Description
This operation component obtains information from the Windows event logs. Up to 1,000 items of event log information can be obtained.
Options
Basic Options
Target host name or IP address where the operation component will be executed.
To execute the operation component on the Management Server, specify the following:
For IPv4: 'localhost' or '127.0.0.1'
For IPv6: 'localhost' or '::1'
An argument error occurs if the host name or IP address is omitted.
The maximum length of the host name or IP address is 1,024 characters. An argument error occurs if this is exceeded.
Advanced Options
This is the event type for the obtained event.
Specify 'Application', 'System', or 'Security' as the event type to obtain. This option is not case sensitive.
An argument error will occur if an event type other than those listed above is specified.
If the event type is omitted, log information for all event types is obtained.
The maximum length of the event type is 1,024 characters. An argument error occurs if this is exceeded.
This is the event ID for the obtained event.
If the event ID is omitted, log information for all event IDs is obtained.
Values between 0 and 65535 can be specified. An argument error will occur if any other value is specified.
This is the source name for the event which is obtained. The source name is the name of the log output source.
If the source name is omitted, log information for all sources is obtained.
The maximum length of the source name is 1,024 characters. An argument error occurs if this is exceeded.
Specify the source name as shown below.
Example: winword
This is the level for the obtained event.
An argument error will occur if any level other than those listed below is specified.
If the level is omitted, log information for all levels is obtained.
The maximum length of the level is 1,024 characters. An argument error occurs if this is exceeded.
The following table lists the event levels.
Level | Description |
---|---|
1 | ERROR |
2 | INFORMATION |
3 | WARNING |
4 | AUDIT_SUCCESS |
This is the filter message for the obtained event.
Events containing the string specified in the filter message are obtained.
If the filter message is omitted, filtering is not performed.
The maximum length of the filter message is 1,024 characters. An argument error occurs if this is exceeded.
This is the start date and time for the obtained event.
Events occurring after the specified date and time are obtained.
If the start date and time is omitted, events are obtained starting with the oldest event saved in the event log.
The maximum length of the string for the start date and time is 1,024 characters. An argument error occurs if this is exceeded.
The format is 4 digits for the year and 2 digits each for the month, day, hour, minute and second (YYYYMMDDhhmmss).
Example: 20110830123055
This is the end date and time for the obtained event log.
Events occurring before the specified date and time are obtained.
If the end date and time is omitted, events up to and including the last event saved in the event log are obtained.
If the execution of the operation component conflicts with the occurrence of new events, it may not be possible to obtain these new events.
The maximum length of the string for the end date and time is 1,024 characters. An argument error occurs if this is exceeded.
The format is 4 digits for the year and 2 digits each for the month, day, hour, minute and second (YYYYMMDDhhmmss).
Example: 20110830123255
Operating system of the host executing the operation component.
Specify Windows. This option is not case sensitive.
If the OS type is omitted, the Configuration Management Database (CMDB) will be searched based on the specified host name or IP address, and Systemwalker Runbook Automation automatically sets the acquired OS type as the value.
The maximum length of the OS type is 1,024 characters. An argument error occurs if this is exceeded.
This is the name of the user that uses SSH to connect to the target host where the operation component is to be executed.
If the connected user name and password required for connection are not specified, the Configuration Management Database (CMDB) is searched based on the specified host name or IP address and Systemwalker Runbook Automation automatically sets the acquired connected user name as the value.
If the operation component connects with the file transfer infrastructure, the connected user name will be fixed at either of the following names and cannot be changed. In this case, the user name is ignored even if specified.
If the Business Server is running on Windows: SYSTEM user
The maximum length of the connected user name is 1,024 characters. An argument error occurs if this is exceeded.
This is the password of the user that uses SSH to connect to the target host where the operation component is to be executed.
If the connected user name and password required for connection are not specified, the Configuration Management Database (CMDB) is searched based on the specified host name or IP address and Systemwalker Runbook Automation automatically sets the acquired connected user password as the value.
If it connects with the file transfer infrastructure, the connected user password is invalid.
The maximum length of the connected user password is 1,024 characters. An argument error occurs if this is exceeded.
This is the completion timeout (seconds) for the execution of operation components.
Values between 300 and 86400 (1 day) can be specified.
Example: If the completion timeout is 10 minutes: 600
If the operation component has not finished executing even though the specified time has passed, the processing for the operation component will be interrupted with return value 201.
This is the retry count for the execution of operation components.
Specify the number of retry attempts to be used when operation components terminate with return value 161. Values between 0 and 5 can be specified.
If an operation component terminates with a return value other than "161" as a result of being re-executed from a retry, execution of the operation component will terminate even if the specified number of retries has not been reached. The return value for the operation component will be the value from the last time the operation component was executed.
Example: To retry the operation component twice: 2
This is the retry interval (seconds) for operation components.
Specify the time to wait before a retry is attempted if operation components terminate with return value 161. Values between 1 and 14400 can be specified.
Example: To retry at 300 second intervals: 300
If timeout, retry, or retry_interval is omitted, or a value outside the ranges given above is specified, the value specified in the operation components definition file takes effect. Refer to "2.5 Definition File for Operation Components" for details.
Return Values
Name | Return value | Description |
---|---|---|
Success | 0 | The event log has been obtained successfully. |
Failure | 161 | An attempt to obtain the event log failed. If a retry count has been specified, retries will be attempted. |
Failure | 187 | Authentication failed when an attempt was made to connect to the Business Server over the network (using SSH). Alternatively, an error occurred during the processing of communications with the Business Server (file transfer infrastructure). In this case, the error code for the file transfer infrastructure is output to the execution results. Refer to "3.21 Detailed Code of File Transfer Infrastructure" for information on error codes. |
Failure | 188 | When an operation component was performing an operation on a Business Server where an RBA Agent has not been installed, an SSH network connection with the Business Server was closed. |
Failure | 189 | An attempt to connect to the Business Server over the network (using SSH) failed. Alternatively, an error occurred during the processing of communications with the Business Server (file transfer infrastructure). In this case, the error code for the file transfer infrastructure is output to the execution results. Refer to "3.21 Detailed Code of File Transfer Infrastructure" for information on error codes. |
Failure | 197 | There is an error with the input information. |
Failure | 200 | An attempt to obtain the event log terminated abnormally. |
- | 201 | Execution of the operation component timed out. |
- | 202 | The operation component has not been executed. There is a problem with the settings for executing the operation component. |
- | 203 | The operation component has not been executed normally. There is a problem with the Management Server environment. |
- | 205 | The operation component has not been executed. There is a problem with the input information specification of the operation component. |
- | 206 | The operation component has not been executed normally. There is a problem with the output information specification of the operation component. |
- | 207 | The operation component has not been executed. The operation component may not have been registered on the Management Server. |
- | 208 | The Automated Operation Process has been canceled because the Automated Operation Process was recovered while the operation component was executing. |
Output information
Variable | Description |
---|---|
message | This variable will be set to the following message if the event log is obtained successfully: "The operation component was successful." If an attempt to obtain the event log fails, the content of the error will be set as a string. |
log_get_result | This variable is set to the content acquired from the event log, in the following format. Any linefeed characters in the [message] part will be converted to spaces. [event ID],[event type],[source],[level],[message],[occurrence time] <Example> "6009","System","winword","ERROR",~"testEventLogMessage","20110830123255" |
nexttime | If 1,000 event logs have been obtained but there are still more event logs available, this variable will be set to the date and time of the first of the remaining event logs. The format is 4 digits for the year and 2 digits each for the month, day, hour, minute and second (YYYYMMDDhhmmss). |
returnCode | This variable is set to the return value. |
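
The [message] field of log_get_result carries whatever text the event source wrote, so a consumer that splits records on commas can be misled by a message that itself contains `","`. The following is an added example, not code from Systemwalker Runbook Automation: a Python parser that anchors the four leading fields and the trailing occurrence time, plus a merge step for successive calls driven by nexttime. It assumes one record per line and that a call starting at nexttime may return boundary records again; the function names and sample pages are constructed for illustration.

```python
import re
from datetime import datetime

# Left-anchored fixed fields, greedy message, right-anchored 14-digit time.
# A message that itself contains '","' therefore cannot shift the other fields.
RECORD = re.compile(r'^"(\d+)","([^"]*)","([^"]*)","([^"]*)",(.*),"(\d{14})"$')
LEVELS = {"ERROR", "INFORMATION", "WARNING", "AUDIT_SUCCESS"}  # from the level table

def parse_record(line):
    """Parse one log_get_result record; raise ValueError if it is malformed."""
    m = RECORD.match(line.strip())
    if not m:
        raise ValueError("unparseable record: %r" % line)
    event_id, event_type, source, level, message, time = m.groups()
    if level not in LEVELS or not 0 <= int(event_id) <= 65535:
        raise ValueError("field outside documented values: %r" % line)
    datetime.strptime(time, "%Y%m%d%H%M%S")  # rejects impossible dates
    if len(message) >= 2 and message[0] == message[-1] == '"':
        message = message[1:-1]  # drop the enclosing quotes only
    return {"event_id": int(event_id), "event_type": event_type, "source": source,
            "level": level, "message": message, "time": time}

def merge_pages(pages):
    """Concatenate successive pages, dropping boundary records repeated when
    the next call starts at nexttime (assumption: starttime may be inclusive)."""
    merged, boundary = [], set()
    for page in pages:
        records = [parse_record(ln) for ln in page.splitlines() if ln.strip()]
        merged.extend(r for r in records if tuple(r.values()) not in boundary)
        if records:
            last = max(r["time"] for r in records)
            boundary = {tuple(r.values()) for r in records if r["time"] == last}
    return merged

# Constructed sample pages (not real output); one record per line is assumed.
# The second record's message embeds '","AUDIT_SUCCESS","' to imitate extra fields.
PAGE_1 = '''"6009","System","EventLog","INFORMATION","boot, build 7601","20110830123055"
"1000","Application","winword","ERROR","crash","AUDIT_SUCCESS","note, with comma","20110830123255"'''
PAGE_2 = '''"1000","Application","winword","ERROR","crash","AUDIT_SUCCESS","note, with comma","20110830123255"
"4624","Security","Security-Auditing","AUDIT_SUCCESS","logon ok","20110830123300"'''

if __name__ == "__main__":
    for rec in merge_pages([PAGE_1, PAGE_2]):
        print(rec["time"], rec["level"], rec["event_id"], rec["message"])
```

The `~` that precedes the message in the example in the table above is not explained on this page, so the parser leaves it in the message text unchanged.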
Notes
If a host other than the Management Server is specified for the "hostname" option, this operation component will execute actions using either the file transfer infrastructure or SSH communications. Specify settings so that communications can be performed using at least one of these methods. Refer to "3.16 Notes of Each Communication Method" for information on communication methods.
If 1,000 event logs have been obtained but there are still more event logs available, then any event logs where the occurrence time is the same as the 1,000th event log can still be obtained from the remaining event logs.
This operation component obtains event logs by executing the wmic ntevent command based on the values specified for the following options. The wmic ntevent command can take a long time to execute when obtaining a large number of event logs. For this reason, specify the following options to prevent large numbers of event logs from being retrieved collectively. Also, set an appropriate value for the "timeout" option.
eventtype
eventid
sourcename
level
message
starttime
endtime
Use the Web console to check the return value. Refer to "Confirming the Operation Component Execution Status/Execution Results" in the Systemwalker Runbook Automation Operation Guide for details.
If a return value between 201 and 208 has been output, the Automated Operation Process will enter an aborted state or an error state, and error messages will be output to the following locations:
Event logs for the Management Server (if the Management Server is running on Windows(R))
syslogs for the Management Server (if the Management Server is running on Linux)
Custom messages for BPMN
Check for messages in these locations and take the appropriate action. Refer to the Systemwalker Runbook Automation Message Guide for details.