© 2011 IBM Corporation RTC 498 Requirement RT Windows Application Log Monitoring October 12, 2011 Tivoli SAPM.


1 © 2011 IBM Corporation RTC 498 Requirement RT Windows Application Log Monitoring October 12, 2011 Tivoli SAPM

2 IBM Confidential Req 498 - Overview

• More and more applications, both from Microsoft and other vendors, are starting to create and write to their own “log branches” within the Event Viewer. Currently ITM supports the gathering and display in the TEP of events from five Event Viewer logs on the Windows platform.
• The five standard Windows event logs are:
  – Application
  – System
  – Security
  – DNS Server
  – Directory Service or File Replication Service
• This feature adds support in ITM 6.2.3 IF1 for monitoring ANY event log in the Windows system Event Viewer.
• This feature includes changes to the 'Monitored Logs' and 'Event Log' attributes to support any Windows event log. The 'Monitored Logs' attributes provide information on the size, path, usage, etc. of an event log, and the 'Event Log' attributes display the actual events found in the event log being monitored. Both sets of attributes allow situations to be written against them.

3 Req 498 – Design Points and Limitations

• The 'Log Name' defined in the ODI file (docknt) for the Windows OS agent has a maximum length of 32 characters. This limit will not be superseded. Thus, any log name over 32 characters must be defined with the 'Log Name (Unicode)' attribute, whose maximum size is 392 characters.
• The Log Type attribute is defined in the ODI file (docknt) as an enumeration:
    *ENUM: System=0
    *ENUM: Security=1
    *ENUM: Application=2
    *ENUM: DNS_Server=3
    *ENUM: Directory_Service=4
    *ENUM: File_Replication_Service=5
  For Event Log names that are not one of the above, the value will be set to 6 and will NOT be enumerated.
• A Windows Event Log name can be labeled in various formats, so it can be confusing which one to use for the 'Log Name' / 'Log Name (Unicode)' attribute. The name to use is the one displayed when you right-click the Event Log name in the Event Viewer and select Properties. For example, the event log shown as 'Hardware Events' in the Event Viewer explorer panel, with a space between Hardware and Events, is shown as HardwareEvents, with no space, under Properties. HardwareEvents without the space is what should be used in the 'Log Name' or 'Log Name (Unicode)' attribute.

4 Req 498 – Design Points and Limitations

• All errors in Event Log names in situations or workspaces are logged in RAS1 tracing, the Operations Log and the new Audit Log.
• For the 'Monitored Logs Report', an invalid Event Log name is traced in the three logs, but the workspace is still populated with all valid Event Log names. Thus, a user can create a workspace for 3 Event Log names and, if one is invalid, the other two will display rows.
• For the 'Event Log' attributes, if any situation contains an invalid Event Log name, the complete situation is flagged as failed and is not started. The failure is also traced to the three logs.
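The naming rules from slide 3 and the two failure behaviours from slide 4, as an added C++ example that is not IBM's agent code. `attributeFor`, `logTypeFor`, `resolve` and the host log set are hypothetical, and mapping the log names 'DNS Server', 'Directory Service' and 'File Replication Service' to the enumeration values is an assumption.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>
using Names = std::vector<std::wstring>;

// Which attribute can carry the name: 1 = 'Log Name' (<= 32 characters),
// 2 = 'Log Name (Unicode)' only (<= 392 characters), 0 = fits neither.
int attributeFor(const std::wstring& name) {
    if (name.empty() || name.size() > 392) return 0;
    return name.size() <= 32 ? 1 : 2;
}

// Log Type: 0-5 for the enumerated logs, 6 for every other log name.
int logTypeFor(const std::wstring& name) {
    static const std::map<std::wstring, int> kEnumerated = {
        {L"System", 0}, {L"Security", 1}, {L"Application", 2},
        {L"DNS Server", 3}, {L"Directory Service", 4}, {L"File Replication Service", 5}};
    auto it = kEnumerated.find(name);
    return it == kEnumerated.end() ? 6 : it->second;
}

struct Outcome {
    bool started;     // false only when an 'Event Log' situation is refused
    Names monitored;  // logs that produce rows
    Names rejected;   // names that would be traced to the three logs
};

// strict=false models the 'Monitored Logs Report' (valid names still return
// rows); strict=true models an 'Event Log' situation (one bad name fails it).
Outcome resolve(const Names& asked, const std::set<std::wstring>& onHost, bool strict) {
    Outcome out{true, {}, {}};
    for (const auto& n : asked) {
        bool ok = attributeFor(n) != 0 && onHost.count(n) != 0;
        (ok ? out.monitored : out.rejected).push_back(n);
    }
    if (strict && !out.rejected.empty()) { out.started = false; out.monitored.clear(); }
    return out;
}

int main() {
    // Constructed host; 'HardwareEvents' is the Properties name from the slides.
    std::set<std::wstring> host = {L"Application", L"System", L"HardwareEvents"};
    Names asked = {L"Application", L"HardwareEvents", L"Hardware Events"};
    Outcome report = resolve(asked, host, false), situation = resolve(asked, host, true);
    std::printf("report rows=%zu rejected=%zu, situation started=%d\n",
                report.monitored.size(), report.rejected.size(), situation.started);
}
```

The same typo ('Hardware Events' with a space) costs one row in a workspace but silently disables the whole situation, so the three logs are the only place the second failure shows up.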

5 Req 498 - Technical Approach

• For the 'Event Log' attributes, the five hard-coded event logs and use counts need to be removed and replaced with a hash table keyed on the Windows Event Log name. The hash table will contain the use count and the event log object. New methods need to be created to support the hash table for destroy, clear, save, print, increment, decrement and get use count. The use count is used to track when the event log thread is shut down for situations.
• For the 'Monitored Logs Report' attributes, the five hard-coded event logs need to be replaced with a hash table that is keyed on the Windows Event Log name. The hash table will contain the event log object.
• For the 'Event Log' and 'Monitored Logs Report' attributes, if no event log name is used then the default is to use the standard six event logs.
• Also, the event throttling code needs to be updated to use the Windows Event Log name instead of the logType value, which is a hard-coded integer value.
• The processing of old events used one file name (kntevt.rst) for all five event logs. This will be changed to use one file per Windows Event Log name. The filename will be {Windows Event Log Name}.rst.
• Throughout the code, the use of the logType for the five Windows Event Logs needs to be changed to use the actual Windows Event Log name. This will require adding a variable to the AGENTPARMS_S structure for the Windows Event Log name in wide characters.
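The use-counted table and per-log restart file described on slide 5, as an added C++ example that is not the agent's code. `EventLogTable`, `Entry` and `restartFileName` are hypothetical names, and replacing characters that are illegal in Windows file names is an assumption the slides do not state.

```cpp
#include <cstdio>
#include <string>
#include <unordered_map>

struct Entry {
    int useCount = 0;
    bool threadRunning = false;  // stands in for the event log object and its thread
};

class EventLogTable {
    std::unordered_map<std::wstring, Entry> table_;  // keyed on the event log name
public:
    // A situation on `log` starts: the first user starts the log's thread.
    int increment(const std::wstring& log) {
        Entry& e = table_[log];
        if (e.useCount++ == 0) e.threadRunning = true;
        return e.useCount;
    }
    // A situation stops: the last user shuts the thread down and drops the entry.
    // Returns -1 for an unbalanced stop instead of driving the count negative.
    int decrement(const std::wstring& log) {
        auto it = table_.find(log);
        if (it == table_.end()) return -1;
        int left = --it->second.useCount;
        if (left == 0) table_.erase(it);
        return left;
    }
    int useCount(const std::wstring& log) const {
        auto it = table_.find(log);
        return it == table_.end() ? 0 : it->second.useCount;
    }
    size_t size() const { return table_.size(); }
};

// {Windows Event Log Name}.rst. Assumption: characters that are illegal in a
// Windows file name are replaced with '_' so the name cannot leave the directory.
std::wstring restartFileName(std::wstring log) {
    for (wchar_t& c : log)
        if (std::wstring(L"\\/:*?\"<>|").find(c) != std::wstring::npos) c = L'_';
    return log + L".rst";
}

int main() {
    EventLogTable t;
    t.increment(L"HardwareEvents");
    t.increment(L"HardwareEvents");
    std::printf("uses=%d file=%ls\n", t.useCount(L"HardwareEvents"),
                restartFileName(L"Vendor-App/Operational").c_str());  // constructed log name
}
```

Because the log name now comes from a situation or query filter and ends up in a file name, it has to be treated as untrusted input. Character replacement can map two different log names to the same file, so a real implementation needs a collision-free encoding.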

6 Req 498 – User Story

• User Story 1: As an ITM administrator I want to monitor the usage and the event records of any Windows Event logs. To do this I will provide the name of the log I'm interested in as LogName filter attribute when creating queries or situations on the Monitored Logs and/or the Event Log attribute groups.
• User Story 2: MR0909074329 enhancement request from State Street Bank.
• User Story 3: PMR - 02240,000,834 We have a server which has 4 Event Logs in the Event Viewer. They are as follows.
  – Application
  – Security
  – System
  – Saved Application Log
• ITM6 is configured to monitor, LoggingClient event, in 'Saved Application Log'.
  – We would like to check with you whether ITM6 has the capability to monitor customized Event Log? Or ITM6 can only monitor default Event Logfile like 'Application', 'Security' and 'System'.

