11.14 Sample Rule Groups

This section provides examples of how to create a rule group for a custom application.

The default installation creates a rule set that supports a limited number of applications. These rule sets can be used as templates to create custom rule groups for new applications. The following example procedure provides the steps to create a rule group for Stash or BitBucket, which is used as a source code repository.

  1. Click Rules Manager.

    The Rules Management window is displayed.

  2. Click Manage Rule Sets > Create Rule Set.

  3. Enter the name of the rule set and click OK.

    The Rule set will be populated with default Event Sources and Groups.

  4. To create a new rule group, in Edit Rules panel, right-click Rule sets and select one of the following options based on your requirement:

    • Add Event Source: Event Sources are programmable entities that rule groups use to obtain an event stream. An Event Source passes events to rule groups by setting output parameters.

    • Add Real-time Group: Rule groups in the default rule set are real-time groups and contain information about rules. The rules are grouped based on the source of events.

    • Add Scheduled Group: Rule groups that run on the schedule at which you want the Agent to monitor the systems.

  5. Select Add Event Source to create a custom event source for Stash or BitBucket.

    The following are the tabs in the Add Event Source window:

    • Configuration: Configuration parameters, set according to the variable that is used for the log file location.

    • Output: Output parameters that are set by the Event Code and read by the rules.

    • Notifications: SNMP notification that includes a configurable subset of the output parameters.

    • Sentinel Event: Maps the output variables.

    • Attributes: Name and description of the event source.

    • Initialization: Contains the Perl code that is evaluated on startup. You can initialize variables, instantiate objects, and open the log files for reading.

      Example Initialization code (modify it to suit your requirements):

      # Expand the log file globs configured for this operating system ($^O)
      @logfiles = _globList(@{$logfilesOsTable{$^O}});
      if ($#logfiles < 0)
      {
          # No matching log files yet: wait, then leave the event source
          sleep(30);
          es_exit(0);
      }
      # Start with an empty list of file buffers
      $#fileBfrs = -1;
      foreach my $logfile (@logfiles)
      {
          # Open a PS_FileBuffer on each log file for this rule group
          my $fileBfr = PS_FileBuffer->new($logfile, 0, 1, $main::__group_name);
          push(@fileBfrs, $fileBfr);
      }

    • Event Code: Contains the Perl code that is repeatedly evaluated to get new events. You can set the output parameter variables from the event information.

      Example Event code (modify it to suit your requirements):

      # Read the next record from the file buffers and parse it as a syslog
      # event; the returned values become the event source's output parameters
      ($record, $nbrBytes, $utc_timestamp, $year,
       $monthAbbrev, $monthNbr,
       $day_of_month, $hour, $minute, $second, $host, $source,
       $pid, $message, $facility, $severity)
          = _getNextLogRecord(\&_parseSyslogEvent, undef, @fileBfrs);

  6. (Conditional) If you selected Add Real-time Group, specify the following:

    • Attributes: Specify the name and description of the group.

    • Event Source: Configure the event source and browse to provide the log file location.

    • Advanced: Specify the following:

      Nice value: The nice value scale goes from -20 to 19. The lower the number, the higher the priority of the task. A high value sets the task to the lowest priority, and the CPU processes it whenever possible. The default nice value is zero.

      Delay: The delay value is the polling interval, or the interval in which the rule group checks for new events.

      Debug level: The debug level is used to increase the amount of information logged to error logs.

  7. (Conditional) If you selected Add Scheduled Group, specify the following:

    • Attributes: Specify the name, description, and schedule time of the group.

    • Advanced: Specify the Nice value and click OK.

  8. Go to the new rule group that you created, right-click and select Edit Rules > Turn on Rule(s).

  9. Save the configuration, and navigate to Rules Management window > Apply Rule Set.

  10. Select the host on which you want to deploy the rule set, and click To Selected Hosts.

    The rule set is deployed on the host.

The following table describes the Perl modules that are imported into the event source code namespace (the default modules are listed in the first row):

  Perl modules                                   Description
  --------------------------------------------   --------------------------------------------
  PS_Default, PS_Helpers, PS_FileBuffer,         Default Perl modules.
  PS_FifoBuffer, PS_DOM_XML_Parser
  PS_Pacct                                       Used by the pacct event source.
  PS_Filesystem                                  Used by the filesystem event source.
  PS_Lsof                                        Previously used by the network event source.
  PS_VigilEntAgent                               Used by the network event source.
  PS_BsmDirect                                   Used by the bsm event source.
  PS_AIXAudit                                    Used by the AIX_Audit event source.
  PS_HPAudit                                     Used by the HP_Audit event source.
  PS_Wtmp                                        Used by the wtmp event source.
  PS_OracleAudit                                 Used by the Oracle_Audit event source.

PS_FileBuffer provides the following parsing functions:

  • _parseEventRegEx: Takes a regular expression with sub-expressions and returns an array of substrings that match the sub-expressions.

  • _parseSyslogEvent: Parses syslog records.

  • _parseSulogEvent: Parses sulog records.
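The Event Code in step 5 and the _parseSyslogEvent entry above both rely on the agent's syslog parser. As an added illustration (not the agent's PS_FileBuffer code, whose internals are not on this page), the standalone Perl subroutine below produces the same sixteen output variables from a constructed record, so you can see what each one holds; it assumes an optional RFC 3164 <PRI> prefix for facility and severity, and takes the year from the caller because BSD syslog lines carry none.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timegm);

# Added illustration, not the agent's PS_FileBuffer code: month lookup for
# BSD syslog timestamps.
my %MONTH = (Jan => 1, Feb => 2, Mar => 3, Apr =>  4, May =>  5, Jun =>  6,
             Jul => 7, Aug => 8, Sep => 9, Oct => 10, Nov => 11, Dec => 12);

# Returns the same 16 fields the Event Code assigns from _parseSyslogEvent,
# or an empty list if the line is not a syslog record. $year is supplied by
# the caller because a BSD syslog line carries no year (assumption).
sub parse_syslog_record {
    my ($record, $year) = @_;
    my $nbrBytes = length($record);
    my $body     = $record;

    # Optional RFC 3164 <PRI> prefix: facility = PRI >> 3, severity = PRI & 7
    my ($facility, $severity);
    if ($body =~ s/^<(\d{1,3})>//) {
        my $pri = $1 + 0;
        ($facility, $severity) = ($pri >> 3, $pri & 7);
    }

    # "Mmm dd HH:MM:SS host source[pid]: message" (pid is optional)
    $body =~ m{^(\w{3}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) ([^\s:\[]+)(?:\[(\d+)\])?: (.*)$}
        or return;
    my ($monthAbbrev, $day_of_month, $hour, $minute, $second,
        $host, $source, $pid, $message) = ($1, $2, $3, $4, $5, $6, $7, $8, $9);
    my $monthNbr = $MONTH{$monthAbbrev} or return;
    my $utc_timestamp = timegm($second, $minute, $hour, $day_of_month, $monthNbr - 1, $year);

    return ($record, $nbrBytes, $utc_timestamp, $year, $monthAbbrev, $monthNbr,
            $day_of_month, $hour, $minute, $second, $host, $source,
            $pid, $message, $facility, $severity);
}

# Constructed sample record of the kind a Stash/BitBucket host's syslog holds
my $line = 'Mar  9 14:05:07 stash01 sshd[2231]: Accepted publickey for git from 10.0.0.5 port 51234 ssh2';
my @fields = parse_syslog_record($line, 2024);
my @names  = qw(record nbrBytes utc_timestamp year monthAbbrev monthNbr day_of_month
                hour minute second host source pid message facility severity);
for my $i (0 .. $#names) {
    printf "%-13s = %s\n", $names[$i], defined $fields[$i] ? $fields[$i] : '(undef)';
}
```

A custom parser for a non-syslog Stash log format would return this same list so that the Event Code's assignment and the Output tab variables stay unchanged.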