sets the event's lifecycle status to Closed before sending it to OMi.

Event Correlation Tab

Note The following event correlation attributes are only available in individual rules, not in the event defaults:

Close Events with Key
Suppress Deduplication on Server

UI Element	Description
Event Key	An identifier used to identify duplicates and for Close Events with Key.
Close Events with Key	If events with the event key that you type here exist in the OMi event database when this event is received, these events are automatically closed. You can use pattern matching and variables to match multiple event keys. For example, consider the following pattern: `<$MSG_SEV>:<$MSG_NODE_NAME>` This pattern is evaluated by first replacing the variables with the values that they resolve to, for example: `critical:cabbage.example.com` This pattern is then compared using pattern matching rule against the event keys for all events in the OMi event database. Any key that you provide in the policy is treated as a simplified OM pattern in OMi. Therefore a plain string is treated as a substring and not as a complete match. The key in our example will match: critical:cabbage.example.com:TEST critical:cabbage.example.com:TEST1 critical:cabbage.example.com:TEST2A and so on. To ensure that that the key matches only exact values, enclose the attribute value in an OM Pattern Expression, starting with ^ (start of line) and ending with $ (end of line), for example: ^critical:cabbage.example.com:TEST$
Suppress Deduplication on Server	Stops automatic discarding of new events that are duplicates of existing events.
Event Suppression
Enable Event Suppression	Enables event suppression for the events generated by this policy. If event suppression is enabled in the event defaults, you can choose to apply them to or override them for this rule: Use default settings for Event Suppression. Applies the event suppression settings configured in the event defaults to this rule. Override default settings for Event Suppression: Enables you to configure specific event suppression settings for this policy rule.
Suppress events which are	Generated by the same input event. Select this option to suppress events that were sent in response to two separate input events that are identical except for the date and time that the event was generated (for example, identical entries in a log file). Generated by the same rule. Select this option to suppress events that match the pattern specified for the selected rule. This is a more general setting for the suppression of duplicate events. For example, a policy might contain a rule with this match pattern: `Error Message<#>` The log file lines `Error Message10` and `Error Message20` are not identical, but would both match this rule. Identical relative to their attributes. Select this option to suppress either events that have the same event key or (if no event key is present) events that have identical event attributes (except for the date and time that the event was generated).
Suppression Method	For event correlation, you can define one of three correlation methods: Time Interval. This correlation method lets you define an interval during which duplicate events will be ignored. For more information, read this detailed example. Time interval correlation example In the illustration below, the interval is set to 30 seconds, but the suppression is limited to 60 seconds. The represents events that are identical. The first input event (E1) matches a rule in the policy. The policy sends an event and starts timing. A second matching event (E2) occurs 25 seconds later. This event occurred less than 30 seconds after the first event, and is therefore suppressed. A third matching event (E3 ) occurs less than 30 seconds after the second event, and so is also suppressed. The next matching event (E4) occurs less than thirty seconds after the third event, but is also more than 60 seconds after the first event, and therefore the policy sends an event. Counter. This correlation method counts the number of matching input events and sends an event only after the number of matching input events equals the counter threshold. The counter can also be reset to zero after a time period that you specify. For more information, read this detailed example. Counter correlation example The represent events that are identical. The first input event (E1) matches a rule in the policy, and the counter increments to one. No event is sent. A second matching event (E2 ) occurs, the counter increments to two, an event is sent, and the counter resets. A third matching event (E3 ), and the counter increments to one. No event is sent. The next matching event (E4) occurs more than thirty seconds after the third event. Since at thirty seconds the counter was reset to zero, the counter now increments to one. No event is sent. Time Interval/Counter. If you use the Time interval and Counter together, events are evaluated first by the timer. If an event passes the timer, it is then evaluated by the counter, which either suppresses it or sends an event to OMi.
Time Interval	Time interval during which duplicate events are ignored. To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds. To insert a parameter in a time field, type the parameter in the format `%%<VariableName>%%` or drag and drop the parameter from the Policy Parameters tab. When dropping a numeric parameter in a time field, the policy editor appends an `s` to the parameter to indicate that the parameter specifies the time in seconds (for example, `%%interval%%s`).
Suppress for no longer than	Time interval after which duplicate events are no longer ignored. To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds. To insert a parameter in a time field, type the parameter in the format `%%<VariableName>%%` or drag and drop the parameter from the Policy Parameters tab. When dropping a numeric parameter in a time field, the policy editor appends an `s` to the parameter to indicate that the parameter specifies the time in seconds (for example, `%%interval%%s`).
Counter threshold	Value that triggers an event if met or crossed.
Reset counter threshold after	Time interval after which the counter is reset to 0. To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds. To insert a parameter in a time field, type the parameter in the format `%%<VariableName>%%` or drag and drop the parameter from the Policy Parameters tab. When dropping a numeric parameter in a time field, the policy editor appends an `s` to the parameter to indicate that the parameter specifies the time in seconds (for example, `%%interval%%s`).

