ntevl probe-Source / Publisher name and how to generate alarms with description

Document ID : KB000124174
Last Modified Date : 07/01/2019
Show Technical Document Details
Issue:
When an entry is defined for the given Windows event in the Source / Publisher field in ntevl it is not generating an alarm message when the event occurs.
Environment:
- UIM 8.5.1
- ntevl v4.32
Cause:
- ntevl help documentation regarding multiple fields' usage/valid syntax/regex are a bit unclear
- inconsistent results due to configuration settings and an ntevl memory issue fixed in 4.32 HF1
Resolution:
-> First, download and deploy ntevl 4.32-HF1 (Contact Support  to obtain it).

In the Event Selection Criteria section:

1. Source / Publisher Name: 

For the filter, the following variations work as expected, for example: 

Literal String-> Microsoft-Windows-WER-SystemErrorReporting 
or 
Slashes-> /Microsoft-Windows-WER-SystemErrorReporting/ 
or 
Asterisks-> *Microsoft-Windows-WER-SystemErrorReporting* 

it matches the event without fail and with no issues.

2. Message String: 

Even though the ntevl docops.ca.com Help documentation states: 
"Message String: defines the alarm message to be generated when the event selection criteria matches an event." That statement is a bit misleading.

>>>The message string field is expecting the message string or part of a message string of a VALID Windows Event ID. Then the alarm description will update and no event errors regarding format will be shown in the log. For instance, here is a portion of a message string for Event ID 999, and some other examples:

/An unexpected error has caused a DPM service failure/
or
/.*An unexpected error.*/
or
*

3. Computer: 
In this case you cannot use localhost for the Computer field. Use either an asterisk OR <hostname_string>* or the FQDN of the local computer. 

For example these work: 


or 
/<partial_string>*/ for example, /myhost*/ 
or 
<FQDN> for example, thishost.company.com

Make sure the ntevl probe is Active and the profile is still selected (activated) before testing and creating the event to generate the alarm.

ntevl probe configuration example
Additional Information:
In the ntevl probe, when deployed OOTB, the Properties section contains the following settings when run type of 'Poll' is selected (which is the default):

Poll Interval   30 seconds is the default. Specifies the time interval to update the events list. Note: Reduce this interval to generate alarms frequently. A shorter interval can also increase the system load.

Alarm Timeout   10 seconds (default)
Specifies the duration when the probe does NOT generate multiple alarms for the same event log. CA recommends you to specify a LOWER value than the Poll Interval.

>>>So depending on the setting, you may get one alarm and then no other within the given time frame specified. When testing ntevl event alarming, you may want to empty the 'Alarm Timeout' value to assess results quickly.

***Note: Leave this field blank to generate alarms at event occurrence.***

Here is an example of an eventcreate message that can be used in testing a given event/event ID, e.g., 999.

C:\>eventcreate /t error /id 999 /l Application /d "An unexpected error has caused a DPM service failure. Restart the DPM service." /so MSDPM

SUCCESS: An event of type 'error' was created in the 'Application' log with 'MSDPM' as the source.

ntevl probe alarm message example