Setting up event forwarding to syslog, remote SNMP manager, email, and other event services

You can create and enable up to 20 remote event recipients to receive events.

Before you begin

The following protocols are supported:
  • Azure Log Analytics. Lenovo XClarity Administrator forwards the monitored events over the network to Microsoft Azure Log Analytics.

  • Email. Lenovo XClarity Administrator forwards the monitored events to one or more email addresses using SMTP. The email contains information about the event, the host name of the source device, and links to the Lenovo XClarity Administrator web interface and Lenovo XClarity Mobile app.

  • FTP. Forwards monitored events over the network to an FTP server.

  • REST. Lenovo XClarity Administrator forwards the monitored events over the network to a REST Web Service.

  • SNMP. Lenovo XClarity Administrator forwards the monitored events over the network to a remote SNMP manager. SNMPv1 and SNMPv3 traps are supported.

    For information about the management information base (MIB) file that describes the SNMP traps that Lenovo XClarity Administrator generates, see the lenovoMgrAlert.mib file.

  • Syslog. Lenovo XClarity Administrator forwards the monitored events over the network to a central log server where native tools can be used to monitor the syslog.

To forward email to a web-based email service (such as Gmail, Hotmail, or Yahoo), your SMTP server must support forwarding web mail.

Before setting up an event forwarder to a Gmail web service, review information in Setting up event forwarding to a Gmail SMTP service.

If XClarity Administrator is rebooted after event recipients are configured, you must wait for the management server to regenerate internal data before events are forwarded correctly.

Note: For XClarity Administrator v1.2.0 and later, Switches is included on the Events tab in the New Event Recipients and Change Event Recipients dialogs. If you upgraded to 1.2.0 or later from an earlier release, remember to update your remote event recipients to include or exclude RackSwitch events as appropriate. This is necessary even if you selected the All Systems checkbox to select all devices.

Procedure

Complete the following steps to create a remote event recipient.

  1. From the XClarity Administrator menu bar, click Monitoring > Event Forwarding. The Event Forwarding page is displayed.
  2. Click the Event Monitors tab.
  3. Click the Create icon. The General tab of the New Event Recipient dialog is displayed.
  4. Select one of the following protocols to use to forward events, and fill in the protocol-specific information:
    • Azure Log Analytics

      • Enter the name and optional description for the remote event recipient.

      • Enter the primary key for the Azure Log Analytics interface.

      • Enter the time-out period (in seconds) for the request. Default is 30 seconds.

      • Optional: If authentication is required, select one of the following authentication types:

        • Basic. Authenticates to the specified server using the specified user ID and password.

        • None. No authentication is used.

    • Email

      • Enter the name, destination host, and optional description for the remote event recipient.

      • Enter the port to use for forwarding events. The default is 25.

      • Enter the time-out period (in seconds) for the request. Default is 30 seconds.
      • Enter the email address for each recipient. Separate multiple email addresses by using a comma.

        To send the email to the support contact that is assigned for the device, select Use Support Contact Email(s) (see Defining the support contacts for specific devices).

      • Optional: Enter the email address for the sender of the email (for example, john@company.com).

        If you do not specify an email address, the sender address is LXCA.<source_identifier>@<smtp_host> by default.

        If you specify only the sender domain, the format of the sender address is <LXCA_host_name>@<sender_domain> (for example, XClarity1@company.com).

        Notes:
        • If you set up your SMTP server to require a hostname to forward emails, and you do not set up a hostname for XClarity Administrator, it is possible that the SMTP server might reject forwarded events. If XClarity Administrator does not have a hostname, the event is forwarded with the IP address. If the IP address cannot be obtained, "localhost" is sent instead, which might cause the SMTP server to reject the event.

        • If you specify the sender domain, the source is not identified in the sender address. Instead, information about the source of the event is included in the body of the email, including system name, IP address, type/model, and serial number.

        • If the SMTP server accepts only emails that were sent by a registered user, the default sender address (LXCA.<source_identifier>@<smtp_host>) is rejected. In this case, you must specify at least a domain name in the From address field.

      • Optional: To establish a secure connection to the SMTP server, select one of the following connection types:
        • SSL. Uses the SSL protocol while communicating.

        • STARTTLS. Uses TLS to secure communication over an otherwise unsecured channel.

        If one of these connection types is selected, LXCA attempts to download and import the SMTP server’s certificate to its truststore. You are asked to accept adding this certificate to the truststore.

      • Optional: If authentication is required, select one of the following authentication types:

        • Regular. Authenticates to the specified SMTP server using the specified user ID and password.

        • NTLM. Uses the NT LAN Manager (NTLM) protocol to authenticate to the specified SMTP server using the specified user ID, password, and domain name.

        • OAUTH2. Uses the Simple Authentication and Security Layer (SASL) protocol to authenticate to the specified SMTP server using the specified user name and security token. Typically, the user name is your email address.

          Attention: The security token expires after a short time. It is your responsibility to refresh the security token.
        • None. No authentication is used.

    • FTP

      • Enter the name, destination host, and optional description for the remote event recipient.

      • Enter the port to use for forwarding events. The default is 21.

      • Enter the time-out period (in seconds) for the request. Default is 30 seconds.

      • Optional: Specify the sequence of characters to be removed from the file content.

      • Enter the file-name format to use for the file that contains the forwarded event. The default format is event_[[EventSequenceID]].txt.

        Note: Each file contains information for a single event.
      • Enter the path on the remote FTP server where the file is to be uploaded.

      • Choose the character encoding, either UTF-8 or Big5. The default is UTF-8.

      • Select the authentication type. This can be one of the following values.

        • Anonymous. (default) No authentication is used.

        • Basic. Authenticates to the FTP server using the specified user ID and password.

    • REST

      • Enter the resource path on which the forwarder is to post the events (for example, /rest/test).

      • Select the protocol to use for forwarding events. This can be one of the following values.
        • HTTP

        • HTTPS

      • Select the REST method. This can be one of the following values.

        • PUT

        • POST

      • Enter the time-out period (in seconds) for the request. Default is 30 seconds.

      • Optional: If authentication is required, select one of the following authentication types:
        • Basic. Authenticates to the specified server using the specified user ID and password.

        • None. No authentication is used.

    • SNMP

      • Enter the name and destination host for the remote event recipient.

      • Enter the port to use for forwarding events. The default is 162.

      • Optional: Enter additional information, including the description, contact name, and location.

      • Select the SNMP version. This can be one of the following values.

        • SNMPv1. If this version is selected, specify the community password that is sent with every SNMP request to the device.

        • SNMPv3. This is the default version and is recommended for enhanced security. If SNMPv3 is selected, optionally specify the user ID, authentication type and password, and privacy type and password.

          If the SNMPv3 trap receiver requires the engine ID for the XClarity Administrator instance, you can find the engine ID by performing the following steps:
          1. Ensure that the connection parameters (username, authProtocol, authPassword, privProtocol, privPassword) match the ones set in XClarity Administrator.

          2. Using your preferred software (such as snmpwalk), perform an SNMP GET request on the XClarity Administrator server using one of the following OIDs:
            • EngineID: 1.3.6.1.6.3.10.2.1.1.0

            • EngineBoots: 1.3.6.1.6.3.10.2.1.2.0

      • Enter the time-out period (in seconds) for the request. Default is 30 seconds.
      • Optional: If trap authentication is needed, enter the user ID and authentication password. The same user ID and password must be entered in the remote SNMP recipient to which the traps are forwarded.

      • Select the authentication protocol that is used by the remote SNMP recipient to verify the trap sender. This can be one of the following values.
        • SHA. Uses the SHA protocol to authenticate to the specified SNMP server using the specified user ID, password, and domain name.

        • None. No authentication is used.

      • If trap encryption is needed, enter the privacy type (encryption protocol) and password. This can be one of the following values. The same protocol and password must be entered in the remote SNMP recipient to which the traps are forwarded.

        • AES

        • DES

        • None

    • Syslog

      • Enter the name, destination host, and optional description for the remote event recipient.
      • Enter the port to use for forwarding events. The default is 514.
      • Select the protocol to use for forwarding events. This can be one of the following values.
        • UDP
        • TCP
      • Enter the time-out period (in seconds) for the request. Default is 30 seconds.
      • Optionally select the format for the timestamp in the syslog. This can be one of the following values.
        • Local time. The default format, for example Fri Mar 31 05:57:18 EDT 2017.

        • GMT time. International standard (ISO8601) for dates and times, for example 2017-03-31T05:58:20-04:00.

  5. Click Output format to choose the output format of the event data to be forwarded. The information varies for each type of remote event recipient.

    The following example output format is the default format for syslog recipients. All words between double square brackets are variables that are replaced with actual values when an event is forwarded. The available variables for the selected remote event recipient are listed in the Output Format dialog.

    <8[[SysLogSeverity]]> [[EventTimeStamp]] [appl=LXCA service=[[EventService]] severity=[[EventSeverity]]
    class=[[EventClass]] appladdr=[[LXCA_IP]] user=[[EventUserName]] src=[[SysLogSource]] uuid=[[UUID]]
    me=[[DeviceSerialNumber]] resourceIP=[[DeviceIPAddress]] systemName=[[DeviceFullPathName]]
    seq=[[EventSequenceID]] EventID=[[EventID]] CommonEventID=[[CommonEventID]]

    You can click Reset to defaults to change the output format back to the default fields.

  6. Click the Allow Excluded Events toggle to either allow or prevent excluded events from being forwarded.
  7. Select Enable this recipient to activate event forwarding for this remote event recipient.
  8. Click Next to display the Devices tab.
  9. Select the devices and groups that you want to monitor for this remote event recipient.
    Tip: To forward events for all managed devices (current and future), select the Match all systems checkbox.

    If you do not select the Match all systems checkbox, ensure that the selected devices do not have a DUMMY-UUID in the UUID column. A Dummy-UUID is assigned to devices that have not yet recovered after a restart or are not discovered completely by the management server. If you select a device with a Dummy-UUID, event forwarding works for this device until the moment when the device is fully discovered or recovered and the Dummy-UUID changes to its real UUID.

  10. Click Next to display the Events tab.
  11. Select the filters to use for this remote recipient.
    • Match by event category.

      1. To forward all audit events regardless of the status level, select Include All Audit events.

      2. To forward all warranty events, select Include Warranty events.

      3. To forward all health-status-change events, select Include Status Change events.

      4. To forward all health-status-update events, select Include Status Update events.

      5. Select the event classes and serviceability level that you want to forward.

      6. Enter IDs for one or more events that you want to exclude from forwarding. Separate IDs by using a comma (for example, FQXHMEM0214I,FQXHMEM0214I).

    • Match by event code. Enter IDs for one or more events that you want to forward. Separate multiple IDs by using a comma.

    • Exclude by event category.

      1. To exclude all audit events regardless of the status level, select Exclude All Audit events.

      2. To exclude all warranty events, select Exclude Warranty events.

      3. To exclude all health-status-change events, select Exclude Status Change events.

      4. To exclude all health-status-update events, select Exclude Status Update events.

      5. Select the event classes and serviceability level that you want to exclude.

      6. Enter IDs for one or more events that you want to forward. Separate IDs by using a comma.

    • Exclude by event code. Enter IDs for one or more events that you want to exclude. Separate multiple IDs by using a comma.

  12. Select the components and severities for which you want events to be forwarded.
  13. Click Next to display the Scheduler tab.
  14. Optional: Define the times and days when you want the specified events to be forwarded to this remote event recipient. Only events that occur during the specified time slot are forwarded.

    If you do not create a schedule for the remote event recipient, events are forwarded 24x7.

    1. Use the Scroll left and Scroll right icons, and the Day, Week, and Month buttons, to find the day and time that you want to start the schedule.

    2. Double-click the time slot to open the New Time Period dialog.

    3. Fill in the required information, including the date, start and end times, and whether the schedule is to be recurring.

    4. Click Create to save the schedule and close the dialog. The new schedule is added to the calendar.

    Tips:
    • You can change the time slot by dragging the schedule entry to another time slot in the calendar.

    • You can change the duration by selecting the top or bottom of the schedule entry and dragging it to the new time in the calendar.

    • You can change the end time by selecting the bottom of the schedule entry and dragging it to the new time in the calendar.

    • You can change a schedule by double-clicking the schedule entry in the calendar and clicking Edit Entry.

    • You can view a summary of all schedule entries by selecting Show Scheduler Summary. The summary includes the time slot for each entry and which entries are repeatable.

    • You can delete a schedule entry from the calendar or scheduler summary by selecting the entry and clicking Delete Entry.

  15. Click Create.

    The remote event recipient is listed in the Event Forwarding table.


    [Figure: the Event Forwarding dialog that lists the event recipients.]
  16. Select the new remote event recipient, click Generate Test Event, and then verify that the events are forwarded correctly to the recipient (syslog, SNMPv3, or email server).
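
To check on the syslog receiver that a test event arrives in the default output format shown in step 5, the format string itself can be compiled into a parser. This is an added example, not Lenovo code, and it goes beyond the default case: the same function works for any customized output format, and it keeps values that contain spaces (such as the local-time timestamp) intact. Assumptions: the sample line and its values are constructed, the line breaks in the documented format are single spaces, and SysLogSeverity is a single digit.

```python
import re

# Default syslog output format from the page, joined with single spaces
# (assumption: the line breaks in the documentation are layout only).
DEFAULT_FORMAT = (
    "<8[[SysLogSeverity]]> [[EventTimeStamp]] [appl=LXCA "
    "service=[[EventService]] severity=[[EventSeverity]] "
    "class=[[EventClass]] appladdr=[[LXCA_IP]] user=[[EventUserName]] "
    "src=[[SysLogSource]] uuid=[[UUID]] me=[[DeviceSerialNumber]] "
    "resourceIP=[[DeviceIPAddress]] systemName=[[DeviceFullPathName]] "
    "seq=[[EventSequenceID]] EventID=[[EventID]] "
    "CommonEventID=[[CommonEventID]]"
)

# Constructed sample line; every value except the event ID is made up.
SAMPLE = (
    "<84> Fri Mar 31 05:57:18 EDT 2017 [appl=LXCA service=1 "
    "severity=Warning class=System appladdr=192.0.2.10 user=ADMIN "
    "src=Management uuid=00000000000000000000000000000001 me=SN000001 "
    "resourceIP=192.0.2.55 systemName=Rack 1 / Chassis A seq=1234 "
    "EventID=FQXHMEM0214I CommonEventID=FQXHMEM0214I"
)

def compile_format(template):
    """Build a regex with one named group per [[Variable]] in the format."""
    pattern = ""
    for i, part in enumerate(re.split(r"\[\[(\w+)\]\]", template)):
        # Even items are literal text; odd items are variable names.
        # Values are matched lazily because they may contain spaces.
        pattern += re.escape(part) if i % 2 == 0 else f"(?P<{part}>.*?)"
    return re.compile(pattern + r"\s*$")

def parse_event(line, regex):
    """Return the event fields, or None if the line does not fit the format."""
    line = line.strip()
    match = regex.match(line)
    if match is None:
        return None  # unexpected shape: keep the raw line for review
    fields = match.groupdict()
    # Standard syslog PRI decoding: PRI = facility * 8 + severity.
    pri = re.match(r"<(\d{1,3})>", line)
    if pri:
        fields["facility"], fields["severity_code"] = divmod(int(pri.group(1)), 8)
    return fields

if __name__ == "__main__":
    print(parse_event(SAMPLE, compile_format(DEFAULT_FORMAT)))
```

If the output format is changed in the Output Format dialog, pass the new format string to compile_format so the receiver-side parser stays in step with the forwarder.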

Results

From the Event Forwarding page, you can perform the following actions on a selected remote event recipient:
  • Refresh the list of remote event recipients by clicking the Refresh icon.

  • View details about a specific remote event recipient by clicking the link in the Name column.

  • Change the remote event recipient properties and filter criteria by clicking the event recipient name in the Name column.

  • Delete the remote event recipient by clicking the Delete icon.

  • Suspend event forwarding (see Suspending event forwarding).