Indicators Tab

UI Element	Description
	Refresh. Loads the configured indicators from the OMi server. Note Loading indicators from the OMi server may take a few seconds.
<Search …>	Entered search string is used to search the indicators and highlight only the indicators containing the specified string. To search for indicators with specific text strings in the name, type the string in the <Search …> field and click the button. The first matching indicator is selected in the list of rules. Click the and buttons to move to the previous and next matching indicator.
<Indicators>	Hierarchy of configuration item types with associated health indicators (HIs), which are applicable for the event integration only, and event type indicators (ETIs). To insert an indicator with a state in a policy, drag and drop the indicator from the Indicators tab to the relevant field in the policy.

UI Element

Description

Refresh. Loads the configured indicators from the OMi server.

Note Loading indicators from the OMi server may take a few seconds.

Entered search string is used to search the indicators and highlight only the indicators containing the specified string.

To search for indicators with specific text strings in the name, type the string in the <Search …> field and click the button. The first matching indicator is selected in the list of rules. Click the and buttons to move to the previous and next matching indicator.

Hierarchy of configuration item types with associated health indicators (HIs), which are applicable for the event integration only, and event type indicators (ETIs). To insert an indicator with a state in a policy, drag and drop the indicator from the Indicators tab to the relevant field in the policy.

Instructions Tab

Specify if you want the instructions to accompany the event.

Events generated by a policy can include instructions that explain what to do when the event is generated. This instruction text can often help an operator to solve a problem when a particular type of event is received. The operator can view the instructions included with an event by checking the Event Details pane in the Event Browser. You can define default instructions for all rules in a policy. You can also override the default with different instructions for any rule.

UI Element	Description
Type	You can select one of the following options from the Type drop-down list: Use defaults. Select if you do not want to use instructions that accompany the event. Instruction Text. Select if you want to add the instruction text to accompany the event. Enter the text directly in the Instruction Text field. Note that you can type URLs in the text. The Event Browser automatically converts them into clickable hyperlinks. For example, you can add URLs of external websites, support sites, documentation repositories, troubleshooting information, and similar. To add a link, type any URL that begins with one of the following URI scheme names: `http://` `https://` `ftp://` `ftps://` `mailto:` `telnet://` `file://` You can also just type the address of any website that begins with `www.`. Instruction Text Interface. Select if you want to use the external instructions interface to generate instructions. Type the name of the external instructions interface in the Interface name field and enter Parameters that will be passed to the instruction text interface upon the instruction text retrieval (these parameters will get resolved by the agent before the message is sent to the server). In Parameters, you can enter a policy variable or a policy parameter configured for this policy template (note that you can also enter a parameter as a value in the Interface name field). Supported policy variables include (but are not limited to): `<$MSG_APPL>`: Returns the name of the application associated with the event. `<$MSG_NODE>`: Returns the IP address of the node on which the original event took place. `<$MSG_NODE_NAME>`: Returns the hostname of the node on which the original event took place (this is the hostname that the agent resolves for the node). `<$MSG_ID>`: Returns the unique identity number of the event. `<$MSG_SEV>`: Returns the default value for the event severity. `<$MSG_TEXT>`: Returns the full text of the event. A list of supported variables is available in the Policy Variables tab. For a complete list of HPOM variables and their descriptions, see the HPOM documentation.

