Re: [nv-l] again a ruleset

To: nv-l@lists.us.ibm.com
Subject: Re: [nv-l] again a ruleset
From: James Shanks <jshanks@us.ibm.com>
Date: Mon, 15 Mar 2004 07:46:51 -0500
Delivery-date: Mon, 15 Mar 2004 13:01:06 +0000
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
In-reply-to: <OF0CAE7ACD.AE607CB3-ONC2256E58.00423F17-C2256E58.00423F9F@bisnet.ro>
Reply-to: nv-l@lists.us.ibm.com
Sender: owner-nv-l@lists.us.ibm.com

Well, as I said, if you are stuck with Windows then you may have to abandon complex rulesets.  It's a trade-off.
Reset-On-Match does work on Windows, as does Pass-On-Match.  I have tried simple test cases of both quite recently.  What I suspect does not work is having them back-to-back, that is, having one feed into another as you are trying to do.  

I would not expect a quick resolution to the PMR you have opened.

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group



lucian.vanghele@bisnet.ro
Sent by: owner-nv-l@lists.us.ibm.com
03/15/2004 07:03 AM
Please respond to: nv-l
To: nv-l@lists.us.ibm.com
cc:
Subject: Re: [nv-l] again a ruleset

I forgot to tell you... the NetView machine also has SAN manager and this is not supported on Linux, so that's another reason for trying rules on Windows. Anyway, it's strange that Pass on Match is working and Reset on Match does not!! Anyway, I opened a PMR...

Thanks anyway...


I keep trying to tell you that the ruleset implementation on Windows is not complete,  that it does not work in the same fashion as on UNIX and that you will most likely have to abandon this attempt.  If you insist on pursuing your present course, then you will have to open a problem to Support to have someone pursue the issue in detail, if that is what you want.  But the end result might simply be a statement that what you want to do is not supported.

The simple fact is that  IBM's direction for event correlation is TEC, and funding for expanding rulesets to  make them work on Windows like they do on UNIX is not currently available and not likely to be made available.  That is why in all probability, what you see is what you get.

So you will have to make a very hard choice here.  Complex rulesets will likely require a UNIX implementation.  So you have to get off Windows or give up rulesets for almost anything other than an event display filter, which is what the Windows implementation designed them to be.   Look at the samples and you will see what I mean.  They are quite trivial, and not even all of those work correctly, as I mentioned before.

In a nutshell, then, you must open a problem for an official answer or find another solution.

James Shanks
Level 3 Support  for Tivoli NetView for UNIX and Windows
Tivoli Software / IBM Software Group


lucian.vanghele@bisnet.ro
Sent by: owner-nv-l@lists.us.ibm.com
03/12/2004 08:57 AM
Please respond to: nv-l
To: nv-l@lists.us.ibm.com
cc:
Subject: [nv-l] again a ruleset

I'm back with my ruleset problem. This is the ruleset I'm trying to fire up
on Windows:


RuleSet33 RuleSet EventAttr34 EventAttr42
"" 0
EventAttr34 EventAttr EventAttr35 EventAttr40
Specific 0 5 "" 0
EventAttr35 EventAttr AttrDelay36
Origin 0 192.168.4.84 "" 0
AttrDelay36 AttrDelay EventAttr37
"" 0 "" 180 "" 0 0 0 "Origin Origin 0~"
EventAttr37 EventAttr AttrJoin38
Specific 0 5 "" 0
AttrJoin38 AttrJoin UserExit39
"" 0 "" 600 "" 0 "Specific Specific 0~"
UserExit39 UserExit
" set >>loglog" 0 0 0 ""
EventAttr40 EventAttr AttrDelay41
Origin 0 192.168.4.83 "" 0
AttrDelay41 AttrDelay AttrJoin38.2
"" 0 "" 180 "" 0 0 0 "Origin Origin 0~"
EventAttr42 EventAttr EventAttr43 EventAttr44
Specific 0 9 "" 0
EventAttr43 EventAttr AttrDelay36.2
Origin 0 192.168.4.84 "" 0
EventAttr44 EventAttr AttrDelay41.2
Origin 0 192.168.4.83 "" 0


and this is the log file (nvcordd.log):


2004/03/12 15:48:48 :   loading for correlationAppl 0x00FB0080
2004/03/12 15:48:48 :   CorrDnode=0x01050038 ForwardCorr ap=0x00000000
2004/03/12 15:48:48 :   new ap=0x00FB0080
2004/03/12 15:48:48 :   UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 :   UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 :   UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 :   UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 :   Adding dnode to CorrelationDefinitionRuleSet
2004/03/12 15:48:48 :   ===> Processing actions for regula.rs
2004/03/12 15:48:48 :   ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:48:48 :   ===> trap (6, 5)
2004/03/12 15:48:52 :         Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
2004/03/12 15:48:52 :         Attr(Generic='(ulong,6)')
2004/03/12 15:48:52 :         Attr(Specific='5')
2004/03/12 15:48:52 :   Received event CID(1) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:48:52 :   ===> Processing Event =========================== 1 of 1
                        Event CID(1) 15:48:52
                        Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
                        Attr(Generic='(ulong,6)')
                        Attr(Specific='5')
2004/03/12 15:48:52 :   RootDnode::resolveRootDnode() = TRUE
2004/03/12 15:48:52 :   RuleSet::resolve()   RuleSetName =regula.rs
2004/03/12 15:48:52 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:48:52 :         Attr(Origin='(ulong,1409591488)')
2004/03/12 15:48:52 :         Attr(sysUpTime='(ulong,1)')
2004/03/12 15:48:52 :         Attr(Community='(char,)')
2004/03/12 15:48:52 :         Attr(Category='(ulong,2)')
2004/03/12 15:48:52 :         Attr(Source='(char,?)')
2004/03/12 15:48:52 :         Attr(Severity='(ulong,1)')
2004/03/12 15:48:52 :   EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.84) CONTINUE
2004/03/12 15:48:56 :   ResetOnMatch:(7)  event is being SAVED
2004/03/12 15:48:56 :   EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.84) STOP
2004/03/12 15:49:01 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5) STOP
2004/03/12 15:49:01 :   Ruleset regula.rs got 0
2004/03/12 15:49:01 :   ===> Processing actions for regula.rs
2004/03/12 15:49:01 :   ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:49:01 :   ===> Finished with the trap
====================================
2004/03/12 15:49:01 :   ===> trap (6, 5)
2004/03/12 15:49:01 :         Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
2004/03/12 15:49:01 :         Attr(Generic='(ulong,6)')
2004/03/12 15:49:01 :         Attr(Specific='5')
2004/03/12 15:49:01 :   Received event CID(2) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:49:01 :   ===> Processing Event =========================== 1 of 1
                        Event CID(2) 15:49:01
                        Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
                        Attr(Generic='(ulong,6)')
                        Attr(Specific='5')
2004/03/12 15:49:01 :   RootDnode::resolveRootDnode() = TRUE
2004/03/12 15:49:01 :   RuleSet::resolve()   RuleSetName =regula.rs
2004/03/12 15:49:01 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:49:01 :         Attr(Origin='(ulong,1392814272)')
2004/03/12 15:49:01 :         Attr(sysUpTime='(ulong,1)')
2004/03/12 15:49:01 :         Attr(Community='(char,)')
2004/03/12 15:49:01 :         Attr(Category='(ulong,2)')
2004/03/12 15:49:01 :         Attr(Source='(char,?)')
2004/03/12 15:49:01 :         Attr(Severity='(ulong,1)')
2004/03/12 15:49:01 :   EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.83) STOP
2004/03/12 15:49:05 :   EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.83) CONTINUE
2004/03/12 15:49:10 :   ResetOnMatch:(14)  event is being SAVED
2004/03/12 15:49:10 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5) STOP
2004/03/12 15:49:10 :   Ruleset regula.rs got 0
2004/03/12 15:49:10 :   ===> Processing actions for regula.rs
2004/03/12 15:49:10 :   ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:49:10 :   ===> Finished with the trap
====================================
2004/03/12 15:49:10 :   ===> Processing time events
================================
2004/03/12 15:50:10 :   ResetOnMatch::processHeartbeat(7)
RuleSetName=regula.rs
2004/03/12 15:50:10 :   ResetOnMatch::processHeartbeat (7)setting
heartbeatInterval = 102 for:Event(CID(1),
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)') Attr(Generic='(ulong,6)')
Attr(Specific='5') Attr(Origin='(ulong,1409591488)')
Attr(sysUpTime='(ulong,1)') Attr(Community='(char,)')
Attr(Category='(ulong,2)') Attr(Source='(char,?)')
Attr(Severity='(ulong,1)'))
2004/03/12 15:50:10 :   ResetOnMatch:::processHeartbeat(7)  finished
processing heartbeat.
2004/03/12 15:50:10 :   ResetOnMatch::processHeartbeat(14)
RuleSetName=regula.rs
2004/03/12 15:50:10 :   ResetOnMatch::processHeartbeat (14)setting
heartbeatInterval = 111 for:Event(CID(2),
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)') Attr(Generic='(ulong,6)')
Attr(Specific='5') Attr(Origin='(ulong,1392814272)')
Attr(sysUpTime='(ulong,1)') Attr(Community='(char,)')
Attr(Category='(ulong,2)') Attr(Source='(char,?)')
Attr(Severity='(ulong,1)'))
2004/03/12 15:50:10 :   ResetOnMatch:::processHeartbeat(14)  finished
processing heartbeat.
2004/03/12 15:50:10 :   ===> Processing time events
================================
2004/03/12 15:51:10 :   ===> Processing time events
================================
2004/03/12 15:52:10 :   ResetOnMatch::processHeartbeat(7)
RuleSetName=regula.rs
2004/03/12 15:52:10 :   ResetOnMatch::processHeartbeat
RESOLVING:Event(CID(1), Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)') Attr(Specific='5')
Attr(Origin='(ulong,1409591488)') Attr(sysUpTime='(ulong,1)')
Attr(Community='(char,)') Attr(Category='(ulong,2)')
Attr(Source='(char,?)') Attr(Severity='(ulong,1)'))
2004/03/12 15:52:10 :   ResetOnMatch::processHeartbeat(7)
RESOLVING:Event(CID(1), Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)') Attr(Specific='5')
Attr(Origin='(ulong,1409591488)') Attr(sysUpTime='(ulong,1)')
Attr(Community='(char,)') Attr(Category='(ulong,2)')
Attr(Source='(char,?)') Attr(Severity='(ulong,1)'))


I don't understand why the events don't go to the Pass on Match node after
waiting 3 minutes in Reset on Match!! On Linux that rule works OK... Also,
on Windows, a simple rule (just 2 event attributes, one Pass on Match and an
inline action) also works fine!
Thanks,
Lucian Vanghele
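
A small parser for the nvcordd.log excerpt in the original post, added here as an example and not part of the thread or of NetView: it follows one event through the EventAttr node decisions, records which ResetOnMatch node saved it, and decodes the Origin ulong, which for both values in the log matches the little-endian form of the IPv4 address. The function names are assumptions of this example, and the sample lines are the log's own with the mail wraps rejoined.

```python
import re
import socket
import struct

# Constructed sample: entries taken from the nvcordd.log excerpt above, with the
# mail client's hard wraps rejoined so that each entry sits on one line.
SAMPLE = """\
2004/03/12 15:48:52 :   Received event CID(1) sysOID(1.3.6.1.2.1.318) Gen(6) Spec(5)
2004/03/12 15:48:52 :   EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5) CONTINUE
2004/03/12 15:48:52 :         Attr(Origin='(ulong,1409591488)')
2004/03/12 15:48:52 :   EventAttributes::resolve(EventAttrDnode(Attr:Origin eq 192.168.4.84)) (char,192.168.4.84) CONTINUE
2004/03/12 15:48:56 :   ResetOnMatch:(7)  event is being SAVED
2004/03/12 15:48:56 :   EventAttributes::resolve(EventAttrDnode(Attr:Origin eq 192.168.4.83)) (char,192.168.4.84) STOP
2004/03/12 15:49:01 :   EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5) STOP
2004/03/12 15:49:01 :   Ruleset regula.rs got 0
"""

ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) :\s*(.*)$")
RESOLVE = re.compile(r"EventAttrDnode\(Attr:(\w+) eq (\S+)\)\) \(\w+,(.*?)\) (CONTINUE|STOP)")
ORIGIN = re.compile(r"Attr\(Origin='\(ulong,(\d+)\)'\)")  # matched at start of entry only

def origin_to_ip(value):
    """Decode the Origin ulong as a little-endian IPv4 address (assumption from the log)."""
    return socket.inet_ntoa(struct.pack("<I", int(value)))

def trace(log_text):
    """Return one dict per event: CID, decoded origin, node decisions, saves, result."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped continuation or separator line
        body = m.group(2)
        if (cid := re.search(r"Received event CID\((\d+)\)", body)):
            cur = {"cid": int(cid.group(1)), "origin": None, "steps": [], "saved_by": [], "result": None}
            events.append(cur)
        elif cur is None:
            continue  # loader output before the first event
        elif (r := RESOLVE.search(body)):
            cur["steps"].append((r.group(1), r.group(2), r.group(4)))
        elif (o := ORIGIN.match(body)) and cur["origin"] is None:
            cur["origin"] = origin_to_ip(o.group(1))
        elif (s := re.search(r"ResetOnMatch:\((\d+)\)\s+event is being SAVED", body)):
            cur["saved_by"].append(int(s.group(1)))
        elif (g := re.search(r"Ruleset \S+ got (\d+)", body)):
            cur["result"] = int(g.group(1))
    return events
```

For CID(1) the trace shows the event matching Specific eq 5 and Origin eq 192.168.4.84, being saved by ResetOnMatch node 7, and the ruleset returning 0 for it.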




Archive operated by Skills 1st Ltd
