How do I create a logfile adapter to read UNIX application logfiles?

First, create a format file for your application. Note that you must have a default Sun syslog or AIX errpt logfile adapter deployed before you can do this, and you will need to do some scripting to install your application LFA in a different location. If you fail to do this, the application LFA will break your syslog adapter.

Define a base event class if you have multiple event formats with common attributes:

FORMAT Nortel_IVR_Base
%s %t <%s> %s %s*
hostname "HSTNAME"
sub_origin "N/A"
adapter_host "EPLABEL"
date $2
origin DEFAULT
sub_system $3
error_code $4
msg $5
END

Then begin defining your events:

// Sat Aug 17 10:55:56 <KmnPin> 91003 Line 25 Host 1 Severity 8 Vps 1
FORMAT Nortel_IVR_Error FOLLOWS Nortel_IVR_Base
%s %t <%s> %s Line %s Host %s Severity 8 %s*
-line_number $5
-host_number $6
vps_number $7
msg PRINTF("<%s> %s Line %s %s", sub_system, error_code, line_number, vps_number)
END

Note the dashes "-" before some of the slots. These signify event slots that are used locally and are not present in the BAROC file.

Create your Adapter Configuration Profile
Select the adapter type - a default AIX or Solaris type will do.

In the "Filters" tab, create your event filters.

000 Class=Nortel_IVR_Base
001 Class=Nortel_IVR_Error

In the "Environment" tab, set your keywords

AdapterErrorFile=/usr/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/IVR_Logfile/etc/tecad_logfile.err
BufEvtPath=/usr/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/IVR_Logfile/tecad_logfile.cache
BufferEvents=YES
MaxEventSize=4096
FilterMode=IN
LogSources=/opt/vps/vps33/log/alarm.log
PollInterval=30
ServerLocation=@EventServer

Note the use of the FilterMode keyword. FilterMode=IN will only process events are present in the event classes in the "Filters" tab. The default behavior is FilterMode=OUT.

If you have multiple logs, you must specify the full path to each logfile, separated by commas with no spaces in between.

In the "Actions" tab for the "Before" actions I do a little scripting in the adapter to create the LFA install directory and copy the necessary LFA binaries to the new LFA install directory.

TECADHOME=/usr/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/IVR_Logfile
export TECADHOME
mkdir -p $TECADHOME/etc
mkdir -p $TECADHOME/bin
unset CHILD_OF_OSERV
cp $LCF_DATDIR/../../bin/solaris2/TME/TEC/adapters/bin/* $TECADHOME/bin
$TECADHOME/bin/init.tecad_logfile -s stop IVR_Logfile

Note:
You must use the "-s" switch in the adapter stop command to let the adapter know NOT to create a pipe to syslogd! If you don't, you'll break your syslog adapter.

Ok, here's where it gets tricky. In the "After" actions, we define some variables, then use sed to insert those variables into a temporary format file, then compile the temp format file and the finished format file:

TECADHOME=/usr/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/IVR_Logfile
export TECADHOME
unset CHILD_OF_OSERV
REALNAME=`hostname`
export REALNAME
/usr/bin/sed -e "s/HSTNAME/$REALNAME/g" $TECADHOME/etc/tecad_logfile_IVR.fmt > $TECADHOME/etc/tecad_logfile.fmt.tmp
/usr/bin/sed -e "s/EPLABEL/${ACPEP_NAME}/g" $TECADHOME/etc/tecad_logfile.fmt.tmp > $TECADHOME/etc/tecad_logfile.fmt
logfile_gencds $TECADHOME/etc/tecad_logfile.fmt > $TECADHOME/etc/tecad_logfile.cds
$TECADHOME/bin/init.tecad_logfile -s start IVR_Logfile

Again, make sure you're using the "-s" switch on the adapter start command.

The reason for all of this scripting is to ensure that if the hostname differs from the endpoint lable, we can tell that when we look at the event. This is helpful in clustered or HACMP configurations where you may have multiple endpoints installed.

In the "Distribution" tab, tell the adapter where it's going to get its format and error files from:

tecad_logfile.err=FQDN:/usr/Tivoli/bin/generic_unix/TME/ACF_REP/tecad_logfile.err
tecad_logfile_IVR.fmt=FQDN:/usr/easm/dev/adapter/IVR_Logfile/tecad_logfile_IVR.fmt

In the "General" tab, set the install location for the adapter's configuration files:

Install dir: /usr/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/IVR_Logfile/etc

Config file: tecad_logfile.conf

Make sure your event class is added to a new or existing BAROC file. Compile your rulebase and bounce the TEC server.

Save your adapter and distribute. That is, after you've added your subscribers.