UI Element

Description

Type

You can select one of the following options from the Type drop-down list:

Use defaults. Select if you do not want to use instructions that accompany the event.
Instruction Text. Select if you want to add the instruction text to accompany the event. Enter the text directly in the Instruction Text field.

Note that you can type URLs in the text. The Event Browser automatically converts them into clickable hyperlinks. For example, you can add URLs of external websites, support sites, documentation repositories, troubleshooting information, and similar.

To add a link, type any URL that begins with one of the following URI scheme names:
- http://
- https://
- ftp://
- ftps://
- mailto:
- telnet://
- file://
You can also just type the address of any website that begins with www..
Instruction Text Interface. Select if you want to use the external instructions interface to generate instructions. Type the name of the external instructions interface in the Interface name field and enter Parameters that will be passed to the instruction text interface upon the instruction text retrieval (these parameters will get resolved by the agent before the message is sent to the server).

In Parameters, you can enter a policy variable or a policy parameter configured for this policy template (note that you can also enter a parameter as a value in the Interface name field). Supported policy variables include (but are not limited to):
- <$MSG_APPL>: Returns the name of the application associated with the event.
- <$MSG_NODE>: Returns the IP address of the node on which the original event took place.
- <$MSG_NODE_NAME>: Returns the hostname of the node on which the original event took place (this is the hostname that the agent resolves for the node).
- <$MSG_ID>: Returns the unique identity number of the event.
- <$MSG_SEV>: Returns the default value for the event severity.
- <$MSG_TEXT>: Returns the full text of the event.
A list of supported variables is available in the Policy Variables tab. For a complete list of HPOM variables and their descriptions, see the HPOM documentation.

Options Page

UI Element

Description

Options in events policies:

Options in metrics policies:

Options in events and metrics policies:

Pattern Matching Options

Defines case sensitivity and field separators for all rules.

Case sensitive check

Defines whether the case (uppercase or lowercase) of a text string is considered when the pattern of a rule is compared with the source data. When switched on, a match only occurs if the use of uppercase and lowercase letters is exactly the same in both the source data and the pattern. This is the default setting.

Field Separators

Defines which characters should be considered to be field separators. Field separators are used in the pattern as separator characters for the rule condition. You can define up to seven separators, including these special characters:

\n New line (NL)
\t Horizontal tab (HT)
\v Vertical tab (VT)
\b Backspace (BS)

\r Carriage return (CR)
\f Form feed (FF)
\a Alert (BEL)
\\ Backslash (\)

For example, if you wanted a backslash, an asterisk, and the letter A to define the fields in the event, you would type \\*A (with no spaces separating the characters).

If you leave this box empty, the default separators (a blank and the tab character) are used by default.

You can set case sensitivity and separator characters for individual rules in a policy by clicking the button in rule's match condition.

Apply to All

Applies the pattern matching options to all existing rules in a policy. This overwrites any modifications made to the pattern matching options in individual rules.

If you change the pattern matching options and do not click Apply to all, they only apply to all new rules in a policy.

Policy Data Page

UI Element	Description
	Load From Local File System: Click to open the Select file to upload dialog box. Use the dialog box to upload a policy file. Policy files are data files and their filenames end in `_data`.
	Save To Local File System: Click to download the policy to a policy data file on your system. You can then update the policy more comfortably in an editor of your choice. After completing your changes to the policy, upload the policy data file by clicking the Load From Local File System button. The policy editor automatically asks you to download policies that exceed 1 MB in file size.
	Check Syntax: Validates the syntax of the policy data. If the policy syntax is incorrect, the validation tool reports an error and points to the corresponding line and position of the unexpected token (for example the incorrect keyword).
<policy data>	Policy data in text form. The data uses the HPE Operations Agent policy syntax. The policy editor highlights the policy syntax. If the policy exceeds 1,000 lines, syntax highlighting is automatically disabled. If the policy exceeds 1 MB in file size, the policy editor automatically asks you to download the policy to a file.

