EventWatcherd
The Oracle Communications Unified Assurance Event Watcher Custom Correlation Engine is a digital pair of eyes that monitors the event stream for certain events within a specified time period and it performs basic event correlation. Watcher uses the defined policies to read the event database, and can then do one of the following if the configured threshold is breached:
-
Create a new event using a meta event template.
-
Send a notification via syslog, trap or email.
Unified Assurance has the following Watcher Policies by default:
-
Missing Syslog Heartbeat - This policy is configured to monitor for syslog messages received, and if no messages have been inserted in the last 15 minutes, a synthetic event is generated using a meta event template.
-
Login Failure x3 - This policy is configured to monitor for login failure events, and if there are 3 or more for a single device in the last 15 minutes, a synthetic event is generated using a meta event template.
You can run this application as a service using the Services UI.
Watcher Custom Correlation Engine Setup
The following steps show how to create a Watcher Policy to monitor for chosen events:
-
Add Watcher Policies or modify existing Watcher Policies:
-
Enable the default Service, unless a specific configuration option is needed.
Default Service
The following table shows the settings for the default service. Actual values are in bold, descriptions of values are in plaintext.
| Field | Value |
|---|---|
| Package | coreProcessing-app |
| Name | Event Watcher |
| Program | bin/core/processing/EventWatcherd |
| Arguments | This field is blank. There is no default value. |
| Description | Watcher Daemon that correlates custom policies as customer defined |
| Failover Type | Standalone (Supported: Standalone, Primary, Redundant/Backup) |
| Status | Disabled |
| Privileged | This option is selected. |
See Services in Unified Assurance User's Guide for general information about the settings for services.
See Using Application Primary/Backup Failover for more information about the different failover types.
Default Configuration
The following table shows the default configurations for the application. Actual values are in bold, descriptions of values are in plaintext.
| Name | Default Value | Possible Values | Notes |
|---|---|---|---|
| CheckTime | 900 | An integer | How often (in seconds) the application checks for new and removes old policies. |
| LogFile | logs/EventWatcher.log | Text, 255 characters | The relative path to the log file. |
| LogLevel | ERROR | OFF, FATAL, ERROR, WARN, INFO, DEBUG | The logging level for the application. |
| ShardID | 1 | An integer | Events database shard to run query on. 0 to run and check threshold on all shards individually. NOTE: Any violation Meta Events will be inserted into the same shard that triggered it. |
| Threads | 5 | An integer | Number of process threads created. |
Supported Meta Event/Notification Tokens
The following table shows the supported meta event tokens.
| Keyword | Description |
|---|---|
$WATCHERID |
Watcher policy ID |
$TIME |
UTC epoch |
$TIMESTAMP |
UTC epoch |
$TIMESTAMP_TEXT |
Long local timestamp |
$DATE_TEXT |
Long local timestamp |
$NAME |
Watcher policy name |
$FIELD |
Watcher policy aggregated Alarm field |
$METRIC |
Watcher policy aggregate metric (e.g. SUM, COUNT, etc) |
$OPERATOR |
Watcher policy compare operator |
$THRESHOLD |
Watcher policy threshold value |
$VALUE |
Aggregated value |
$GROUPBY |
Watcher policy Group By list |
$POLLTIME |
Watcher policy poll time (in seconds) |
$EVENTS |
Comma separated list of grouped alarm IDs that crossed threshold |
$SEVERITY_TEXT |
Severity{Clear, Unknown, Warning, Minor, Major, Critical} |
$EVENTID |
Meta Event ID that generated this alarm - Meta Event actions only |
$SHARDID |
ShardID generated from |
$NOTIFYPROFILEID |
Notification Profile ID that generated this message - Notification actions only |
$NOTIFYTEMPLATEID |
Notification Template ID that generated this message - Notification actions only |
<AlarmField> |
Alarm field information from the most recent matching alarm, where 'AlarmField' is the field to use from the Alarm table (e.g. \<EventID>, \<FirstReported>, \<Count>, etc). |
Administration Details
The following list shows the technical details you will need for advanced administration of the application:
-
Package: coreProcessing-app
-
Package:
./EventWatcherd [OPTIONS] -
Options:
-c, --AppConfigID N AppConfigID => Application Config ID (Service, Job, or Request ID) -?, -h, --Help Print usage and exit -
Threaded: Multithreaded