
Event Detectors

An event detector defines the network and systems events that you want to monitor, and what to do when the event occurs.

You can define an alert to raise, and you can define the wording of the alert. You can also define an automatic action to run.

Sample event detector definitions are supplied. Each type of event is represented in the samples. Use these definitions as examples when you create your own event detectors.

The following types of event detectors are available:

CCTN3270

Monitors Cisco channel card TN3270 log messages.

CONNECT

Monitors connections.

CONNSTAT

Monitors the status of TCP connections.

CONSOLE

Monitors system console messages.

CUSTOM

Monitors custom events.

FRAGMENT

Monitors IP packet fragmentation.

FTPFAIL

Monitors FTP failures.

ICMP

Monitors ICMP messages.

LISTENER

Monitors listening ports.

NOLISTEN

Monitors connection attempt failures due to a listener port not being active.

RTPRED5M

Monitors RTP pipe congestion.

SSLHFAIL

Monitors Secure Sockets Layer (SSL) handshake failures.

SVRRESET

Monitors TCP connections that a server resets.

TCPEND

Monitors the end of TCP connections by reason codes.

TCPSTART

Monitors the start of TCP connections.

Note: The CONNECT and LISTENER detectors operate by polling, as determined by the IPTIMING parameter group.

Define an Event Detector

To specify the type of event that you want to monitor, define an event detector.

Follow these steps:

  1. Enter /EDETECT at the command prompt.

    The Event Detectors Controls List appears.

  2. Press F4 (Add).

    The Valid Value List appears.

  3. Select a type from the list, and press Enter.

    The corresponding detector definition panel appears.

  4. Complete the following fields:
    Short Description

    Briefly describes the event detector. This description appears on the Event Detector Controls List. Use this description in your own documentation.

    Status

    Specifies whether this rule detects events. Making a detector inactive means that you can keep a definition, but not have it checked.

  5. Press F4 (Criteria) and define the criteria for events that you want to monitor.
  6. Press F5 (Alert) and define the alert.
  7. (Optional) Press F6 (Actions) to define any action that you want the system to take in response to a triggering event.
  8. Press F3 (File).

    The new detector is added.

Define Event Criteria

Event criteria define the conditions that trigger the alert, the actions, or both.

Follow these steps:

  1. From the detector definition panel, press F4 (Criteria).

    The corresponding criteria panel appears.

  2. Complete the fields on the criteria panel.

    Note: For more information about the fields, press F1 (Help).

  3. Press F3 (OK).

    The event criteria are saved.

Define an Alert

After you define the conditions that cause the alert, define the actual alert, for example, the type and severity. If you do not want to raise an alert, specify 0 for severity.

Follow these steps:

  1. From the detector definition panel, press F5 (Alert).

    The Alert Definition panel appears.

    Note: For some detector types, this panel contains only the Description and Severity fields.

  2. Complete the fields.

    Note: For more information about the fields, press F1 (Help).

  3. Press F3 (OK).

    The alert details are saved.

Define an Automatic Action

After you define the alert criteria and the alert, you can define an action that happens automatically when the event criteria are satisfied.

Follow these steps:

  1. From the detector definition panel, press F6 (Actions).

    The Available Actions panel appears.

  2. Select the action to use.

    An action-specific details panel appears.

  3. Complete the action-specific details on the panel.

    Note: For more information about the fields, press F1 (Help).

  4. Press F3 (File).

    The selected action is added.

  5. Press F3 (File).

    The details are saved.

IP Connection Events

You can set up event detectors to poll connection information at defined intervals and to create alerts according to the criteria that you define.

Use IP connection event detectors to detect long-running problems, such as connections that have been idle or in a wait state for a long time.

Note: IP connection detectors do not detect every connection in real time. They run a NETSTAT command at regular intervals and scan the output for connections that match your criteria. Because this is a polling mechanism, a connection can start and end between two polls; such connections are not found.

You can use combinations of any of the following as criteria for a connection detector to create an alert:

Define an IP Connection Detector

To define an IP connection detector, you perform the steps to define an event detector and select CONNECT as the Alert Detector Type.

Note: Before you set up an event detector for connections, use the TCP/IP : Connections Menu to find the connection that you want to monitor, and note the values displayed in the various columns.

Example: Define an IP Connection Detector

This example shows how to define an event detector that drops FTP data connections that have been idle for more than 10 minutes.

To define the IP connection detector:

  1. Enter /EDETECT at the command prompt.

    The Event Detectors Controls List appears.

  2. Press F4 (Add).

    The CAS : Valid Value List appears.

  3. Enter S next to CONNECT.

    The Connection Detector panel appears.

  4. Complete the following fields:
    Short Description

    Briefly describes the event detector.

    Note: This description appears on the Event Detector Controls List. Use this in your own documentation.

    Status

    Specifies whether this rule detects events.

  5. Press F4 (Criteria).

    The TCP/IP : Connection Criteria panel appears.

  6. Complete the panel as follows:

    PROD--------------------- TCP/IP : Connection Criteria ------------------------
    Command ===>
    Short Description  Drop FTP Data Connections         Status ACTIVE
    Task Name ........ FTPSRV
    TCP Status .......
    Bytes In+Out Over
    Foreign Host .....
    Foreign Port .....
    Local Host .......
    Local Port ....... 21
    Idle Time Over ... 00:10 (hh:mm)
    Note: Generic values may be used. Field values are as shown on connection list
    F1=Help  F2=Split  F3=OK  F9=Swap  F12=Cancel

  7. Press F3 (OK).

    The TCP/IP : Connection Detector panel appears.

  8. Press F6 (Actions).

    The Available Actions panel appears.

  9. Enter S next to RUN_COMMAND.

    The Run Command Details panel appears.

  10. Complete the panel as follows:

    PROD---------------- Alert Monitor : Run Command Details ----------------------
    Command ===>
    Short Description ...... Drop FTP Data Connections
    Command & Parameters ... NETSTAT DROP &$IPCONNID
    Command Parameters .....
    F1=Help  F2=Split  F3=File  F9=Swap  F12=Cancel

  11. Press F3 (File).

    The Alert Automated Actions panel appears, with RUN-COMMAND added to the list of actions.

  12. Press F3 (OK).

    The TCP/IP : Connection Detector panel appears.

  13. Press F3 (File).

    The IP connection detector is saved.
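
The following Python sketch is an added illustration, not CA NetMaster code: it models the polling behaviour described in the note above, using the criteria and the RUN_COMMAND action from this example. The connection records, the minute-based timeline, the AND-combination of criteria, and the wildcard matching through fnmatch are assumptions made for the simulation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Values taken from the example panels above.
CRITERIA = {"task": "FTPSRV", "local_port": "21", "idle_over_min": 10}
ACTION = "NETSTAT DROP &$IPCONNID"

@dataclass(frozen=True)
class Conn:
    conn_id: str        # hypothetical connection ID, substituted for &$IPCONNID
    task: str
    local_port: int
    start: int          # minute the connection opened
    end: int            # minute it closed on its own
    last_activity: int  # minute of the last data transfer

# Constructed sample connections (not real NETSTAT output).
SAMPLE = [
    Conn("0001A", "FTPSRV", 21, 0, 60, 2),   # long-lived and idle
    Conn("0001B", "FTPSRV", 21, 6, 9, 8),    # lives only 3 minutes
    Conn("0001C", "TN3270", 23, 0, 60, 0),   # idle, but other task and port
]

def matches(conn, now, crit):
    """Assumption: all specified criteria must hold; patterns model generic values."""
    return (fnmatchcase(conn.task, crit["task"])
            and fnmatchcase(str(conn.local_port), crit["local_port"])
            and now - conn.last_activity > crit["idle_over_min"])

def run(conns, interval, horizon, crit=CRITERIA):
    """Poll every `interval` minutes; return (commands issued, IDs never seen)."""
    actions, seen, dropped = [], set(), set()
    for now in range(0, horizon + 1, interval):
        # A poll only sees connections that are open at this instant.
        visible = [c for c in conns
                   if c.start <= now < c.end and c.conn_id not in dropped]
        seen.update(c.conn_id for c in visible)
        for c in visible:
            if matches(c, now, crit):
                actions.append(ACTION.replace("&$IPCONNID", c.conn_id))
                dropped.add(c.conn_id)
    missed = sorted(c.conn_id for c in conns if c.conn_id not in seen)
    return actions, missed

if __name__ == "__main__":
    for interval in (5, 1):
        print(interval, run(SAMPLE, interval, 30))
```

With a 5-minute interval, the connection that lived from minute 6 to minute 9 is never observed, so neither an alert nor the drop action can apply to it; a 1-minute interval observes it.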

Monitor FTP Failure Events

FTP failures detected by the FTP logging function can be declared as alerts. An FTP is considered to have failed if the FTP client or server event contains a response code other than 0 or 250.

You can detect FTP failures that match the following conditions:

Define an FTP Failure Detector

To define an FTP failure detector, you perform the steps to define an event detector and select FTPFAIL as the Alert Detector Type.

Example: Define an FTP Failure Detector

This example shows how to create an alert if the receipt of a production data set fails.

To define an FTP failure detector:

  1. Enter /EDETECT at the command prompt.

    The Event Detectors Controls List appears.

  2. Press F4 (Add).

    The CAS : Valid Value List appears.

  3. Enter S beside FTPFAIL.

    The FTP Failure Detector panel appears.

  4. Complete the following fields:
    Short Description

    Briefly describes the event detector.

    Note: This description appears on the Event Detector Controls List. Use this in your own documentation.

    Status

    Specifies whether this rule detects events.

  5. Press F4 (Criteria).

    The FTP Failure Criteria panel appears.

  6. Complete the panel as follows:

    PROD------------------- TCP/IP : FTP Failure Criteria -------------------------
    Command ===>
    Short Description ..... FTP Failure                  Status ACTIVE
    FTP Command ........... STOR (*, Retr, Stor, Appe, Delete, Rename)
    Remote IP Address .....
    Dataset Name(Member) .. PROD.ERROR.LOG
    Server Job Name .......
    F1=Help  F2=Split  F3=OK  F9=Swap  F12=Cancel

  7. Press F3 (OK).

    The FTP Failure Detector panel appears.

  8. Press F5 (Alert).

    The Alert Definition panel appears.

  9. Enter the severity of the alert that you want to create and press F3 (OK).

    The FTP Failure Detector panel appears.

  10. Press F3 (File).

    The details are saved.

Monitor Console Messages

CA NetMaster NM for TCP/IP can detect z/OS console messages issued by a specific job name, generic job name, or the TCP/IP stack. You can specify extended message text matching, not only the message number.

You can update or replace alerts, as well as raise a new alert each time a message is received.

Note: For an example of how to clear an alert when a corresponding OK message is detected, see the SAMPLE: SYSVIEW... console detectors.

Define a Console Message Detector

To define a console message detector, you perform the steps to define an event detector and select CONSOLE as the Alert Detector Type.

Example: Define a Console Message Detector

This example shows how to create a severity 4 alert when message M123 PROCESSING COMMAND occurs for commands VARY and STATUS, for jobname TCPIP1.

To define a console message detector:

  1. Enter /EDETECT at the command prompt.

    The Event Detectors Controls List appears.

  2. Press F4 (Add).

    The CAS : Valid Value List appears.

  3. Enter S beside CONSOLE.

    The Console Message Detector panel appears.

  4. Complete the following fields:
    Short Description

    Briefly describes the event detector.

    Note: This description appears on the Event Detector Controls List. Use this in your own documentation.

  5. Press F4 (Criteria).

    The Console Message Criteria panel appears.

  6. Complete the panel as follows:

    PROD----------------- TCP/IP : Console Message Criteria -----------------------
    Command ===>
    Short Description ..... PROCESSING COMMAND______________    Status ACTIVE__
    Console Message Details
      Text... M123 PROCESSING COMMAND:______________________________________________
      Jobname TCPIP1__ (Enter * for TCPIP Started Task)
    Extended Message Filtering
           Strt Word
      Scan Pos  Num  Opr Text
      1    1__  4__  EQ_ VARY_________________________________________________________
      2    15_  5__  EQ_ STATUS_______________________________________________________
      3    ___  ___  ___ _____________________________________________________________
      4    ___  ___  ___ _____________________________________________________________
      5    ___  ___  ___ _____________________________________________________________
      Expression ..... _____________________________________ e.g. 1 and (2 or 3)
    F1=Help  F2=Split  F3=OK  F9=Swap  F12=Cancel

  7. Press F3 (OK).

    The Console Message Detector panel appears.

  8. Press F5 (Alert).

    The Alert Definition panel appears.

  9. Enter 4 in the Severity field and press F3 (OK).

    The Console Message Detector panel appears.

  10. Press F3 (File).

    The console message detector is saved.