Policy Parameters Tab

UI Element	Description
	Create Parameter: Open the Create Parameter dialog box.
	Edit Parameter: Open the Edit Parameter dialog box.
	Delete Parameter: Delete the selected parameter from the list.
	Synchronize Parameters: Check the policy template to make sure that variables in the format `%%<variable_name>%%` have corresponding parameters. Each variable should have one corresponding parameter. Also checks for unused parameters, for which no corresponding variable exists in the policy template. If any missing or unused parameters exist, the Synchronize Parameters dialog box opens. Read the summary, and then click Change or Ignore. If you click Change, the missing parameters are automatically created, and unused parameters are automatically deleted.
<Parameters>	List of parameters configured for this policy template. Parameters enable you to create policy templates that other users can easily customize. Each parameter corresponds to a variable in a policy template. A parameter gives consumers of a policy template the opportunity to specify the value of a variable, without having to modify the policy template themselves. To insert a parameter, drag the parameter from the Policy Parameters tab to any text field within a condition or an event definition in a policy template. Alternatively, type the parameter in the text box using the format `%%<variable_name>%%` (for example `%%CriticalThreshold%%`). An icon represents the type of parameter value, which can be one of the following: Enumeration (of several options) Number Password String

Policy Rules List

UI Element	Description

	Copy Rule. Copies the selected rule. You can then rewrite the description of the copied rule and edit the rule.
	Delete Rule. Deletes the selected rule.
	Move Up. Moves the selected rule higher in the rule order.
	Move Down. Moves the selected rule lower in the rule order.
<Move to>	Entered number is used to select the rule with that sequence number in the list of rules. To select a specific rule in the rule list, type the rule's sequence number in the <Move to> field and click the button.
<Search Rules>	Entered search string is used to search the rule descriptions and highlight only the rules containing the specified string. To search for rules with specific text strings in the rule description, type the string in the <Search rules> field and click the button. The first matching rule is selected in the list of rules. Click the and buttons to move the previous and next matching rule.
	Activate/Deactivate Rule Filter. Activates and deactivates the rule filter.
Seq.	Sequence number of the rules. Rules are evaluated in a specific order. When one condition is matched, no additional rules are evaluated.
Rule Description	Description of the rule. It is good practice to use a description that helps you remember what the rule does.
Rule Type	Options in events policies: Options in metrics policies: You can change the rule type by clicking the current rule type in the list of rules and selecting another rule type from the drop-down list.

Policy Variables Tab

You can use the following variables in log file entry policies. If a variable returns values that contain spaces, surround the variable with quotation marks.

Policy Variables Tab for Database and REST Web Service Policies (Events only)

Variable	Description
`<$MSG_NODE>`	Returns the IP address of the node on which the original event took place. Sample output: `192.168.1.123`
`<$MSG_NODE_NAME>`	Returns the name of the node on which the original event took place. This is the hostname that the agent resolves for the node. This variable is not fixed, however, and can be changed by a policy on a per-event basis.
`<$MSG_TEXT>`	Returns the full text of the event. Sample output: `SU 03/19 16:13 + ttyp7 bill-root`

Policy Variables Tab for XML File and Structured Log File Policies (Events only)

Variable	Description
`<$MSG_NODE>`	Returns the IP address of the node on which the original event took place. Sample output: `192.168.1.123`
`<$MSG_NODE_NAME>`	Returns the name of the node on which the original event took place. This is the hostname that the agent resolves for the node. This variable is not fixed, however, and can be changed by a policy on a per-event basis.
`<$MSG_TEXT>`	Returns the full text of the event. Sample output: `SU 03/19 16:13 + ttyp7 bill-root`

Policy Variables Tab for Open Message Interface, Scheduled Task, and SNMP Interceptor Policies (Events only)

Variable	Description
`<$MSG_NODE>`	Returns the IP address of the node on which the original event took place. Sample output: `192.168.1.123`
`<$MSG_NODE_NAME>`	Returns the name of the node on which the original event took place. This is the hostname that the agent resolves for the node. This variable is not fixed, however, and can be changed by a policy on a per-event basis.
`<$MSG_TEXT>`	Returns the full text of the event. Sample output: `SU 03/19 16:13 + ttyp7 bill-root`

Policy Variables Tab for All Policy Types (Metrics only)

Variable	Description
`<$MSG_GEN_NODE>`	Returns the IP address of the node that sends the event. Sample output: `192.168.1.123`. Note On agents that run in an AIX Workload Partition (WPAR), `<$MSG_GEN_NODE>` returns the IP address of the global environment. To configure the agent to return the WPAR's IP address for this variable, set the parameter OPC_IP_ADDRESS in the eaagt namespace to the IP address of the WPAR.
`<$MSG_GEN_NODE_NAME>`	Returns the host name of the node that sends the event. Sample output: `node123.example.com`.

