Discussion:
[ITM6] [OmniBus] Netcool OMNIbus Logfile Agent
Zhytkou, Yury
2010-07-16 18:14:47 UTC
Permalink
To everyone that considers using KLO agent - the ITM6-based "Netcool
OMNIbus Logfile Agent" that can use the good old .fmt and .conf files
from tecad_logfile ...



Approach with caution :-)



This thing does not work for logs that are a bit more "complex" than
echo "`date` :: my awesome log record" >> myawesome.log

Example where it fails miserably so far is log4j logs usually produced
by various Java App servers.

Agent crashes, when it does not crash - it maps random parts and pieces
of the log record to random event attributes, etc - it is all over the
place.

While the same format file works perfectly fine matching the exact same
records from exact same logs when used with old tecad_logfile.
From what I have seen in agent trace logs - it looks like it is actually
not using same code as tecad_logfile (that also could explain why KLO
agent does not need and does not compile .cds file from .fmt file) ...
and instead tries to fake it by translating FORMAT records from .fmt
into regex. While I see nothing wrong with that approach in general, I
wonder if IBM _really_ tested all possible scenarios with all possible
.fmt file syntax tags, especially in cases where you need to escape
"special" characters like ( [ { and others ... both in format definition
and in the content of log record.



Oh, and a have a great weekend! :-)

Yury Zhytkou
Sr IT Engineer | T&O Systems Management and Automation Services
TIAA-CREF | Financial Services for the Greater Good

8625 Andrew Carnegie Blvd, F1-03
Charlotte, NC 28262
Office: 704.988.3274
Mobile: 704.516.1703
yzhytkou-YwIA+KEzWU8/11+***@public.gmane.org <mailto:yzhytkou-YwIA+KEzWU8/11+***@public.gmane.org>



IBM Tivoli Certified



ITIL Foundation Certified






********************************************************************************************
This e-mail may contain confidential or privileged information. If you are not the intended recipient, please notify the sender immediately and then delete it.

TIAA-CREF
********************************************************************************************
Lister, Craig
2010-07-16 22:07:07 UTC
Permalink
Hi Yury

On the ball, as usual, thanks for the heads up ;-)


Rgds, Craig
________________________________________
From: tme10-bounces-***@public.gmane.org [tme10-bounces-***@public.gmane.org] On Behalf Of Zhytkou, Yury [YZhytkou-YwIA+KEzWU8/11+***@public.gmane.org]
Sent: Saturday, July 17, 2010 4:14 AM
To: Discussion list for Tivoli product and Tivoli Ready products.
Subject: [TME10] [ITM6] [OmniBus] Netcool OMNIbus Logfile Agent

To everyone that considers using KLO agent – the ITM6-based “Netcool OMNIbus Logfile Agent” that can use the good old .fmt and .conf files from tecad_logfile 


Approach with caution ☺

This thing does not work for logs that are a bit more “complex” than echo “`date` :: my awesome log record” >> myawesome.log
Example where it fails miserably so far is log4j logs usually produced by various Java App servers.
Agent crashes, when it does not crash – it maps random parts and pieces of the log record to random event attributes, etc – it is all over the place.
While the same format file works perfectly fine matching the exact same records from exact same logs when used with old tecad_logfile.
From what I have seen in agent trace logs – it looks like it is actually not using same code as tecad_logfile (that also could explain why KLO agent does not need and does not compile .cds file from .fmt file) 
 and instead tries to fake it by translating FORMAT records from .fmt into regex. While I see nothing wrong with that approach in general, I wonder if IBM _really_ tested all possible scenarios with all possible .fmt file syntax tags, especially in cases where you need to escape “special” characters like ( [ { and others 
 both in format definition and in the content of log record.
Oh, and a have a great weekend! ☺

Yury Zhytkou
Sr IT Engineer | T&O Systems Management and Automation Services
TIAA-CREF | Financial Services for the Greater Good

8625 Andrew Carnegie Blvd, F1-03
Charlotte, NC 28262
Office: 704.988.3274
Mobile: 704.516.1703
yzhytkou-YwIA+KEzWU8/11+***@public.gmane.org<mailto:yzhytkou-YwIA+KEzWU8/11+***@public.gmane.org>


IBM Tivoli Certified
[cid:image001.gif-***@public.gmane.org]

ITIL Foundation Certified
[cid:image002.jpg-***@public.gmane.org]




********************************************************************************************
This e-mail may contain confidential or privileged information. If you are not the intended recipient, please notify the sender immediately and then delete it.

