FAQs

GENERAL INSTALLATION & DEPLOYMENT
Q1. We want to include the EventTracker™ agents in our network management with Tivoli Netview. Is it possible to use the agents only with Netview, without "your" console?
Q2. I am testing EventTracker™ 6.0. How can I move the Access database file from the C drive to the D drive?
Q3. How do I configure EventTracker™ to receive syslog messages from my UNIX/Linux systems?
Q4. What are the different alerts generated by EventTracker™? How do they function?
Q5. What is the difference between 'UNINSTALL CLIENT' and 'REMOVE CLIENT COMPONENT'?
Q6. What archival mechanism is available in EventTracker™? How are EventVault™ and EventBox used in archival? Is there any inbuilt security?
Q7. What is Guaranteed Event Delivery?
Q8. Under what circumstances should I transfer an existing EventTracker system to a new computer?
Q9. How do I tell when someone has changed my Group Policy?
Q10. What is the necessity to move EventTracker archives?
Q11. Can I deploy the Windows agent remotely to 64-bit systems?
Q12. How can one verify that all EventTracker agents are sending events to the console?
Q13. How can I install the agent on a server that is not in a domain, or on a server that is in a DMZ?
Q14. How can we collect syslogs from a Solaris system in EventTracker?
Q15. I have a trial copy of EventTracker installed and recently completed purchase of the product. How can I update the license information on all monitored systems?
Q16. How can we store event data in offline storage? Can this later be retrieved to run reports in EventTracker?

Q1. We want to include the EventTracker™ agents in our network management with Tivoli Netview. Is it possible to use the agents only with Netview, without "your" console?

Yes. EventTracker™ agents can be configured to forward events to the system hosting Tivoli Netview. To set this up, perform the following.
a> Launch the EventTracker™ Agent Config.
b> On the "Managers" tab, click the "ADD" button.
c> In the dialog that pops up, enter the SYSTEM NAME or IP ADDRESS of the system that is hosting Tivoli Netview.
d> If you choose not to keep the EventTracker™ Manager, select the Manager system name and click the "REMOVE" button. Since an agent can forward events to up to 5 managers, you do not have to remove the EventTracker™ Manager. Note that every manager listed receives a copy of the events, so each one should be a system you trust with them.
e> Click the "SAVE" button.


Q2. I am testing EventTracker™ 6.0. How can I move the Access database file from the C drive to the D drive?

You can move the EventTracker™ database from your C drive to your D drive with the following steps.

  1. Close all EventTracker™ applications.
  2. From Control Panel -> Services, stop the following services.
    • EventTracker Agent
    • EventTracker EventVault
    • EventTracker Receiver
    • EventTracker Reporter
    • EventTracker Scheduler

From "C:\Program Files\Prism Microsystems\Common" move the issdbv3.mdb file to the desired folder on your D drive. A move across volumes copies the file and deletes the original, so the moved file takes the NTFS permissions of the destination folder rather than keeping its own; check that the folder on the D drive gives ordinary users no access to the database file (the same applies to ETReports.mdb below).

  1. Open the ODBC configuration utility from Control Panel ->Administrative Tools -> Data Sources (ODBC)
  2. Click the System DSN tab.
  3. Select the "issdb" data source.
  4. Click the "Configure" button.
  5. Click the "Select" button.
  6. Browse through your D drive, locate the "issdbv3.mdb" file and then click OK. Dialog closes.
  7. Click the OK button. Dialog Closes
  8. Click the OK button. Changes are saved and DSN is now pointing to the “issdbv3” database on D drive.

From "C:\Program Files\Prism Microsystems\Common" move the ETReports.mdb file to the desired folder in your D drive.

  1. Open the ODBC configuration utility from Control Panel ->Administrative Tools -> Data Sources (ODBC)
  2. Click the System DSN tab.
  3. Select the " ETReporterV1 " data source.
  4. Click the "Configure" button.
  5. Click the "Select" button.
  6. Browse through your D drive, locate the "ETReports.mdb" file and then click OK. Dialog closes.
  7. Click the OK button. Dialog closes
  8. Click the OK button. Changes are saved and DSN is now pointing to the “ETReports” database on D drive.

Restart the stopped services.

  • EventTracker Agent
  • EventTracker EventVault
  • EventTracker Receiver
  • EventTracker Reporter
  • EventTracker Scheduler

 


Q3. How do I configure EventTracker™ to receive syslog messages from my UNIX/Linux systems?

To configure your UNIX systems to forward syslog messages to EventTracker™, do the following.
a> Identify the IP address of the system that is hosting the EventTracker™ Manager.
b> Log on with the root account to the UNIX computer from which you want to forward syslog messages.
c> Open the syslog.conf file in a text editor. The default path of the syslog.conf file is /etc/syslog.conf.
d> Add a line to syslog.conf that forwards syslog messages to the IP address of the EventTracker™ Manager computer. Example: to forward messages of priority err and higher (err, crit, alert and emerg, from every facility) to the IP address 192.192.150.150, add the following line. Use a tab between the selector and the "@" action; Solaris and some other classic syslogd implementations do not accept spaces there.

*.err	@192.192.150.150

e> Save and close the syslog.conf file.
f> Stop and restart the syslog daemon.

NOTE: For more information refer to the syslog.conf or syslogd man pages. Distributions that ship rsyslog or syslog-ng keep their configuration in other files (for example /etc/rsyslog.conf) with their own syntax. Plain syslog over UDP port 514 carries no authentication or encryption, so restrict which hosts the Manager accepts syslog from and keep the traffic on a trusted network segment.

Syslog configuration may be platform-dependent and it is recommended that you check the platform documentation. The following URLs will further help you identify the configuration change(s) required to forward syslog events to EventTracker™.

1. http://www.unet.univie.ac.at/aix/cmds/aixcmds5/syslogd.htm
2. http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/3_0/service/syslog.htm


Q4. What are the different alerts generated by EventTracker™? How do they function?

Six types of alerts are generated after respective configuration. They are:

  1. A beep
  2. Forward the event to another system
  3. Customized alert to execute an application file
  4. Send a Message to the console
  5. Send an e-mail
  6. Update via RSS

One example is given below. Follow these steps to use the 'Custom action' alert option to play a sound file when a critical event is received.
Configure EventTracker™ to play a WAV file when an ERROR event occurs. Perform the following steps:
- Click the Alerts button or choose Options -> Alerts
- Click the Add button
- Tick the "Custom" check box in the Actions section at the bottom
- Browse to and select mplayer2.exe (the default media player on Windows 2000) or any other player capable of playing WAV files, followed by the path of the WAV file you would like to play. Put double quotes around any path that contains spaces, or the command line will be split at the space. You could also have a batch file that runs the media player with the desired WAV file path.
Example: "C:\Program Files\Windows Media Player\mplayer2.exe" "C:\Program Files\GetRight\sounds\all_done.wav"

A custom action is code execution triggered by an event: whatever EventTracker™ process fires the alert runs the program with its own privileges. Point it only at executables and batch files in locations that ordinary users cannot modify, or anyone who can edit the target gets that privilege the next time the alert fires.

Click the OK button
Click the OK button to complete creation of the Custom Alert.

The minimum requirements are:
1. For a console message alert
- The Messenger service must be available. It is disabled by default on Windows XP SP2 and Server 2003 and was removed in Windows Vista and later, so this alert type does not work on those systems.
2. For an e-mail generating alert
- The SMTP server specified must be reachable from the console system, either over the Internet or on the LAN.
- Ensure a valid e-mail address is entered in 'To Address' and 'From Address'.


Q5. What is the difference between 'UNINSTALL CLIENT' and 'REMOVE CLIENT COMPONENT'?

In EventTracker™, a client/agent can be installed from the Client Manager or installed manually on the remote system. A client/agent is removed by clicking 'UNINSTALL CLIENT'.

Uninstalling a client does not remove the events it logged from the database. In certain cases there may be a requirement to remove all information about that client (events, system info, etc.); this is done with the Manager Console's 'REMOVE CLIENT COMPONENTS' option. Since this deletes the client's event history, export or archive anything you may still need for an investigation before using it.


Q6. What archival mechanism is available in EventTracker™? How are EventVault™ and EventBox used in archival? Is there any inbuilt security?

EventTracker™ provides two methods for archival. One method stores the events in the native Windows .evt format. The other, known as EventVault™, stores the event data in an ODBC-compatible format. EventVault™ archival can be configured as either automatic or manual.

To enable automatic archiving, launch the EventVault™ Manager, choose the Configure option, tick the enable EventVault™ option, and provide the destination directory and archival frequency. Once EventVault™ has been configured to archive automatically, whenever the archive period is exceeded it creates an EventBox and stores the archived event data in it. The archived data is removed from the main database and is then available only in the archives.

In addition, EventVault™ creates an MD5 hash (checksum) for each EventBox. This hash can be used to verify the integrity of each EventBox.

The integrity of an EventBox can be verified at any time by selecting it in the EventVault™ Manager and choosing 'Verify'. EventVault™ regenerates the MD5 hash and compares it with the hash stored in the database. A mismatch indicates that the contents of that EventBox have been altered; if the hashes match, the EventBox is reported as intact.

Two limits of this check are worth knowing. The stored hash detects corruption and casual editing of an EventBox, but an attacker who can write to both the archive directory and the EventTracker™ database can replace the stored hash along with the file, so for evidentiary use keep a separate copy of the hashes (or a keyed MAC over the archives) on a system that the log server's accounts cannot write to. MD5 is also no longer collision-resistant, which matters when the party who produced the archive is the one you distrust.

For documentation, EventBox information can be exported as a text document: click File and save the EventBox information to a text file.

An existing EventBox is retrieved in the EventVault™ Manager by selecting Options > Extract EventBox.
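The verify step above is a recompute-and-compare of a file digest. The following is an added example written for this page, not EventTracker™ code and not the EventVault™ format (which the page does not document): it hashes a constructed stand-in archive the way the verify step does, shows that a single changed byte is caught, and adds a keyed HMAC variant whose key is held away from the data, which is the fix for the "attacker rewrites hash and file together" gap. The file name, contents and key are all made up.

```python
"""Added example: archive integrity checking in the style of the EventVault verify step.
Not EventTracker code; the EventBox file below is a constructed stand-in."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read archives in 1 MiB pieces so large EventBoxes do not load into memory


def file_digest(path, algo="md5"):
    """Hex digest of a file. EventVault uses MD5; SHA-256 is the better choice today."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def file_hmac(path, key, algo="sha256"):
    """Keyed digest: an attacker who can rewrite both the archive and the stored
    digest still cannot forge this without the key, which should live elsewhere."""
    mac = hmac.new(key, digestmod=algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_archive(path, stored_digest, algo="md5"):
    """The 'verify' step: recompute and compare (constant-time) with the stored value."""
    return hmac.compare_digest(file_digest(path, algo), stored_digest.lower())


def demo():
    """Create a constructed archive, record its digests, flip one byte, re-verify.
    Returns (intact_before, tamper_detected_by_md5, hmac_changed_with_data)."""
    key = b"key-kept-off-the-log-server"   # constructed; a real key would come from a vault
    with tempfile.TemporaryDirectory() as workdir:
        box = os.path.join(workdir, "EventBox_constructed.cab")   # made-up file name
        with open(box, "wb") as f:
            f.write(b"constructed event record\n" * 2000)
        stored_md5 = file_digest(box)
        stored_mac = file_hmac(box, key)
        intact_before = verify_archive(box, stored_md5)
        with open(box, "r+b") as f:          # tamper: overwrite one byte in the middle
            f.seek(12345)
            f.write(b"X")
        tamper_detected = not verify_archive(box, stored_md5)
        hmac_changed = file_hmac(box, key) != stored_mac
        return intact_before, tamper_detected, hmac_changed


if __name__ == "__main__":
    print(demo())
```

The HMAC does not replace the stored MD5 in the product; it is the extra record you keep off-host. Store the keyed digests (or the plain digests) on a write-once medium or a host whose write access is separate from the log server's service accounts.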

Q7. What is Guaranteed Event Delivery?

By default, UDP is used to forward events from the EventTracker agent to the Receiver on the Manager, with no acknowledgement: an event dropped on the network or arriving while the Receiver is down is simply lost.

Starting with version 4.0.9, the agent has an optional TCP/IP mode. After each event is received at the Manager, an acknowledgement is sent back to the agent, which is what makes delivery guaranteed.

A queue is created at the agent to hold events while the Receiver is not ready (for example, the server is temporarily down). When the Receiver is ready again, the queued events are forwarded to the Manager and each is acknowledged back to the agent. If the Receiver goes down while events are being forwarded, the transfer stops and resumes when the Receiver is ready. Two properties of any acknowledgement-based scheme apply here: delivery is at-least-once (an event whose acknowledgement was lost is sent again, so the Manager may see an occasional duplicate), and the acknowledgement proves receipt, not authenticity; it does not by itself stop a spoofed agent from injecting events.
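The mechanism just described, as an added example written for this page: a receiver that acknowledges each event after recording it, and an agent that keeps events queued until they are acknowledged, tries to flush while nothing is listening, and succeeds once the receiver is up. This is not EventTracker's agent or Receiver code; the wire format (one "seq|text" line per event, "ACK" per event), the sequence-number dedupe, the in-memory queue and the three sample events are this example's own choices.

```python
"""Added example: acknowledged, queued event delivery of the kind the FAQ describes.
Not EventTracker's agent or receiver code; wire format and dedupe are this example's own."""
import collections
import socket
import threading


class Receiver(threading.Thread):
    """Minimal manager side: reads 'seq|text' lines, acks each, drops repeats."""

    def __init__(self, port):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.received, self.seen, self.running = [], set(), True

    def run(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(5)
                for line in conn.makefile("rb"):
                    seq, _, text = line.rstrip(b"\n").decode().partition("|")
                    if seq not in self.seen:      # a resend after a lost ack is harmless
                        self.seen.add(seq)
                        self.received.append(text)
                    conn.sendall(b"ACK\n")        # ack only after the event is recorded

    def stop(self):
        self.running = False
        self.sock.close()


class Agent:
    """Agent side: events wait in a queue until the receiver acknowledges them."""

    def __init__(self, host, port, ack_timeout=2.0):
        self.host, self.port, self.ack_timeout = host, port, ack_timeout
        self.queue = collections.deque()   # in-memory here; persist to disk to survive restarts
        self.next_seq = 1

    def enqueue(self, text):
        self.queue.append(f"{self.next_seq}|{text}")
        self.next_seq += 1

    def flush(self):
        """Send queued events in order; each leaves the queue only on ACK.
        Stops at the first failure (connection refused, timeout, bad reply) and
        returns how many were delivered; the rest stay queued for the next attempt."""
        delivered = 0
        try:
            with socket.create_connection((self.host, self.port), timeout=self.ack_timeout) as s:
                replies = s.makefile("rb")
                while self.queue:
                    s.sendall(self.queue[0].encode() + b"\n")
                    if replies.readline() != b"ACK\n":
                        break
                    self.queue.popleft()
                    delivered += 1
        except OSError:
            pass                               # receiver down or unreachable: keep everything queued
        return delivered


def free_port():
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Queue three constructed events while the receiver is down, then bring it up and flush.
    Returns (sent_while_down, queued_while_down, sent_after_up, left_in_queue, received)."""
    port = free_port()
    agent = Agent("127.0.0.1", port)
    for text in ["logon failure", "service stopped", "policy changed"]:
        agent.enqueue(text)
    sent_while_down = agent.flush()        # nothing listening: connection refused
    queued_while_down = len(agent.queue)
    receiver = Receiver(port)
    receiver.start()
    sent_after_up = agent.flush()
    receiver.stop()
    return sent_while_down, queued_while_down, sent_after_up, len(agent.queue), receiver.received


if __name__ == "__main__":
    print(demo())
```

The order of operations in the receiver is the point: record first, then acknowledge. Acknowledging before the write turns a receiver crash into silent loss, which is exactly what the TCP mode exists to prevent.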

Q8. Under what circumstances should I transfer existing EventTracker system to a new computer?

Refer to this document.

Q9. How do I tell when someone has changed my Group Policy?

When monitoring for Group Policy changes you can watch for two kinds of events. The first is event ID 612 (Audit Policy Change) and the second is one of the many 565 (Object Open) and 566 (Object Operation) directory service access events that Active Directory can generate.
Event ID 612 is logged when a system's effective audit policy changes, which is what you see when a Group Policy carrying audit settings is applied; it will not show up in the event log until a system applies or checks for Group Policy updates. It will not show you who changed what, only that a changed policy took effect, and it says nothing about GPOs that do not touch audit settings. To get a better look at who changed a GPO you will need to do the following.
1. Enable Audit Policy Change and Audit Directory Service Access in your AD audit policy (the Default Domain Controllers Policy is the usual place, since directory service access is audited on the domain controllers).
2. Watch for event ID 566 or 565 as described below:
When watching the 566/565 events that are generated, look for the following items in the event description:
1. Object Type = groupPolicyContainer
2. Write Property = versionNumber
Together these indicate that a Group Policy object was modified (every edit increments the GPO's versionNumber attribute) and the Client User Name / Client Domain fields tell you who made the change, but not what was changed.
On Windows Vista and Server 2008 and later, the equivalents are event ID 4719 (system audit policy was changed), 4662 (an operation was performed on an object) in place of 565/566, and, with Audit Directory Service Changes enabled, 5136 (a directory service object was modified), which additionally records the attribute that changed.
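The two indicators above turned into detection logic, as an added example written for this page rather than EventTracker™ code: it parses the "Key:<tab>Value" layout of 565/566 descriptions, keeps the events whose object type is groupPolicyContainer and whose written property includes versionNumber, and reports who touched which GPO. The three sample records are constructed and only approximate the real Windows 2000/2003 description layout; the GPO GUID, domain and account names are made up.

```python
"""Added example: picking Group Policy modifications out of 565/566 directory-service
access events. Not EventTracker code; the sample records are constructed."""
import re

# Constructed records: a GPO versionNumber write (should fire), a read of a user
# object (should not), and a 612 audit-policy change (carries no object details).
SAMPLE_EVENTS = [
    {"event_id": 566, "description": (
        "Object Operation:\n"
        "\tObject Server:\tDS\n"
        "\tOperation Type:\tObject Access\n"
        "\tObject Type:\tgroupPolicyContainer\n"
        "\tObject Name:\tCN={00000000-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example\n"
        "\tPrimary User Name:\tDC01$\n"
        "\tPrimary Domain:\tCORP\n"
        "\tClient User Name:\tgpoadmin\n"
        "\tClient Domain:\tCORP\n"
        "\tAccesses:\tWrite Property\n"
        "\tProperties:\tWrite Property\n"
        "\t\tDefault property set\n"
        "\t\tversionNumber\n")},
    {"event_id": 566, "description": (
        "Object Operation:\n"
        "\tObject Server:\tDS\n"
        "\tObject Type:\tuser\n"
        "\tObject Name:\tCN=jdoe,OU=Staff,DC=corp,DC=example\n"
        "\tClient User Name:\thelpdesk1\n"
        "\tClient Domain:\tCORP\n"
        "\tAccesses:\tRead Property\n"
        "\tProperties:\tRead Property\n"
        "\t\tdescription\n")},
    {"event_id": 612, "description": "Audit Policy Change:\n\tNew Policy:\n\t\tSuccess\tFailure\n"},
]

FIELD = re.compile(r"^\s*([A-Za-z ]+):\t(.*)$")   # 'Key:<tab>Value' lines


def parse_description(text):
    """Turn 'Key:<tab>Value' lines into a dict; the indented lines that follow
    'Properties:' (the attribute names touched) go into a list under 'Properties List'."""
    fields, props, in_props = {}, [], False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            fields[key] = value
            in_props = key == "Properties"
        elif in_props and line.strip():
            props.append(line.strip())
    fields["Properties List"] = props
    return fields


def is_gpo_modification(event):
    """The FAQ's two indicators: object type groupPolicyContainer and a write to versionNumber."""
    if event["event_id"] not in (565, 566):
        return False
    f = parse_description(event["description"])
    return (f.get("Object Type") == "groupPolicyContainer"
            and "Write Property" in f.get("Accesses", "")
            and "versionNumber" in f["Properties List"])


def gpo_changes(events):
    """(who, which GPO) for every matching event. 'Client User Name' is the account that
    acted; 'Primary User Name' is normally the DC's own account and is only a fallback."""
    out = []
    for ev in events:
        if not is_gpo_modification(ev):
            continue
        f = parse_description(ev["description"])
        domain = f.get("Client Domain") or f.get("Primary Domain", "?")
        user = f.get("Client User Name") or f.get("Primary User Name", "?")
        out.append((f"{domain}\\{user}", f.get("Object Name", "?")))
    return out


if __name__ == "__main__":
    for who, gpo in gpo_changes(SAMPLE_EVENTS):
        print(f"{who} modified {gpo}")
```

The Object Name is the GPO's container DN, so the GUID in it is what you look up (in the Group Policy Management Console or by listing CN=Policies) to get the GPO's display name; the event itself never carries it.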

Q10. What is the necessity to move EventTracker Archives?

Refer to this document.

Q11. Can I deploy the Windows Agent remotely to 64-bit systems?

The following combinations are not supported:

  • Pushing the Windows agent from Vista (32/64-bit) to Server 2008 64-bit
  • Pushing the Windows agent from Server 2008 (32/64-bit) to Server 2008 64-bit

The following combinations are supported:

  • Pushing the Windows agent from XP to Server 2008 64-bit
  • Pushing the Windows agent from Server 2003 (32/64-bit) to Server 2008 64-bit

For the unsupported combinations, install the agent manually on the target (see Q13).

Q12. How can one verify that all EventTracker agents are sending events to the console?

The following checks will confirm that the EventTracker agents are operating:

A scheduled log volume analysis for all monitored servers is a good indication: a server whose volume drops to zero, or well below its usual level, has an agent that has stopped, lost connectivity, or had its event logs cleared. Also, for any given time period, one can run a quick "Log search" to review the events forwarded by a given agent to the EventTracker console.

Query the status of the EventTracker agent on the monitored servers using EventTracker Control Panel -> System Manager -> Options -> Agent management tool. Compare the result against your asset inventory as well; a host that was never added to the console produces no row to be flagged.
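The volume check as code, added for this page and not EventTracker™ code: it runs over a constructed (host, timestamp) list standing in for a log search export, reports the last event time and count per expected host, and distinguishes a host that has gone quiet from one that never reported at all (which a per-host volume report cannot show, because such a host has no row). Host names, times, the four-hour silence threshold and the inventory list are all made up.

```python
"""Added example: the "is every agent still reporting?" check as code. Not EventTracker
code; the events, host names, reference time and threshold are constructed."""
from collections import Counter
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("FILESRV1", "2009-03-02 08:00:00"), ("FILESRV1", "2009-03-02 09:30:00"),
    ("FILESRV1", "2009-03-02 11:05:00"),
    ("DC01", "2009-03-02 08:01:00"), ("DC01", "2009-03-02 08:02:00"),
    ("DC01", "2009-03-02 10:59:00"), ("DC01", "2009-03-02 11:40:00"),
    ("WEB01", "2009-03-01 14:00:00"),      # last heard from almost a day ago
    ("LAPTOP99", "2009-03-02 11:50:00"),   # sends events but is not in the inventory
]
EXPECTED_HOSTS = ["FILESRV1", "DC01", "WEB01", "SQL01"]   # SQL01 never reported at all
NOW = datetime(2009, 3, 2, 12, 0, 0)                      # reference time for the check


def agent_status(events, expected_hosts, now, max_silence=timedelta(hours=4)):
    """Per expected host: last event time, event count and a verdict.
    'never' catches agents that were deployed but never checked in. Also returns
    hosts that sent events but are not in the inventory (unknown or misnamed agents)."""
    last_seen, counts = {}, Counter()
    for host, stamp in events:
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        counts[host] += 1
        last_seen[host] = max(last_seen.get(host, t), t)
    report = {}
    for host in expected_hosts:
        if host not in last_seen:
            report[host] = {"last_seen": None, "events": 0, "verdict": "never"}
        else:
            age = now - last_seen[host]
            report[host] = {"last_seen": last_seen[host], "events": counts[host],
                            "verdict": "ok" if age <= max_silence else "silent"}
    unexpected = sorted(set(last_seen) - set(expected_hosts))
    return report, unexpected


def hosts_needing_attention(events, expected_hosts, now, **kwargs):
    """Sorted list of expected hosts whose verdict is not 'ok'."""
    report, _ = agent_status(events, expected_hosts, now, **kwargs)
    return sorted(h for h, r in report.items() if r["verdict"] != "ok")


if __name__ == "__main__":
    report, unexpected = agent_status(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW)
    for host, r in report.items():
        print(f"{host:10} {r['verdict']:7} events={r['events']} last_seen={r['last_seen']}")
    print("not in inventory:", unexpected)
```

A host that is genuinely quiet (nothing written to its event logs) looks the same as a dead agent to this check, which is why the agent status query in the console remains the second half of the verification.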

Q13. How can I install the agent on a server that is not in a domain, or on a server that is in a DMZ?

Remote push from the Client Manager typically relies on Windows administrative access to the target, which a workgroup or DMZ host does not normally allow from the console. To install the EventTracker agent on such a system, do one of the following:

  1. Download the EventTracker install package on the system, run the executable, select "EventTracker client" and, when prompted, enter the external IP address of the EventTracker management console.
  2. Download and run the EventTracker manual agent install package on the system. Follow the instructions in the package readme file.

Because the DMZ agent reaches the console through its external address, the firewall rule that allows this should be limited to the agent-to-Receiver port and to the specific DMZ hosts that run the agent; do not expose the console to the DMZ as a whole.

Q14. How can we collect syslogs from Solaris system in EventTracker?

Procedure to collect syslogs from Solaris:

Create the log files that the login program writes to (Solaris documentation has them owned by root, group sys, mode 600):

touch /var/adm/loginlog    (failed user logon information)
touch /var/adm/sulog       (su logon information)

Open /etc/default/login and set SYSLOG_FAILED_LOGINS to 0, so that every failed login attempt is reported to syslog instead of only a run of consecutive failures.

Back up the existing syslog.conf file and create a new syslog.conf file in /etc.

Add the following lines and save the file.

auth.debug	/var/adm/loginlog
*.debug	@<name of syslog host>

Please note that the separator between the selector (auth.debug, *.debug) and the action is a tab; Solaris syslogd does not accept spaces there. "*.debug" forwards every message of every priority, which is the most complete feed but also the noisiest; narrow the selector if the Manager receives more than it needs.

Use the following commands to disable or enable the syslogd daemon (or "svcadm restart svc:/system/system-log:default" to do both in one step):

svcadm disable svc:/system/system-log:default

svcadm enable svc:/system/system-log:default
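Two details trip people up in the syslog.conf lines of Q3 and Q14: a priority selects that level and everything more severe, and the separator before the "@" must be a tab. The following added example, written for this page and not EventTracker™ or any syslogd's code, implements classic syslog.conf selector matching for the common "facility.priority" form (no "none", "=" or "!" modifiers), builds the forwarding line with the tab in place, and hand-assembles an RFC 3164 datagram you can send at the Manager to confirm the path works. The host name, tag and text in the sample message are constructed; nothing is sent unless you call send_test_message.

```python
"""Added example: what a syslog.conf selector actually forwards, the tab-separated
forwarding line, and a hand-built RFC 3164 test datagram. Not EventTracker code;
it does not parse a full syslog.conf (no 'none', '=' or '!' modifiers)."""
import socket
import time

# Numeric facility codes from RFC 3164 (only the unambiguous names).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
# Severities in numeric order: 0 = emerg is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_selector(selector):
    """'fac[,fac].level' -> (set of facilities, or None for '*', and the level's index)."""
    fac_part, _, level = selector.rpartition(".")
    if level not in SEVERITIES:
        raise ValueError(f"unknown priority in selector {selector!r}")
    facilities = None if fac_part == "*" else set(fac_part.split(","))
    if facilities is not None and not facilities <= set(FACILITIES):
        raise ValueError(f"unknown facility in selector {selector!r}")
    return facilities, SEVERITIES.index(level)


def selector_matches(selector, facility, severity):
    """True when classic syslogd acts on (facility, severity) for this selector.
    A level selects itself *and everything more severe*: '*.err' forwards err, crit,
    alert and emerg from every facility, not just err; '*.debug' forwards everything."""
    facilities, level_idx = parse_selector(selector)
    if facilities is not None and facility not in facilities:
        return False
    return SEVERITIES.index(severity) <= level_idx


def forwarding_line(selector, manager):
    """The syslog.conf line. Solaris syslogd (and some other classic ones) needs a TAB
    between selector and action; spaces are silently ignored, a common failure."""
    return f"{selector}\t@{manager}\n"


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. auth.err -> 35."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def build_rfc3164(facility, severity, hostname, tag, text, timestamp=None):
    """'<PRI>Mmm dd hh:mm:ss host tag: text' with the space-padded day RFC 3164 uses."""
    if timestamp is None:
        t = time.localtime()
        timestamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    line = f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}"
    return line.encode("ascii", "replace")


def send_test_message(manager, datagram, port=514):
    """Fire one UDP datagram at the Manager. UDP gives the sender no acknowledgement,
    so confirm arrival with a Log Search on the console or a packet capture on the Manager."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (manager, port))


if __name__ == "__main__":
    print(forwarding_line("*.err", "192.192.150.150"), end="")
    # constructed test message; uncomment the next line to actually send it
    msg = build_rfc3164("auth", "err", "unixhost1", "EventTrackerTest", "forwarding check")
    print(msg)
    # send_test_message("192.192.150.150", msg)
```

If the test datagram shows up on the console but real messages do not, the selector is the usual culprit: check with selector_matches which facility and priority the missing messages are logged at.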

Q15. I have a trial copy of EventTracker installed and recently completed purchase of the product. How can I update the license information on all monitored systems?

To upgrade the EventTracker license:

1. Open EventTracker Control Panel -> Event Monitoring.
2. Choose the menu option Help -> Upgrade License.
3. Enter the license keys and click OK to save the changes.
4. Restart the Management Console.

To update the license keys on all monitored servers, choose EventTracker Control Panel -> System Manager -> Help -> License -> Update, and apply the new key set to all monitored servers.

Q16. How can we store event data in offline storage? Can this later be retrieved to run reports in EventTracker?

For EventTracker v6.1 and below:

a) Stop and disable the "EventTracker EventVault" service.

b) Move the .cab files from the archives folder to the offline location.
 Note: The archives path can be obtained from EventTracker Control Panel -> EventVault Warehouse Manager -> Configuration.

c) Once all the cabs have been moved, enable and start the "EventTracker EventVault" service.

d) To retrieve offline data, simply move the cabs back to the same archives location.

For EventTracker v6.2 and above:

a) Stop and disable the "EventTracker EventVault" service.

b) Open the EventVault Warehouse Manager from the EventTracker Control Panel.

c) Select all the cabs you want to move to the offline location and click "Move" to proceed.

d) After the move is complete, enable and restart the "EventTracker EventVault" service.

e) Verify by opening EventTracker Control Panel -> EventVault Warehouse Manager and ensure that the moved cabs are shown with the new path.

f) Ensure the account the EventTracker services run as has the permissions it needs on the offline storage location to run reports and extract event data from these archives: read access for reporting and extraction, and write access only if cabs will be moved back. Offline archives are still evidence, so keep the location as tightly controlled as the live archives folder, and re-run the EventVault 'Verify' step (see Q6) on the moved EventBoxes afterwards.