Properties Page

UI Element	Description
Name	Name of the policy. You can use spaces in the name. The equal sign (=) is not allowed. The name is set when the policy is created and cannot be changed in new versions of a policy.
Description	Description of what the policy does. You might also add other notes (for example, data sources that are used).
Template ID	GUID (globally unique identifier) assigned to the policy template when it is first created.
Version ID	GUID (globally unique identifier) assigned to this version of the policy template when it is saved. Each version of a policy template has a unique ID.
Version	The current version of the policy. If you modify an existing policy, you create a new version of the policy in the database with a unique version number. By default, the minor version number increases by one automatically after you modify the policy and save it. If you want to save the policy with a specific version number, you can select the major or minor version number that you want. It is not possible to replace an existing version of a policy. However, you can delete a specific version of a policy. Note If you modify a policy template that is part of an HPE Operations Manager i Management Pack, increase the minor version number only. The next version of the Management Pack normally uses the next major version number.
Change Log	Text that describes what is new or modified in this version of the policy.
Last Modification	The date and time that the policy was saved. The date and time displays using the current time zone of the computer on which the Web browser runs. The language setting of the Web browser determines the date and time format (for example, `09/14/2010 8:16:38 AM` for English (United States)). If the Web browser and the computer on which the server run have different language settings, the language setting of the Web browser takes precedence. However, English is the default language if the Web browser is configured to use a language that is not available on the server.
Last Modified by	The name of the user active when the policy was saved.
Instrumentation	Instrumentation selected for this policy. Instrumentation consists of one or more programs (for example scripts or executable files) that some policies may require to complete a configuration or monitoring task. Instrumentation is deployed to nodes that have HPE Operations Agent installed when the policy is deployed. Instrumentations are unavailable if they are grayed out and their names end with "(Placeholder)". Upload them by using the Content Manager.
OS Types	Types of operating system with which this policy is compatible. To enable platform neutrality, you can create several platform specific variations of the same policy, and include them all in one aspect. OMi ensures that a policy is deployed only to host nodes that have the operating systems that you specify. If you leave all the OS type check boxes clear, the policy can be deployed to host nodes with any operating system.

Source Page

UI Element Description

Log File Path / Name

Path and name of the log file that the policy reads. Type the drive letter and the full path for the location of this file on the node.

You can use the following configurations to make your policy more flexible:

Windows environment variables (for example, winnt or clusterlog). The syntax for these variables is <$variablename>, for example <$winnt>.
Script or command that returns the path and name of the log file you want to access. For example, type <`command`> where command is the name of a script that returns the path and name of the log file you want the policy to read.

The command can also return more than one log file path separated by spaces. The HPE Operations Agent processes each of the files using the same options and conditions as configured for this policy. This is very useful when you want to dynamically determine the log file path or process multiple instances of a log file.

Caution You must ensure that the log file can be processed. For example, log files that contain binary data cannot be read by the policy and may cause the policy to stop responding or even quit. If your log files contain binary data, use log file preprocessing to preprocess your files.

Preprocessing If you want to reformat an original log file before the agent reads it, you can preprocess it using a command or program that you provide. For example, you can preprocess a binary log file to produce a text file in a format that the agent can then read.

File to be executed

Path and name with extension of the command or program that preprocesses the log file. The file that you specify must exist on the node.

If Log File Path \ Name is empty, the agent runs the command at the polling interval that you specify. If Log File Path \ Name contains the path of a log file, the agent runs the command at the specified polling interval only if the log file has changed.

File to be read

Path of the log file that the preprocessing command creates or updates.