TIAA-CREF
********************************************************************************************



************************************************************************************************
DISCLAIMER

Confidential Communication: This email and any attachments are intended for the addressee(s)
only and are confidential. They may contain legally privileged or copyright material. If you
are not the intended recipient, please contact the sender immediately by reply email and
delete this email and any attachments. You must not read, copy, use, distribute or disclose
the contents of this email without consent and Harvey Norman Holdings Limited ACN 003 237 545
(and its related subsidiaries) (“Harvey Norman”) does not accept responsibility for any
unauthorised use or reliance on the contents of this email.

Harvey Norman does not represent or warrant that the integrity of this email has been maintained
or that it is free from errors, viruses, interceptions or interference. Any views expressed by
the sender do not necessarily represent the views of Harvey Norman.

This notice should not be removed from this email.
************************************************************************************************
Zhytkou, Yury
2010-07-27 13:25:26 UTC
Permalink
Update for anyone interested:

1) IBM is indeed trying to emulate original tecad_logfile code with brand new code using regex (translating FORMAT definitions in .fmt file into regex first)
2) Even with "fixed" libraries it does not work. The agent does not crash anymore, but still does not match properly. IBM's L3 excuse this time - "it's having trouble with the blank lines between the records in the log sample"

So, we are abandoning Netcool OMNIbus Logfile Agent for now with a simple rationale that goes like this:

The test cases we have work perfectly for tecad_logfile; KLO agent is advertised as shoe-in replacement for tecad_logfile; therefore KLO agent MUST behave exactly the same way as tecad_logfile in everything related to parsing/matching logs. While the approach of using regex emulation is OK in general, if you do not do it flawlessly, please do not do it at all.

Your mileage may wary, but so far it looks like a total failure.

Yury Zhytkou
Sr IT Engineer | T&O Systems Management and Automation Services
TIAA-CREF | Financial Services for the Greater Good

8625 Andrew Carnegie Blvd, F1-03
Charlotte, NC 28262
Office: 704.988.3274
Mobile: 704.516.1703
yzhytkou-YwIA+KEzWU8/11+***@public.gmane.org

-----Original Message-----
From: tme10-bounces-***@public.gmane.org [mailto:tme10-bounces-33AaDErTWvCs9+***@public.gmane.orgom] On Behalf Of Lister, Craig
Sent: Friday, July 16, 2010 6:07 PM
To: Discussion list for Tivoli product and Tivoli Ready products.
Subject: RE: [TME10] [ITM6] [OmniBus] Netcool OMNIbus Logfile Agent

Hi Yury

On the ball, as usual, thanks for the heads up ;-)


Rgds, Craig
________________________________________
From: tme10-bounces-***@public.gmane.org [tme10-bounces-***@public.gmane.org] On Behalf Of Zhytkou, Yury [YZhytkou-YwIA+KEzWU8/11+***@public.gmane.org]
Sent: Saturday, July 17, 2010 4:14 AM
To: Discussion list for Tivoli product and Tivoli Ready products.
Subject: [TME10] [ITM6] [OmniBus] Netcool OMNIbus Logfile Agent

To everyone that considers using KLO agent – the ITM6-based “Netcool OMNIbus Logfile Agent” that can use the good old .fmt and .conf files from tecad_logfile 


Approach with caution ☺

This thing does not work for logs that are a bit more “complex” than echo “`date` :: my awesome log record” >> myawesome.log
Example where it fails miserably so far is log4j logs usually produced by various Java App servers.
Agent crashes, when it does not crash – it maps random parts and pieces of the log record to random event attributes, etc – it is all over the place.
While the same format file works perfectly fine matching the exact same records from exact same logs when used with old tecad_logfile.
From what I have seen in agent trace logs – it looks like it is actually not using same code as tecad_logfile (that also could explain why KLO agent does not need and does not compile .cds file from .fmt file) 
 and instead tries to fake it by translating FORMAT records from .fmt into regex. While I see nothing wrong with that approach in general, I wonder if IBM _really_ tested all possible scenarios with all possible .fmt file syntax tags, especially in cases where you need to escape “special” characters like ( [ { and others 
 both in format definition and in the content of log record.
********************************************************************************************
This e-mail may contain confidential or privileged information. If you are not the intended recipient, please notify the sender immediately and then delete it.

TIAA-CREF
********************************************************************************************
Loading...