ECS Designer

HP OpenView Event Correlation Services (ECS) Designer is a powerful product that offers customers sophisticated capabilities to create customized rules for specific Network Node Manager (NNM) or HP OpenView Operations event correlation requirements. The graphical user interface of ECS Designer makes the complex process of event correlation design intuitive and user-friendly.

The designer provides the interface for the compiling ECS raw circuit files (.ecs files) into compiled curcuits (.eco files) that can be loaded into the ECS runtime engine.

The ECS designer is not requred to load compiled ECS curcuits (.eco files) into the runtime engine.

ECS components

• the ECS engine The ECS Engine, the run-time component of the event subsystem, transforms and processes event streams according to the installed correlations. The engine comes for free with every Network Node Manager and Operations product, enabling out-ofthe- box correlation. ECS gives you the flexibility to correlate messages of different event types, such as SNMP, ASCII and events from every Operations message source. These events are processed and displayed in a single, consistent format, independent of event type. Furthermore customers can also integrate other correlation applications and use them as an additional information resource or use them to execute commands as part of the event processing.
• the ECS designer The ECS Designer, which includes both correlation design and simulation modes, is an easy-to-use GUI that offers a highly productive, intuitive paradigm to build correlations simply by interconnecting correlation node primitives. When the correlation is defined, the ECS Designer can be switched to simulate mode. In this mode, events can be input into the correlation to allow visualization of the flow of events through the system. By using log file events customers can take advantage of simulating real live scenarios within their environment. Various techniques are used to feedback data about the correlation circuit. Events can be input in various configurations, to step by a particular event, by time, at selectable speeds, or until a breakpoint. Furthermore, the status of each node can be examined at any time, all leading to a rich test and debug environment.

[Oct 14, 2010] Course Title : UC342S Managing Events with NNM 7.x, Operations Manager for Unix and ECS Composer - Software Version C.00

HP Product Number : UC342S

This advanced course focuses on the management and reduction of events detected by Network Node Manager (Unix or Windows) and Operations Manager for Unix ( HPOM ). It describes strategies for distributing SNMP traps between NNM and HPOM management systems, and for capturing syslog events.

Techniques for reducing the events seen by NNM and HPOM users are studied. Labs provide hands-on practice correlating events, using ECS Composer with both NNM and HPOM . This course is for those with experience using NNM or HPOM as event capture and configuration tools.

Audience

• HP Software Customers: NNM and HPOM administrators, system and network administrators, architects and planners

• HP Software Channel Partners, NNM and HPOM consultants: system architects, integrators, and planners

• HP Software Engineers involved in pre-sales and post-sales

Prerequisites

• Experience administering NNM or Operations Manager for Unix with EITHER of the following courses:

• HP Operations Manager for UNIX 1 (Administration) (H4356S)

• HP Network Node Manager 7.x for Windows and UNIX 1: Essentials of Use and Administration

(B4743/Unix or H1662/Windows UC340/combined)

Course Objective

After completing this course you will be able to:

• Configure monitoring and response to SNMP traps received by either NNM or Operations

• Capture syslog events using either HPOM or NNM

• Describe the techniques used to distribute SNMP traps in a mixed NNM and HPOM environment

• Select the most appropriate technology to reduce browser “noise”

• Correlate events from multiple sources into a single meaningful event

[Oct 14, 2010] ECS Composer Instructions

ECS Composer Instructions (updated 04-21-2006)

1. To create ECS Composer template on Mgt Server (already done on hbrpsums01d6)
   1. Requires: /var/opt/OV/share/tmp/OpC_appl/comp
   2. Upload template: opccfgupld comp
   3. Fact store must exist: /var/opt/OV/conf/OpC/mgmt_sv/ecs_comp.fs (copy from other server)
   4. Assign Composer Circuit to Mgt Server: Actions->Server->AssignTemplate
   5. Run circuit on Mgt Server: Actions->Server->Install/Update Templates (starts opcecm)
2. To create or edit Correlation store
   1. Make sure you are running the Hummingbird Window Manager