If you specify a path in File to be read, the agent reads this log file. If you leave File to be read empty, the agent reads the log file that you specify in Log File Path \ Name instead.

Polling Interval

Determines how often the policy reads the log file (in days, hours, minutes, and seconds). This period of time is the polling interval. The larger polling interval is set, the less performance is needed. However, more memory is used (this depends on the amount of the data in the log file). Setting the polling interval below 30 seconds is not recommended, the default setting is usually appropriate.

Note that a policy begins to evaluate data after the first polling interval passes, unless the Read from beginning (first time) or Read from beginning (always) radio button is selected, which results in evaluation of the first data at the policy activation. A shorter polling interval is better when you are testing a policy.

To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds.

To insert a parameter in a time field, type the parameter in the format %%<VariableName>%% or drag and drop the parameter from the Policy Parameters tab. When dropping a numeric parameter in a time field, the policy editor appends an s to the parameter to indicate that the parameter specifies the time in seconds (for example, %%interval%%s).

Default value: 5 minutes

Note Make sure that you set this value to a minimum of 15 seconds to be able to save the policy.

Logfile Character Set

Name of the character set used by the log file that the policy reads.

Note It is important to choose the correct character set. If the character set that the policy is expecting does not match the character set in the log file, pattern matching may not work, and the event details can have incorrect characters or be truncated in OMi. If you are unsure of which character set is used by the log file that the policy reads, consult the documentation of the program that writes the file.

Default value: UTF-8

Send event if log file does not exist

The agent sends an event if the specified log file does not exist.

Default value: not selected

Close after reading

If you select this option, the file handle of the log file closes and reopens again after the polling interval. The log file is read from the last position. If this file had a rollover in the meantime, it is read from the beginning. If the name of the log file changes, and a new file was started in the meantime, the policy continues to read the new log file and the original log file data is lost.

If you do not select this option, the file handle remains and is read entirely each time, unless there is a newer file with the same name (or name pattern). In that case the original log file is read to the end, and then the newer file is read. Therefore, no data is lost.

Consider the following example: a policy reads the log file system.log.While there is still some unread data in the system.log file, it is renamed to systemMonday.log, and a new version of the system.log file is written.

In case this option is selected, the unread data from the systemMonday.log file remains unread and the system.log file is read entirely.

In case this option is not selected, the unread data from the new system.log file is read after the reading of the systemMonday.log file is completed.

Default value: not selected

Read Mode

The read mode of a log file policy indicates whether the policy processes the entire file or only new entries.

Read from last position. The policy reads only new—appended—entries written in the log file while the policy is activated. If the file decreases in size between readings, then the entire file is read. Entries that are added to the file when the policy is disabled are not processed by the policy.

Choose this option if you are concerned only with entries that occur when the policy is enabled.

Advantage: No chance of reading the same entry twice. (Unless the file decreases in size because some entries were deleted.)

Disadvantage: Entries written to file while the policy is disabled or the agent is not running are not processed by the policy.

Read from beginning (first time). The policy reads the complete log file each time the policy is activated or the agent restarts. This ensures that all entries in the file are compared with the rules in the policy. Each successive time that the policy reads the file, only new (appended) entries in the file are processed.

Choose this option if you want to ensure that every existing and future entry in the file is processed by the policy while it is activated.

Advantage: Every existing and future entry in the file will be processed by the policy.

Disadvantage: Duplicate entries can occur if an activated policy is deactivated and reactivated, or if the agent stops and restarts.

Read from beginning (always). The policy reads the complete log file every time it detects that the file has changed. The policy scans the file at the specified polling interval. If no change is detected, the file is not processed. Any entries overwritten while the agent is not running or the policy is deactivated will not be evaluated by the policy.

Choose this option if the policy reads a file that is overwritten, rather than appended.

Advantage: Ensures that files that are overwritten are correctly processed.

Disadvantage: Only valid for files that are overwritten, rather than appended.

Note Every policy reads the same log files independently from any other policies. This means, for example, that if "Policy 1" with read mode Read from beginning (first time) is activated and "Policy 2" with the same read mode already exists, "Policy 1" still reads the entire file after it has been activated.

Default value: Read from last position

Send Help Center feedback