IBM Netcool uses probes to collect events from various sources.
What are Netcool Probes?
Netcool Probes are lightweight, small-footprint software components that are used to obtain event information, convert it into the Common Event Format (CEF) and pass it to the Netcool ObjectServer.
As the probes are completely separate from the ObjectServer, the same ObjectServer can collect events from any number of different sources. As monitoring requirements change, new probes can be added or old probes removed without changes to the ObjectServer or interruption to service. Currently more than 300 types of element manager, device or system have probes available. Some probes are very generic (such as the SNMP Trapd probe, or the Syslog probe) whilst others are specific to particular applications or devices.
Event Enrichment: Probes can modify and add more details to the event data. This is called event enrichment. String manipulation functions, external lookup tables and arithmetic operators can all be used within the interpreted probe rules file.
Resiliency: Probes create a reliable TCP connection to the ObjectServer in order to send an event; this ensures completeness and accuracy of data. If a probe cannot connect to the ObjectServer it can store events until the ObjectServer becomes available again. Where a pair of ObjectServers exist, a probe can be configured to fail over and send events to the alternate ObjectServer.
Most event data is collected using probes, but events can also be modified or generated by Automations, Tools, Gateways or the SQL Command line interface (CLI).
Components of Netcool Probe
Every probe comprises at least three files: a binary executable, an interpreted rules file and a properties file.
The probe binary collects the event data stream and splits the stream into individual tokens. The binary then interprets and applies the rules file (see below) and sends the finished event to the ObjectServer.
The rules file is used to assign tokens to ObjectServer fields in the alerts.status table. Additionally, data may be manipulated, information may be added to the event, and mathematical calculations may be performed in the rules file.
The properties file is used to set run-time parameters and determine a probe's behaviour.
Probe Operation
The operation of a probe can be split into five stages:
a) Initialization: The probe connects to the ObjectServer and identifies the format of the alerts.status table. The props and rules files of the probe are then read and parsed, ready to retrieve events.
b) Event Retrieval: The probe then retrieves an event from the source. This can be by using an API, receiving an SNMP trap or reading a log file, for example.
c) Tokenization: The probe then tokenizes the event stream to create tokens ($) which are used within the rules file.
d) Rules Interpretation: Once the probe has tokenized the event stream, the event is processed by the rules file, setting the field values (@).
e) Send Event: The last step is to send the event to the ObjectServer, ensuring the event is received. If any problem occurs sending the event to the ObjectServer, the probe will either fail over to another ObjectServer or go into Store and Forward. The probe then retrieves the next event.
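As an added illustration (not code from the original page or from IBM), the following Python model walks a few constructed syslog-style lines through the five stages above: tokenization into $ tokens, rules interpretation into @ fields with a lookup-table enrichment, and Store and Forward when the ObjectServer is unreachable. The token names, the severity table and the `Probe` class are assumptions; only Node, AlertGroup, AlertKey, Summary, Severity and Identifier are real alerts.status columns.

```python
# Constructed sample: syslog-style lines as a probe's event retrieval (stage b) might read them.
SAMPLE_LOG = [
    "host1 sshd err Failed password for root from 10.0.0.5",
    "host2 cron info Job started",
    "host1 sshd err Failed password for root from 10.0.0.5",
]

# Rules-file style lookup table with a default: an unknown level must not fall through to 0 (clear).
SEVERITY_TABLE = {"emerg": 5, "crit": 5, "err": 4, "warning": 3, "info": 2}
SEVERITY_DEFAULT = 2


def tokenize(line):
    """Stage c: split the raw event into tokens ($Node, $Process, $Level, $Message) - assumed names."""
    node, process, level, message = line.split(" ", 3)
    return {"Node": node, "Process": process, "Level": level, "Message": message}


def apply_rules(tokens):
    """Stage d: assign tokens to alerts.status fields (@) and enrich them."""
    fields = {
        "Node": tokens["Node"],
        "AlertGroup": tokens["Process"],
        "AlertKey": tokens["Process"] + ":" + tokens["Level"],
        "Summary": tokens["Process"] + ": " + tokens["Message"],
        "Severity": SEVERITY_TABLE.get(tokens["Level"].lower(), SEVERITY_DEFAULT),
    }
    # Identifier is the ObjectServer's deduplication key; keep it stable across repeats of one condition.
    fields["Identifier"] = fields["Node"] + " " + fields["AlertKey"] + " " + tokens["Message"]
    return fields


class Probe:
    """Hypothetical probe: stage e, with Store and Forward while the ObjectServer is down."""

    def __init__(self, objectserver_up=True):
        self.objectserver_up = objectserver_up
        self.sent, self.store = [], []

    def send(self, event):
        if not self.objectserver_up:
            self.store.append(event)      # Store and Forward: nothing is dropped during the outage
            return False
        self.sent.extend(self.store)      # flush stored events in arrival order before the new one
        self.store.clear()
        self.sent.append(event)
        return True

    def run(self, lines):
        for line in lines:                # stage b: retrieve the next event
            self.send(apply_rules(tokenize(line)))
        return len(self.sent), len(self.store)
```

Running `Probe(objectserver_up=False).run(SAMPLE_LOG)` queues all three events; once `objectserver_up` is set back to True the next `send` flushes them ahead of the new event.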