

Define Event Detectors

You want to automate responses to the syslogd messages that the region receives. The SYSLOGD event detectors enable you to detect specific messages, raise alerts, and perform actions.

Follow these steps:

  1. Enter the /EDETECT panel shortcut.

    The Event Detector Controls List panel appears.

  2. Press F4 (Add), and enter S next to the SYSLOGD event detector type.

    A panel appears for you to define the detector.

    Note: For information about the panels and fields, press F1 (help).

  3. Describe the detector, and set the status to ACTIVE.

    Note: You can also activate or inactivate a detector from the Event Detector Controls List panel.

  4. Specify the criteria for the message you want to detect:
    1. Press F4 (Criteria).
    2. Specify the criteria, and press F3 (OK).

      The Event Detector Controls List panel appears with the criteria information.

    The detector triggers on messages that satisfy the specified criteria.

  5. Define the alert that you want to raise:
    1. Press F5 (Alert).
    2. Define the alert, and press F3 (OK).

      The Event Detector Controls List panel appears with the alert information.

    When the detector is triggered, it raises the defined alert.

  6. (Optional) Specify the actions that you want to perform:
    1. Press F6 (Actions).
    2. Select the type of action.
    3. Specify the action, and press F3 (File).

      The Alert Automated Actions panel appears.

    4. If you want to specify more actions, press F4 (Add), then repeat sub-steps 2 and 3.

      If you have finished specifying your actions, press F3 (OK). The Event Detector Controls List panel appears with the action information.

    When the detector is triggered, it performs the specified actions.

  7. Press F3 (File).

    You save the detector. The detector is active and starts processing received syslogd messages.

Example: Detect EZD1125I Messages

This example shows the criteria to detect an EZD1125I message. You review the region activity log and note the following message that has IKE as the source:

22.12.25 RMSL0105 276.1 Aug  7 02:12:25 USILCO31 IKE: EZD1125I SERVAUTH check for user JOHNDOE  and profile EZB.NETMGMT.CO31.TCPIP.IPSEC.DISPLAY failed during an NMI request

The message indicates that a user attempted to issue a Network Management Interface (NMI) request but was refused. The user does not have READ access to the security resource required to display IPSec information. You want to define an event detector to alert you on such events. The following panel shows the criteria to detect such messages:

    Short Description ..... EZD1125I________________________   Status ACTIVE__

    USS Syslog Daemon Message Details
      Text... EZD1125I______________________________________________________________
      Source  IKE_____

    Extended Message Filtering
         Strt  Word  Scan
         Pos   Num   Opr   Text
      1  ___   9__   EQ_   EZB.NETMGMT.*.TCPIP.IPSEC.DISPLAY____________________________
      2  ___   ___   ___   _____________________________________________________________

Example: Detect a Message That Does Not Begin With a Message ID

This example shows the criteria to detect an EZD0917I message that follows a qualifying text string:

11.57.07 RMSL0105 4177.1 Dec  6 16:57:07 BADEVL IKE: Message instance 384: EZD0917I Could not find applicable KeyExchangeRule - LocalIp : 192.168.21.1 RemoteIp : 192.168.21.5 LocalID :  Any RemoteID : ID_DER_ASN1_DN CN=dept001.comp001.com,OU=Mainframe,O=COMP001 Data

The following panel shows the criteria to detect such a message:

    Short Description ..... EZD0917I________________________   Status ACTIVE__

    USS Syslog Daemon Message Details
      Text... Message instance______________________________________________________
      Source  IKE_____

    Extended Message Filtering
         Strt  Word  Scan
         Pos   Num   Opr   Text
      1  ___   4__   EQ_   EZD0917I_____________________________________________________
      2  ___   ___   ___   _____________________________________________________________
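The following Python is an added example, not code from this documentation or from the product. It models the matching logic that the steps above and the two panels describe: a detector fires only when it is ACTIVE, the Source matches, the message text contains the Text field, and every Extended Message Filtering row (Word Num, Scan Opr, Text) holds for the numbered word of the message. The log-line layout, the meaning of `*` as a wildcard, and the operator names EQ and NE are assumptions made for the example; the Strt Pos column is not modelled. It is run here over the two messages quoted on this page plus one constructed EZD1125I message for a different profile, which must not fire.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Assumption: a syslogd line in the region activity log has the layout seen on
# this page: time, message id, sequence, date, clock, host, "SOURCE:", text.
LOG_LINE = re.compile(
    r"^(?P<time>\S+)\s+(?P<msgid>\S+)\s+(?P<seq>\S+)\s+"
    r"(?P<month>[A-Za-z]{3})\s+(?P<day>\d+)\s+(?P<clock>\S+)\s+"
    r"(?P<host>\S+)\s+(?P<source>[^\s:]+):\s+(?P<text>.*)$"
)


@dataclass
class WordCriterion:
    """One row of the Extended Message Filtering table (Word Num / Scan Opr / Text)."""
    word_num: int   # 1-based word number within the message text
    scan_opr: str   # "EQ" or "NE" (assumed operator names; the page shows EQ only)
    text: str       # pattern; "*" is assumed to match any run of characters


@dataclass
class Detector:
    short_description: str
    text: str                 # substring the message text must contain
    source: str               # syslogd source tag, e.g. "IKE"; "" means any source
    criteria: list = field(default_factory=list)
    status: str = "ACTIVE"


def matches(detector, line):
    """Return True when an ACTIVE detector's criteria are all satisfied by the line."""
    if detector.status != "ACTIVE":
        return False
    parsed = LOG_LINE.match(line)
    if parsed is None:
        return False
    if detector.source and parsed["source"] != detector.source:
        return False
    message = parsed["text"]
    if detector.text not in message:
        return False
    words = message.split()
    for crit in detector.criteria:
        if crit.scan_opr not in ("EQ", "NE"):
            raise ValueError(f"unsupported scan operator {crit.scan_opr!r}")
        if crit.word_num > len(words):
            return False  # message too short to contain the requested word
        word = words[crit.word_num - 1]
        hit = fnmatch.fnmatchcase(word, crit.text)  # "*" wildcard, case-sensitive
        if crit.scan_opr == "EQ" and not hit:
            return False
        if crit.scan_opr == "NE" and hit:
            return False
    return True


def scan(detectors, lines):
    """Run every detector over every line; return (short_description, line) hits."""
    return [(d.short_description, ln) for ln in lines for d in detectors if matches(d, ln)]


# Detectors mirroring the two panels on this page.
EZD1125I = Detector("EZD1125I", text="EZD1125I", source="IKE",
                    criteria=[WordCriterion(9, "EQ", "EZB.NETMGMT.*.TCPIP.IPSEC.DISPLAY")])
EZD0917I = Detector("EZD0917I", text="Message instance", source="IKE",
                    criteria=[WordCriterion(4, "EQ", "EZD0917I")])

# Constructed sample input: the first two lines are the messages quoted on this
# page; the third is a made-up EZD1125I for another profile that must not fire.
SAMPLE_LINES = [
    "22.12.25 RMSL0105 276.1 Aug  7 02:12:25 USILCO31 IKE: EZD1125I SERVAUTH check for user JOHNDOE  and profile EZB.NETMGMT.CO31.TCPIP.IPSEC.DISPLAY failed during an NMI request",
    "11.57.07 RMSL0105 4177.1 Dec  6 16:57:07 BADEVL IKE: Message instance 384: EZD0917I Could not find applicable KeyExchangeRule - LocalIp : 192.168.21.1 RemoteIp : 192.168.21.5 LocalID :  Any RemoteID : ID_DER_ASN1_DN CN=dept001.comp001.com,OU=Mainframe,O=COMP001 Data",
    "22.13.01 RMSL0105 277.1 Aug  7 02:13:01 USILCO31 IKE: EZD1125I SERVAUTH check for user JOHNDOE  and profile EZB.NETMGMT.CO31.TCPIP.SYSTCPCN failed during an NMI request",
]

if __name__ == "__main__":
    for name, hit in scan([EZD1125I, EZD0917I], SAMPLE_LINES):
        print(f"{name} fired on: {hit[:70]}...")
```

Word numbering starts after the source tag, which is why the profile name is word 9 in the first message (the double space after JOHNDOE does not create an empty word) and the message ID is word 4 in the second, after the words "Message", "instance" and "384:". The wildcard in the first pattern is what lets one detector cover every TCP/IP stack name in the middle qualifier of the profile.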