IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
Processing missed Windows Event Log events
Whenever you have situations that monitor the Windows Event Log and you do not want to lose events that might occur when the Windows OS agent is stopped or situations are stopped, you can set environment variables to process the missed events.
This function is disabled by default. To enable it, set one or more of the following environment variables in the KNTENV file. These environment variables provide a mechanism for you to ensure that the monitoring server and portal server are not flooded with events if the agent is shut down or situations are stopped for long periods of time and then restarted:
- Missed Events by Time Interval
Apply to all event logs:
- NT_LOG_MAX_TIME=x
Apply to each log separately:
- NT_{Event Log Name}_LOG_MAX_TIME=x
Where x is a positive value in minutes:
- x = 0, disabled, do not process missed events while the agent is shut down or a situation is stopped.
- x = 1, process all missed events while the agent was shut down or a situation is stopped.
- x > 1, process all missed events that are within the value specified in minutes.
For example, if x=120, then at startup of the agent, only those events that were received while the agent was shut down or a situation was stopped, and that are within 120 minutes of the current machine time, are processed.
You must specify the exact name of the event log you want to monitor. The Windows Registry Editor lists the event log name as a key in either of two paths:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
The name of the event log is the key listed under the Eventlog or Channels key. For example, the Application event log has the key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Applying the Event Log Name to the environment variable NT_{Event Log Name}_LOG_MAX_TIME requires converting any invalid characters within the Event Log Name to a dash (-). Invalid characters include a space ( ), asterisk (*), pound sign (#), vertical bar (|), backslash (\), forward slash (/), colon (:), quotation mark ("), less than symbol (<), greater than symbol (>), and question mark (?). For example, if the Event Log Name is Microsoft-Windows-TaskScheduler/Operational, then the environment variable to use in the KNTENV file is NT_Microsoft-Windows-TaskScheduler-Operational_LOG_MAX_TIME=x, where x is defined above and the forward slash (/) is changed to a dash (-).
- Missed Events by Maximum Count
Apply to all event logs:
- NT_LOG_MAX_EVTS=x
Apply to each log separately:
- NT_{Event Log Name}_LOG_MAX_EVTS=x
Where x is a positive value specifying a maximum count of events to process.
- x = 0, disabled, do not process missed events while the agent is shut down or a situation is stopped.
- x = 1, process all missed events while the agent was shut down or a situation is stopped.
- x > 1, process missed events while the agent was shut down or a situation is stopped for a maximum of x events.
You must specify the exact name of the event log you want to monitor. The Windows Registry Editor lists the event log name as a key in either of two paths:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels
The name of the event log is the key listed under the Eventlog or Channels key. For example, the Application event log has the key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
Applying the Event Log Name to the above environment variable, NT_{Event Log Name}_LOG_MAX_EVTS, requires converting any invalid characters within the Event Log Name to a dash (-). Invalid characters include a space ( ), asterisk (*), pound sign (#), vertical bar (|), backslash (\), forward slash (/), colon (:), quotation mark ("), less than symbol (<), greater than symbol (>), and question mark (?). For example, if the Event Log Name is Microsoft-Windows-TaskScheduler/Operational, then the environment variable to use in the KNTENV file is NT_Microsoft-Windows-TaskScheduler-Operational_LOG_MAX_EVTS=x, where x is defined above and the forward slash (/) is changed to a dash (-).
Define one or more of the above environment variables with a non-zero value in the KNTENV file, and then restart the Windows OS agent. When the agent is restarted, you will see situation events triggered for Windows Event Log events that were missed because they occurred after the agent or the situation was last stopped.
Both sets of environment variables can be used together. In this way, you can process a maximum number of events received while the agent was shut down or a situation is stopped, along with the time interval that the event must fall within. Any of the environment variables that apply separately to the Windows Event Logs override the environment variables NT_LOG_MAX_TIME and NT_LOG_MAX_EVTS for that specified event log. The processing of missed events for a specific Windows Event Log while a situation is stopped requires that all situations running against the specific Windows Event Log be stopped along with historical data collection for the Event Log group.
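The naming and override rules above, as an added example (not IBM's code): it builds the per-log variable name, reads constructed KNTENV-style lines, flags names whose invalid characters were not converted, and resolves the value that applies to each log. It assumes plain NAME=value lines and that an unset variable behaves as 0; all function names are hypothetical.

```python
import re

# Characters the page lists as invalid in an event log name; each becomes a dash.
INVALID = re.compile(r'[ *#|\\/:"<>?]')
SUFFIXES = ("LOG_MAX_TIME", "LOG_MAX_EVTS")

def env_var_name(log_name, suffix):
    """Build the per-log variable name NT_{Event Log Name}_<suffix>."""
    if suffix not in SUFFIXES:
        raise ValueError("unknown suffix: " + suffix)
    return "NT_" + INVALID.sub("-", log_name) + "_" + suffix

def parse_env(text):
    """Collect NT_*_LOG_MAX_TIME / NT_*_LOG_MAX_EVTS lines with integer values."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = (part.strip() for part in line.partition("="))
        if sep and name.startswith("NT_") and name.endswith(SUFFIXES) and value.isdigit():
            settings[name] = int(value)
    return settings

def unconverted(settings):
    """Names that still contain an invalid character (not in the required form)."""
    return sorted(n for n in settings if INVALID.search(n))

def effective(settings, log_name, suffix):
    """A per-log value overrides the global one; unset is treated as 0 (assumption)."""
    per_log = env_var_name(log_name, suffix)
    if per_log in settings:
        return settings[per_log]
    return settings.get("NT_" + suffix, 0)

def meaning(x):
    """The page's three cases for x."""
    return "disabled" if x == 0 else "all missed events" if x == 1 else "limit %d" % x

# Constructed sample lines; the plain NAME=value format is an assumption.
SAMPLE = """\
NT_LOG_MAX_TIME=120
NT_LOG_MAX_EVTS=500
NT_Security_LOG_MAX_TIME=1
NT_Microsoft-Windows-TaskScheduler/Operational_LOG_MAX_EVTS=50
"""

if __name__ == "__main__":
    cfg = parse_env(SAMPLE)
    print("unconverted names:", unconverted(cfg))
    for log in ("Security", "Application", "Microsoft-Windows-TaskScheduler/Operational"):
        print(log, [meaning(effective(cfg, log, s)) for s in SUFFIXES])
```

In the sample, the TaskScheduler line keeps its forward slash, so the lookup for that log falls back to the global NT_LOG_MAX_EVTS value instead of the intended 50.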