1.      Start-> Programs-> Hummingbird Connectivity 7.0-> Exceed -> Tools -> HWM

2. Open ecs composer in developer mode: /opt/OV/bin/ovcomposer –m d
3. Save Correlation store in /etc/opt/OV/share/conf/ecs/CIB/OpC
4. New Correlation store will be saved with a .fs extension (fact store)
5. Edit NameSpace.conf in that directory to add new Correlation Store
2. To deploy Correlation store
   1. Deploy in ovcomposer –m o does not work, use command line
   2. /opt/OV/bin/csdeploy.ovpl -p /etc/opt/OV/share/conf/ecs/CIB/OpC/deploy.conf
3. Activate Correlation store (not sure if deploy does this or not)
   1. Run: /opt/OV/bin/ecsmgr –i 11 –update \

ecs_comp /var/opt/OV/conf/OpC/mgmt_sv/ecs_comp.fs

2. Check: /opt/OV/bin/ecsmgr –i 11 –info or /opt/OV/bin/ecsmgr –i 11 –fact_dump
4. IMPORTANT UPDATE (when things get screwed up)
   1. If you are unable to load a factstore execute the following:

1.      /opt/OV/bin/ecsmgr -i 11 -disable ecs_comp

2.      /opt/OV/bin/ecsmgr -i 11 -circuit_reload ecs_comp \ /var/opt/OV/conf/OpC/mgmt_sv/ecs_comp.eco 0 ecs_comp

3.      /opt/OV/bin/ecsmgr -i 11 -enable ecs_comp

4.      /opt/OV/bin/ecsmgr -i 11 -update ecs_comp \ /var/opt/OV/conf/OpC/mgmt_sv/ecs_comp.fs

6. ANOTHER IMPORTANT UPDATE (severity number changes)
   1. 4          Unknown
   2. 8          Normal
   3. 16        Warning
   4. 32        Critical
   5. 64        Minor
   6. 128       Major
7. FYI
   1. From the ecsmgr man page:

     -instance <instance>

               Identifies a particular engine instance when there

               are multiple instances on a host system.

               The default for this option is -instance 1.

               pmd:   The  pmd-linked  correlation  engine  is

                         always instance 1.

               HPOM :  The  HPOM   Server   -linked   correlation

                         engine is always instance 11.

                         The HPOM Agent -linked correlation engine

                         is always instance 12.

8. To Create & activate Correlation store on Agent
   1. Assign & Deploy ECS Composer template to agent
   2. Edit: ENGING_INSTANCE=12 in /etc/opt/OV/share/conf/ecs/CIB/OpC/deploy.conf
   3. /opt/OV/bin/ecsmgr –i 12 –fact_update ecs_comp /var/opt/OV/conf/OpC/ecs_comp.fs

Managing Events with NNM 7.x, Operations Manager for Unix and ECS Composer

Instructor-Led Training

Detailed Course Outline

Overview

• · Event Management Objectives
• · What is an Event?
• · HPOM and NNM technologies
• · Event Reduction techniques

Configuring Events and Alarms in NNM

• · Event Subsystem and Processing
• · Event Envelope and Contents
• · Creating and Modifying Event Configurations

Overview System and Application Monitoring

• · Message Sources and Processing Flow
• · General Configuration Steps
• · Message Source Templates Window
• · Organizing Templates with Template Groups
• · Copying Templates
• · Assigning and Distributing Templates

Monitoring Logfiles

• · Applications, Systems, and Log Files
• · The HPOM Logfile Encapsulator
• · Log File Template Configuration

Discriminating between Log Messages

• · Message Condition Types
• · Message Processing on the Managed Node
• · Message and Suppress Conditions
• · Variables Used in Templates

Pattern Matching

• · HPOM Pattern Matching
• · Pattern Matching Expressions and Rules
• · Extract Variable Assignment
• · The Pattern Matching Tester - opcpat

Message Interceptor and opcmsg

• · Message Interceptor
• · Message Template and Condition Configuration
• · Using opcmsg with -option

SNMP Trap Interceptor

• · SNMP Traps
• · SNMP Template Configuration
• · SNMP Trap Condition Example

Configuring Event Forwarding

• · Distributed Event Monitoring
• · What Events Should Be Forwarded?
• · Configuring Event Forwarding
• · Forwarding Threshold Events
• · Forwarding and Correlation

