Event Log Monitoring using CCMS Agents
Do you need to automate and centralize the monitoring you do for critical system events occurring on distributed Microsoft Windows hosts? Well, now you can: the latest CCMS agents enable you to monitor Windows event logs across your landscape and report any alerts to your central monitoring system:
- In case of problems, the MS Windows application or the system itself reports error messages into the Windows event log.
- An SAP CCMS agent scans the event log and reports the error messages to the central monitoring system CEN.
This blog describes how to set up and configure SAP CCMS agents to monitor Microsoft Windows event logs.
- SAPCCM4X or SAPCCMSR, as appropriate, is running on the host where you want to monitor the Windows event log.
- The agent release is Patch Collection 2005/3 or later. You can determine the release of the agent using the option -v, e.g. sapccmsr -v. If you need a new agent, see http://help.sap.com/saphelp_nw2004s/helpdata/en/ca/118110ff542640b7c86b570cc61ae3/frameset.htm.
For more information see CCMS Agents: Features, Installation, and Operation (https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/d724f879-0901-0010-219b-af6665b95fee).
First let me introduce the Windows Event Viewer (you find it in Start -> Control Panel -> Administrative Tools -> Event Viewer):
Keep in mind that events are grouped into event types (Application, Security, and System) and, within each type, by event source.
Let’s assume that we are running a CCMS agent SAPCCMSR on the host where we want to centrally monitor the event log, and that the agent is registered to a central monitoring system.
To activate the event log monitoring, you have to set some parameters in the configuration file of the agent, sapccmsr.ini. You find the file in the working directory of the agent; for the host agent SAPCCMSR on a Windows host, this is by default [drive]:\usr\sap\prfclog\sapccmsr:
Open sapccmsr.ini and enter the following parameters:
| Parameter | Meaning |
| --- | --- |
| EventLogMon On | activates the event log monitoring on the Microsoft Windows host of the CCMS agent |
| EventLogMon <file path> | specifies an event log template that contains additional configuration settings for the event log monitoring; by default, all event sources and all of their event types are monitored |
| EventLogResolveMessages On | activates the complete resolution of the event log messages, that is, a more exact description of the event is obtained using additional Microsoft Windows system calls and transferred to CEN; this means that you obtain more exact information at the cost of performance |
In our example:
- We only want to monitor events of event type System and Application. That’s the reason why we have to create the two event log templates in the screenshot above. The first template EvtLogTemplate1.ini is very simple:
It says that we want to monitor the application log (and about the monitoring details, we stick to the defaults). EVENTLOG_TEMPLATE is the keyword for the beginning of the configuration area, and the period (.) marks the end of it.
Now let’s create the second template:
OK, it seems we want to monitor the system log as well (and we are not interested in the security log). But here, we differentiate between different sources:
- Events from the source Print always have the color GREEN in the Monitoring Infrastructure, regardless of their weighting in the Event Viewer.
- Events from all other sources (<ALL>) have the same weighting in the Monitoring Infrastructure as in the Event Viewer.
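Before restarting the agent, it helps to confirm that sapccmsr.ini activates the monitoring and that every referenced template is framed by EVENTLOG_TEMPLATE and a closing period. The following check is an added example, not SAP code or part of the original blog; it assumes whitespace-separated parameter lines with case-insensitive names, treats the settings inside a template as opaque, and runs on constructed sample files (the drive letter and the name EvtLogTemplate2.ini are made up).

```python
# Added example, not SAP code. Assumed: "Name Value" lines, case-insensitive names.
def parse_agent_ini(text):
    """Return (monitoring_on, template_paths) read from sapccmsr.ini text."""
    on, templates = False, []
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "eventlogmon":
            value = parts[1].strip()
            if value.lower() == "on":
                on = True
            else:
                templates.append(value)  # anything but "On" is a template path
    return on, templates

def check_template(text):
    """List framing errors: each block runs from EVENTLOG_TEMPLATE to a lone '.'."""
    problems, opened = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "EVENTLOG_TEMPLATE":
            if opened is not None:
                problems.append(f"line {no}: block from line {opened} not closed")
            opened = no
        elif line == ".":
            if opened is None:
                problems.append(f"line {no}: '.' without EVENTLOG_TEMPLATE")
            opened = None
        elif line and opened is None:
            problems.append(f"line {no}: text outside a template block")
    if opened is not None:
        problems.append(f"line {opened}: block never closed with '.'")
    return problems

def lint(ini_text, files):
    """files maps template path -> file content (read from disk in real use)."""
    on, paths = parse_agent_ini(ini_text)
    findings = [] if on else ["EventLogMon On missing: monitoring not activated"]
    if on and not paths:
        findings.append("no template: all sources and event types monitored")
    for p in paths:
        found = check_template(files[p]) if p in files else ["template file not found"]
        findings += [f"{p}: {m}" for m in found]
    return findings

# Constructed sample input; "<settings>" stands in for the real template settings.
DIR = "C:\\usr\\sap\\prfclog\\sapccmsr\\"
T1, T2 = DIR + "EvtLogTemplate1.ini", DIR + "EvtLogTemplate2.ini"
INI = f"EventLogMon On\nEventLogMon {T1}\nEventLogMon {T2}\n"
FILES = {T1: "EVENTLOG_TEMPLATE\n<settings>\n.\n", T2: "EVENTLOG_TEMPLATE\n<settings>\n"}
```

In real use, read sapccmsr.ini and each template from the agent's working directory and pass their contents to lint; an empty result means the framing is consistent.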
We’ve changed the configuration file sapccmsr.ini and created the necessary event log templates. Now these changes need to be introduced to the agent. This is simple: just restart the service of the agent SAPCCMSR.99 (to do so, choose Start -> Control Panel -> Administrative Tools -> Services):
That’s it! Now log on to the central monitoring system, and start transaction RZ20 (the Alert Monitor):
You find the nodes of the event log monitoring in the operating system tree, so you could for example start the monitor Operating System:
P108494 is the host where we’ve just configured the event log monitoring. You see only two sub-trees, System and Application (that’s what we defined in the event log templates; without these templates, the default configuration would have applied, i.e. all three sub-trees reflecting the three event types).
Every sub-tree contains a message log attribute called Event Log Entries. It contains the events of the corresponding event type; by default, the alert color is taken from the weighting, or seriousness, of the event:
| Weighting of the Event | Alert Color |
| --- | --- |
| information | green |
| warning | yellow |
| error | red |
In this example, however, we overrode this default setting in the System event type. To check that, select Event Log Entries and choose the Details pushbutton:
You can see that the events from the source Print are green, although the corresponding event represents a warning:
And one last thing: you can build your own monitor in the Monitoring Infrastructure with the event log nodes. To build a rule-based monitor, you just need the MTE class of the nodes. To see them, choose Views -> Info on MTE from the menu:
The standard MTE class for the event log objects is CcmsEventLogCL; however, you can set another name by using the parameter MTE_Class in an event log template (which we did not do).
If you need more information about creating your own rule-based monitor, see Federico Babelis’ weblog CCMS Rule Based Monitors configuration guide for Dummies (https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3553).
Congratulations! Now you have activated and configured the event log monitoring in the CCMS Monitoring Infrastructure using CCMS agents.