Configure Log File Entry Policies
Log file entry policies enable you to monitor log files for entries that match specific rules. You can configure policies to create events and launch commands whenever a log file entry matches one of your rules.
- Open the Policy Templates manager:
  Administration > Monitoring > Policy Templates
  Alternatively, click Policy Templates.
- In the Policy Template Groups pane, expand Policy Management > Templates grouped by type > Events.
- Click the Logfile Entry folder, and then do one of the following:
  - To add a new policy template, in the Policy Templates pane, click the New Item button, and then click the Add New Policy Template... or the Add New Policy Template (Raw Mode) button.
    The New Logfile Entry Template Editor opens.
  - To edit an existing policy template, click the policy template in the Policy Templates pane, click the Edit Item button, and then click the Edit Policy Template or the Edit Policy Template (Raw Mode) button.
    The Edit Logfile Entry Template Editor opens.
Tip: You can also access the policy editor from the Edit Aspect dialog box (see —Policy Templates).
Tasks
- In the Log File Entry Policy Editor, in the Properties page, type a Name for the policy.
  Optional. Provide a description of the policy (Description), select the instrumentation that will be deployed with the policy onto the host system where the agent is running (Instrumentation), and select the operating systems with which the policy is compatible (OS Types).
  For more information, see Properties Page.
- In the Source page, define the log file that the policy reads (for example, the path and name of the log file).
  - In Log File Path / Name, type the full path to the log file on nodes.
  - Optional. Preprocess the log file.
    If you want to reformat an original log file before the agent reads it, you can preprocess it using a command or program that you provide. For example, you can preprocess a binary log file to produce a text file in a format that the agent can then read.
    To preprocess a log file:
    - Select the Preprocessing check box.
    - In File to be executed, type the complete path and extension of the command or program that preprocesses the log file. The file that you specify must exist on the node.
      If Log File Path / Name is empty, the agent runs the command at the polling interval that you specify. If Log File Path / Name contains the path of a log file, the agent runs the command at the specified polling interval only if the log file has changed.
    - Optional. In File to be read, type the full path of the log file that the preprocessing command creates or updates.
      If you specify a path in File to be read, the agent reads this log file. If you leave File to be read empty, the agent reads the log file that you specify in Log File Path / Name instead.
  - Click Logfile Character Set and select the character set of the log file that you want to monitor.
  For more details, see Source Page.
- Optional. In the Defaults page, set default attributes for all events that a policy sends. The event defaults only affect new rules. You can override the defaults for individual rules.
  Note: You can set defaults for only a subset of event attributes. You can set the other event attributes within individual rules.
  In text boxes, you can use indicators, policy variables, and policy parameters.
  For more details, see Event Attributes Tab, Event Correlation Tab, Instructions Tab, and Advanced Tab.
- In the Rules page, define one or more policy rules.
  - In the Policy Rules list, click the button, and then click one of the following options:
    - Event on matched rule: Use this option if you want to send an event to OMi when the conditions are met.
    - Suppress on matched rule: Use this option if you want to stop processing the policy when the conditions that you specify are met.
    - Suppress on unmatched rule: Use this option if you want to stop processing the policy when the conditions that you specify are not met.
  - Click the Rule Description and type a brief description of the rule.
    For more details, see Policy Rules List.
  - In Rule Content, use the Condition tab to specify a string that the policy searches for in the log file that the policy monitors.
    You can enter pattern matching expressions and policy parameters in the text boxes.
    For example, set these conditions to match the following log file line:
    Warning: too many users on node celery.example.com
    - Node equals: celery.example.com
    - Logfile line matches: ^Warning:<*.text>on node<@.node>$
    This pattern matches any message that starts with Warning and assigns "too many users" to text and "celery.example.com" to node.
    For more details, see Condition Tab and Pattern Matching in Policy Rules.
  - Optional. If you are creating a rule of the type 'event on matched rule', set attributes for events that you want the policy to send. You can override the default event attributes here. You can also enter instructions that help operators handle the associated event (or add the name of the instruction text interface in order to retrieve event instructions from an external source) and configure actions to solve problems automatically or manually.
    In text boxes, you can use indicators, policy variables, and policy parameters.
    For more details, see Event Attributes Tab, Event Correlation Tab, Custom Attributes Tab, Instructions Tab, Advanced Tab, and Actions Tab.
- Optional. In the Options page, configure options for local event logs, unmatched events, and pattern matching.
  For more details, see Options Page.
- Click Save and Close to save the policy template and exit the wizard.
UI Reference
User interface elements are described below (listed alphabetically):
UI Element | Description |
---|---|
Automatic command | Automatic command that runs when the rule is matched. |
Command | Command and parameters to run when the command is started for this event. The command runs on the node you specify in the Node field. If the command contains spaces, enclose it in quotation marks. Commands that are internal to the Windows command shell (for example echo or move) must be preceded by cmd /c. |
Non Agent User | By default, the command runs as the agent user ( |
Node | Name of the node on which the command will be started. You can also use the variable |
Append output of command as annotation to the event | Adds an annotation to the event when the command completes. The annotation contains the start time, output, exit value, and finish time of the command. If a command fails, an annotation is provided even if this item is not selected. |
Close the event when the command is successful | Closes the event automatically if the command is successful. |
Send event immediately | Sends an event to the OMi server as soon as a local automatic command starts on the node. This is the default setting. |
Wait until local command completes and then | Options that can help to reduce the amount of unnecessary network traffic to the OMi server. For example, if an automatic command solves the problem that generated the event, you may choose not to inform the OMi server. |
Operator-initiated command | Operator-initiated command that is attached to the event that the rule sends to OMi. This command can be started by the OMi user from the Event Browser. The command might be a script that requires user input to solve the problem, or instructions that appear in a Web browser. |
Command | Command and parameters to run when the command is started for this event. The command runs on the node specified in the Node field. If the command contains spaces, enclose it in quotation marks. Commands that are internal to the Windows command shell (for example echo or move) must be preceded by cmd /c. |
Non Agent User | By default, the command runs as the agent user ($AGENT_USER). Alternatively, select Non Agent User and specify a user account and password that exists on the node: |
Node | Name of the node on which the command will be started. You can also use the variable |
Append output of command as annotation to the event | Adds an annotation to the event when the command completes. The annotation contains the start time, output, exit value, and finish time of the command. If a command fails, an annotation is provided even if this item is not selected. |
Close the event when the command is successful | Closes the event automatically if the command is successful. |
Note In the default event attributes, you cannot set the Event Drilldown URL attribute. You can set this event attribute within individual rules.
UI Element | Description |
---|---|
Event Drilldown | |
Event Drilldown URL | URL of the event in a third-party system. This is the complete path of the URL, and includes the FQDN (fully qualified domain name) of the computer that hosts the third-party system, the communication port, and the root URL path (for example, Event drilldown information enables OMi users to launch the user interface of the third-party system in the context of an event. Tip: To drill down to a specific event in the third-party system, add the source event ID to the URL. |
OM Attributes | |
Application | Application that caused the event to occur. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the application attribute is a simple string-type attribute (for example, Oracle and OS). |
Object | Device such as a computer, printer, or modem. Unlike the Related CI attribute, which is a direct relationship to a CI in the RTSM, the object attribute is a simple string-type attribute (for example, |
Type | String used to organize different types of events within an event category or subcategory (for example, users or applications, accounts and security). |
HPOM Service ID | ID of the service associated with the event. A service ID is a unique identifier for a service and can be used in OMi to identify the node and CI associated with the event. |
Agent MSI | |
Enable Agent MSI | The message stream interface (MSI) allows external applications to interact with the internal event flow of Divert events. Divert an event to the MSI instead of to the server when an event is requested by an external application. Copy events. Send the event to the server, and a copy of the event to the MSI. If the agent MSI is enabled in the event defaults, you can choose to apply them to or override them for this rule: Use default settings for Agent MSI: Applies the agent MSI settings configured in the event defaults to this rule. Override default settings for Agent MSI: Enables you to configure specific agent MSI settings for this policy rule. |
UI Element | Description |
---|---|
Create New Custom Attribute | Creates a new custom attribute with the default name CA_n. To rename the custom attribute, double-click the name to select it and type the new name. |
Delete Custom Attribute | Deletes an existing custom attribute. |
Name | The name of the custom attribute. The name is case-insensitive. Custom attributes are additional attributes that contain any information that is meaningful to you. For example, you might add a company name, contact information, or a city location to an event. You can have more than one custom attribute attached to a single event. The following custom attribute names cannot be used because they are reserved for internal use: |
Value | Value of the custom attribute. |
The Defaults page enables you to set default attributes for all events that a policy sends. The event defaults only affect new rules. You can override the defaults for individual rules.
For more details, see Event Attributes Tab, Event Correlation Tab, Instructions Tab, and Advanced Tab.
Note In the default event attributes, you can set only the Severity, Category, and Node attributes. You can set the other event attributes within individual rules.
UI Element | Description |
---|---|
Title | Brief description of the nature of the event. |
Description | Detailed description of the event. |
Severity | Severity assigned to the event (Critical, Major, Minor, Warning, Normal, Unknown). |
Category | Name of the logical group to which the event belongs (for example, Database, Security, or Network). The event category is similar in concept to the HP Operations Manager message group. |
Subcategory | Name of the logical subgroup (category) to which the event belongs (for example, Oracle (database), Accounts (security), or Routers (network)). |
ETI | Contains the event type indicator (ETI) resolution hint, which OMi uses to associate the event with an ETI and for event correlation. Use the format |
Node | Name of the system where the event occurred (for example, node.example.com). |
Related CI | Contains the CI that is related to the metric (for example, oraclesid01@@node.example.com or C:@@server.example.com). Use the format Best practices for related CIs: It is necessary to differentiate between CIs that have a Composition relationship to a node, and those that do not have such a relationship: For more information about CI resolution in OMi, see the OMi Help. |
Sub Component | Information used to identify a subcomponent of a CI. This CI subcomponent is used to calculate an aggregated status within OMi's Service Health for selected CIs. If an HI is populated by events from multiple components, you can specify a component name in this field in order to ensure the correct calculation of the HI state. For example, if you have a Computer CI with two CPUs, |
Source CI | Contains the source related CI. For example, type the name and instance of the OMi server that provides events (for example, OMi@@mgmt.example.com). If you enter a source related CI, OMi tries to find the corresponding CI in the RTSM. |
Source Event ID | Reserved for future use. |
Send with closed status (For the Open Message Interface, SNMP Interceptor, and Scheduled Task policies) | Sets the event's lifecycle status to Closed before sending it to OMi. |
Note The following event correlation attributes are only available in individual rules, not in the event defaults:
- Close Events with Key
- Suppress Deduplication on Server
UI Element | Description |
---|---|
Event Key | An identifier used to identify duplicates and for Close Events with Key. |
Close Events with Key | If events with the event key that you type here exist in the OMi event database when this event is received, these events are automatically closed. You can use pattern matching and variables to match multiple event keys. For example, consider the following pattern: This pattern is evaluated by first replacing the variables with the values that they resolve to, for example: This pattern is then compared, using pattern matching rules, against the event keys for all events in the OMi event database. Any key that you provide in the policy is treated as a simplified OM pattern in OMi. Therefore a plain string is treated as a substring and not as a complete match. The key in our example will match critical:cabbage.example.com:TEST, critical:cabbage.example.com:TEST1, critical:cabbage.example.com:TEST2A, and so on. To ensure that the key matches only exact values, enclose the attribute value in an OM Pattern Expression, starting with ^ (start of line) and ending with $ (end of line), for example: ^critical:cabbage.example.com:TEST$ |
Suppress Deduplication on Server | Stops automatic discarding of new events that are duplicates of existing events. |
Event Suppression | |
Enable Event Suppression | Enables event suppression for the events generated by this policy. If event suppression is enabled in the event defaults, you can choose to apply them to or override them for this rule: Use default settings for Event Suppression: Applies the event suppression settings configured in the event defaults to this rule. Override default settings for Event Suppression: Enables you to configure specific event suppression settings for this policy rule. |
Suppress events which are | |
Suppression Method | For event correlation, you can define one of three correlation methods: |
Time Interval | Time interval during which duplicate events are ignored. To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds. To insert a parameter in a time field, type the parameter in the format |
Suppress for no longer than | Time interval after which duplicate events are no longer ignored. To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds. To insert a parameter in a time field, type the parameter in the format |
Counter threshold | Value that triggers an event if met or crossed. |
Reset counter threshold after | Time interval after which the counter is reset to 0. To modify the time, click the button and use the drop-down lists to specify increments of days, hours, minutes, or seconds. To insert a parameter in a time field, type the parameter in the format |
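The following Python sketch is an added example, not OMi code. It approximates only the two pattern tokens this page shows (<*.var> and <@.var>) plus the ^ and $ anchors, and uses them to reproduce both the rule pattern from the Rules step and the substring behaviour of Close Events with Key described above. Assumptions: field separators around a token are skipped so that the result agrees with the assignment the page states, and the last entry in OPEN_KEYS is a constructed sample.

```python
import re

# Added illustration, not OMi code: approximates only the two OM pattern
# tokens that appear on this page, <*.var> and <@.var>, plus ^ and $.
TOKEN = re.compile(r"<([*@])(?:\.(\w+))?>")
DEFAULT_SEPARATORS = " \t"  # page: blank and tab are the default separators


def compile_om_pattern(pattern, separators=DEFAULT_SEPARATORS, case_sensitive=True):
    """Translate the supported subset of an OM pattern into a Python regex."""
    separators = separators or DEFAULT_SEPARATORS  # empty box -> defaults
    sep_class = "".join(re.escape(c) for c in separators)
    skip = f"[{sep_class}]*"  # assumption: separators around a token are skipped
    at_start, at_end = pattern.startswith("^"), pattern.endswith("$")
    body = pattern[1:] if at_start else pattern
    body = body[:-1] if at_end else body
    parts, pos = [], 0
    for tok in TOKEN.finditer(body):
        parts.append(re.escape(body[pos:tok.start()]))  # literal text, dots included
        kind, name = tok.groups()
        if kind == "*":  # any string; greedy only when nothing follows it
            inner = ".*" if tok.end() == len(body) else ".*?"
        else:            # "@": one or more non-separator characters
            inner = f"[^{sep_class}]+"
        group = f"(?P<{name}>{inner})" if name else f"(?:{inner})"
        parts.append(skip + group + skip)
        pos = tok.end()
    parts.append(re.escape(body[pos:]))
    regex = (r"\A" if at_start else "") + "".join(parts) + (r"\Z" if at_end else "")
    return re.compile(regex, 0 if case_sensitive else re.IGNORECASE)


def match_line(pattern, line, **options):
    """Return the variables a rule pattern assigns, or None if there is no match."""
    m = compile_om_pattern(pattern, **options).search(line)
    return m.groupdict() if m else None


def keys_closed_by(close_key, open_event_keys):
    """Event keys that a Close Events with Key value would match.

    An unanchored key is searched for as a substring, as the page describes.
    """
    rx = compile_om_pattern(close_key)
    return [k for k in open_event_keys if rx.search(k)]


LINE = "Warning: too many users on node celery.example.com"  # from the page
RULE = "^Warning:<*.text>on node<@.node>$"                    # from the page
OPEN_KEYS = [
    "critical:cabbage.example.com:TEST",    # from the page
    "critical:cabbage.example.com:TEST1",   # from the page
    "critical:cabbage.example.com:TEST2A",  # from the page
    "critical:cabbage.example.com:PROD",    # constructed sample
]

if __name__ == "__main__":
    print("rule variables:     ", match_line(RULE, LINE))
    # Adding "." to the field separators stops <@.node> from spanning an FQDN.
    print("with '.' separator: ", match_line(RULE, LINE, separators=" ."))
    print("unanchored key closes:", keys_closed_by(OPEN_KEYS[0], OPEN_KEYS))
    print("anchored key closes:  ", keys_closed_by("^" + OPEN_KEYS[0] + "$", OPEN_KEYS))
```

Running it shows the unanchored key selecting three of the four open events, while the anchored form selects exactly one.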
UI Element | Description |
---|---|
Refresh | Loads the configured indicators from the OMi server. Note: Loading indicators from the OMi server may take a few seconds. |
<Search …> | Entered search string is used to search the indicators and highlight only the indicators containing the specified string. To search for indicators with specific text strings in the name, type the string in the <Search …> field and click the button. The first matching indicator is selected in the list of rules. Click the and buttons to move to the previous and next matching indicator. |
<Indicators> | Hierarchy of configuration item types with associated health indicators (HIs), which are applicable for the event integration only, and event type indicators (ETIs). To insert an indicator with a state in a policy, drag and drop the indicator from the Indicators tab to the relevant field in the policy. |
Specify if you want the instructions to accompany the event.
Events generated by a policy can include instructions that explain what to do when the event is generated. This instruction text can often help an operator to solve a problem when a particular type of event is received. The operator can view the instructions included with an event by checking the Event Details pane in the Event Browser. You can define default instructions for all rules in a policy. You can also override the default with different instructions for any rule.
UI Element | Description |
---|---|
Type | You can select one of the following options from the Type drop-down list: |
UI Element | Description |
---|---|
Options in events policies: | |
Options in metrics policies: | |
Options in events and metrics policies: | |
Pattern Matching Options | Defines case sensitivity and field separators for all rules. |
Case sensitive check | Defines whether the case (uppercase or lowercase) of a text string is considered when the pattern of a rule is compared with the source data. When switched on, a match only occurs if the use of uppercase and lowercase letters is exactly the same in both the source data and the pattern. This is the default setting. |
Field Separators | Defines which characters should be considered to be field separators. Field separators are used in the pattern as separator characters for the rule condition. You can define up to seven separators, including these special characters: For example, if you wanted a backslash, an asterisk, and the letter A to define the fields in the event, you would type \\*A (with no spaces separating the characters). If you leave this box empty, the default separators (a blank and the tab character) are used. You can set case sensitivity and separator characters for individual rules in a policy by clicking the button in the rule's match condition. |
Apply to All | Applies the pattern matching options to all existing rules in a policy. This overwrites any modifications made to the pattern matching options in individual rules. If you change the pattern matching options and do not click Apply to All, they apply only to new rules in a policy. |
UI Element | Description |
---|---|
Load From Local File System | Click to open the Select file to upload dialog box. Use the dialog box to upload a policy file. Policy files are data files and their filenames end in |
Save To Local File System | Click to download the policy to a policy data file on your system. You can then update the policy more comfortably in an editor of your choice. After completing your changes to the policy, upload the policy data file by clicking the Load From Local File System button. The policy editor automatically asks you to download policies that exceed 1 MB in file size. |
Check Syntax | Validates the syntax of the policy data. If the policy syntax is incorrect, the validation tool reports an error and points to the corresponding line and position of the unexpected token (for example the incorrect keyword). |
<policy data> | Policy data in text form. The policy editor highlights the policy syntax. If the policy exceeds 1,000 lines, syntax highlighting is automatically disabled. If the policy exceeds 1 MB in file size, the policy editor automatically asks you to download the policy to a file. |
UI Element | Description |
---|---|
Copy Rule | Copies the selected rule. You can then rewrite the description of the copied rule and edit the rule. |
Delete Rule | Deletes the selected rule. |
Move Up | Moves the selected rule higher in the rule order. |
Move Down | Moves the selected rule lower in the rule order. |
<Move to> | Entered number is used to select the rule with that sequence number in the list of rules. To select a specific rule in the rule list, type the rule's sequence number in the <Move to> field and click the button. |
<Search Rules> | Entered search string is used to search the rule descriptions and highlight only the rules containing the specified string. To search for rules with specific text strings in the rule description, type the string in the <Search Rules> field and click the button. The first matching rule is selected in the list of rules. Click the and buttons to move to the previous and next matching rule. |
Activate/Deactivate Rule Filter | Activates and deactivates the rule filter. |
Seq. | Sequence number of the rules. Rules are evaluated in a specific order. When one condition is matched, no additional rules are evaluated. |
Rule Description | Description of the rule. It is good practice to use a description that helps you remember what the rule does. |
Rule Type | Options in events policies: Options in metrics policies: You can change the rule type by clicking the current rule type in the list of rules and selecting another rule type from the drop-down list. |
You can use the following variables in log file entry policies. If a variable returns values that contain spaces, surround the variable with quotation marks.
Policy Variables Tab for Database and REST Web Service Policies (Events only)
Policy Variables Tab for XML File and Structured Log File Policies (Events only)
Policy Variables Tab for Open Message Interface, Scheduled Task, and SNMP Interceptor Policies (Events only)
Policy Variables Tab for All Policy Types (Metrics only)
UI Element | Description |
---|---|
Name | Name of the policy. You can use spaces in the name. The equal sign (=) is not allowed. The name is set when the policy is created and cannot be changed in new versions of a policy. |
Description | Description of what the policy does. You might also add other notes (for example, data sources that are used). |
Template ID | GUID (globally unique identifier) assigned to the policy template when it is first created. |
Version ID | GUID (globally unique identifier) assigned to this version of the policy template when it is saved. Each version of a policy template has a unique ID. |
Version | The current version of the policy. If you modify an existing policy, you create a new version of the policy in the database with a unique version number. By default, the minor version number increases by one automatically after you modify the policy and save it. If you want to save the policy with a specific version number, you can select the major or minor version number that you want. It is not possible to replace an existing version of a policy. However, you can delete a specific version of a policy. Note: If you modify a policy template that is part of an HPE Operations Manager i Management Pack, increase the minor version number only. The next version of the Management Pack normally uses the next major version number. |
Change Log | Text that describes what is new or modified in this version of the policy. |
Last Modification | The date and time that the policy was saved. The date and time displays using the current time zone of the computer on which the Web browser runs. The language setting of the Web browser determines the date and time format (for example, |
Last Modified by | The name of the user active when the policy was saved. |
Instrumentation | Instrumentation selected for this policy. Instrumentation consists of one or more programs (for example scripts or executable files) that some policies may require to complete a configuration or monitoring task. Instrumentation is deployed to nodes that have HPE Operations Agent installed when the policy is deployed. Instrumentations are unavailable if they are grayed out and their names end with "(Placeholder)". Upload them by using the Content Manager. |
OS Types | Types of operating system with which this policy is compatible. To enable platform neutrality, you can create several platform specific variations of the same policy, and include them all in one aspect. OMi ensures that a policy is deployed only to host nodes that have the operating systems that you specify. If you leave all the OS type check boxes clear, the policy can be deployed to host nodes with any operating system. |
The Rules page enables you to define one or more policy rules.
For more details, see Policy Rules List, Condition Tab, Event Attributes Tab, Event Correlation Tab, Custom Attributes Tab, Advanced Tab, and Actions Tab.