Distributed SNMP Trap Management

• · HPOM Distributed Event Interception
• · Using ovtrap2opc
• · SNMP Trap Interceptor on the Management Server
• · Distributed Event Interception - Benefits and Configuration
• · Avoiding Duplicate Messages

Configuring syslog Messages for SNMP

• · Converting syslog Messages to SNMP Traps
• · Configuration Prerequisites and Overview
• · NNM syslog Main GUI
• · Extract Patterns and Variable Assignment
• · Sending an SNMP Message on a Condition
• · Suppressing a syslog Pattern
• · The Syslog to NNM Template
• · Modifying or Adding Conditions and Varbinds
• · Deploying and Testing
• · syslog and Overlapping IP Addresses

Introduction to Event Correlation

• · Goal of Event Reduction
• · Deploying Event Reduction
• · Event Reduction Techniques
• · Event Correlation Services
• · HPOM Message Strem Interface and ECS
• · ECS in NNM
• · Composer: the ''Super'' Circuit
• · Developing Event Correlation

HPOM Message Reduction

• · Message Reduction in HPOM
• · Duplicate Message Suppression on the Manager and Agent
• · Creating Duplicates with Message Keys
• · What is a ''State-Based'' Browser
• · Message Key Relations

Correlating HPOM Messages with ECS and Composer

• · Event Correlation Service in HPOM
• · Event Correlation on the Managed Node
• · Management Server Architecture
• · Event Correlation in HPOM with Designer
• · Configuring a Template for use by ECS
• · Deploying the ECS Agent Template
• · Enabling the Server MSI
• · Using hp OpenView Correlation Composer

Configuring NNM Event Correlation

• · ECS Configuration Files
• · The ECS Event Configuration GUI
• · Enabling and Disabling Correlations
• · Composer: Configuring NNM-Shipped Correlators
• · Modifying Event Correlations and Parameters
• · netmon Accelerated Polling
• · Connector Down Correlation
• · Configuring Secondary Failure Options
• · ConnectorDown Correlation with NNM Extended Topology
• · PairWise Event Correlation and Pattern Delete
• · Repeated Events Correlation and Event De-Duplication
• · ovtrapd Event Blocking (UNIX Only)
• · Scheduled Maintenance Correlation
• · Copying a Correlation

Introduction to Composer Development

• · Correlator Evaluation and Development Process
• · Composer User Interface Modes
• · Starting the Composer Developer Interface
• · Setting the Event Type
• · Selecting a Template
• · Opening a Correlator Store
• · Exclusive Access to Correlator Stores for NNM
• · Development and Runtime Correlator Stores - HPOM
• · Configuring a NameSpace (NNM only)
• · Configuring the Security and Deployment Files (NNM only)
• · Deploying Correlators

Creating a Basic Correlator

• · Composer Roadmap
• · Suppress Correlator Template
• · Creating a Correlator
• · Select Incoming Events
• · Alarm Signature
• · Operators
• · Suppress Example
• · Event Contents and Varbinds

Using Variables in Correlators

• · Variable Types and Scope
• · Advanced Filters
• · Configuring a Lookup Variable
• · Editing the Data Store
• · Extract Variable Assignment and Definition
• · Creating a Combine Variable
• · Enhance Correlator Template
• · New Event Creation

Using Additional Correlators

• · Multiple Events
• · Message Key s
• · Automatic Variables
• · Repeated, Rate, and Transient Correlator Templates

Relating Events from Multiple Sources

• · Multi-Source Correlator Template
• · Set Definition
• · MultiSource Examples

Using Callbacks and Built-In Functions

• · Variables that Access Functions
• · Variable and Function Evaluation
• · Callbacks
• · Passing Parameters to Functions
• · Built-In Functions
• · Keys and Functions
• · getbyIndex to Access Multiple Return Values
• · Load Perl or C Library

Combining Correlators

• · Suppress and Multi-Source Examples
• · The Combined Impact
• · Advanced Function Example
• · Concept of Feedback
• · Composer Event Flow

Best Practices, Tools and Information

• · Migrating, Viewing, or Merging Correlator Store Files (NNM only)
• · Analyzing, Capturing, and Replaying Events (NNM only)
• · Tracing Events and Function Debugging

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019