Enriching PATROL Events with More Meaningful Information

  • kb1201
  • Jun. 14, 2017 - Last Update: Dec. 29, 2022
  • 2 min read

How to enrich PATROL events with more meaningful information about the problem.

Best Practice Events PATROL Events

Related Topics

Introduction

Each time a threshold is breached, events are generated by the PATROL Agent (Events of class 11 or 9) and by the Sentry Software’s KMs (STD_41 or specific PATROL events). Because the events generated by the Sentry Software’s KMs provide more information about the problem, it is important to ensure that these events are sent to the TrueSight console.

In this article, you will learn how to enrich the standard PATROL events with the information retrieved by the Sentry Software’s KMs and have these events displayed in the TrueSight console.

Procedure

To enrich PATROL events with the information retrieved by the Sentry Software’s KMs:

  1. Launch wpconfig

  2. Under EventSetup/Format/BiiP3, verify that the class variable is set to PATROL_EV

    Verifying that the class variable is set to PATROL_EV

  3. Under AgentSetup/integration, verify that the ForwardEventsToIS variable is set to yes

    Verifying that events are forwarded to the Integration

  4. Under /EventSetup/Format/BiiP3/catalogs/0/types/41, verify that the active variable is set to 1. This configuration will allow Sentry events to be sent to the cell.

  5. Merge the PATROL_EV events:

    • Create a sentry_close41.mrl file which contains the following code:

        new sentry_close41andspecific_storage :
  PATROL_EV ($NEW)
  where [ $NEW.status != CLOSED AND $NEW.status != BLACKOUT AND ($NEW.p_class within [41,HardwareProblem,ConnectorProblem,Studio,StorageProblem,CollectionProblem] OR $NEW.mc_object_class has_prefix 'SEN_' )]
  updates PATROL_EV ($OLD)
  where [$OLD.status != CLOSED AND $OLD.status != BLACKOUT AND
      $OLD.mc_object == $NEW.mc_object AND
      $OLD.mc_origin == $NEW.mc_origin AND
      $OLD.p_instance == $NEW.p_instance AND
      $OLD.p_origin == $NEW.p_origin]
      within 60
              {
                  $NEW.status = CLOSED;
                  $OLD.msg = $NEW.msg;
              }
  END

    This rule applies to all events generated by Sentry KMs. It uses the msg slot from the Sentry event (p_class=41 or *Problem) and updates the one generated by the Patrol Agent (p_class=11) with its content. It then closes the Sentry event to avoid duplicate events.

    • Save this file in the MCELL_HOME/etc//kb/rules directory

  6. Edit the .load file to indicate that the sentry_close41 rule must be processed before the mcxp rule:

    • Go to MCELL_HOME/etc//kb/rules directory
    • Open the .load file in a text editor
    • Locate the mcxp line
    • Add the sentry_close41 line above the mcxp line

    Adding the sentry_close41 line into the load file

  7. Run the following command to recompile the cell

     mccomp  -n <cellname>

  8. Restart the cell or run this command to reload kb:

    mcontrol  -n <cellname> reload kb
Note We assume at this stage that you already have a rule/policy which propagates PATROL_EV from the IS' to the TSOM's main cell.

PATROL events should now be enriched with the information retrieved by the Sentry Software’s KMs as illustrated below:

PATROL Events enriched with Sentry Software&rsquo;s KMs information

Best Practice Events PATROL Events