Professional Documents
Culture Documents
Administrator's Guide
Legal Notices
Warranty
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
Copyright Notice
Copyright 2012 Hewlett-Packard Development Company, L.P.
Trademark Notices
Oracle and Java are registered trademarks of Oracle and/or its affiliates, and shall not be used
without Oracles express written authorization. Other names may be trademarks of their respective
owners.
Intel and Itanium are registered trademarks of Intel Corporation in the US and other countries
and are used under license.
Red Hat and Enterprise Linux are registered trademarks of RedHat, Inc.
Documentation Updates
The title page of this document and the below print history contains the following identifying
information:
http://www.hp.com/support/usage
The following table lists the version history since the last released edition.
Print History
Edition Version Release Date
Related Documents
Refer to the following documents (including this document) for further information.
HP eIUM Release Provides release-specific topics, such as new features, software and hardware
Notes requirements, and known problems and workarounds.
HP eIUM Provides Operations Console usage information (also in help system embedded
Operations in the web application), such as an orientation to the interface, monitoring
Console User capabilities for the deployment, groups, and processes, as well as common
Guide usage scenarios.
HP eIUM Describes collector and Session Server templates pre-configured to read from
Template particular data sources. The templates can be used to create collectors and
Reference Session Servers quickly.
HP eIUM Real- Describes the Session Server, the Real-Time Charging Manager, and the Real-
Time Guide Time Engine in the eIUM system.
HP eIUM Studio Describes how to use the HP SNAP Studio to perform business, technical, or
User Guide administration tasks.
HP eIUM Real- Describes the Real-Time Engine system and functionality overview,
Time Developer development considerations, and reference information.
Guide
HP eIUM Real- Provides performance tuning and sizing tips and guidelines for the Real-Time
Time Engine.
Performance
Tuning and
Sizing Guide
HP eIUM Load Describes how to use the optional Load Balancer capabilities of eIUM.
Balancer Guide
HP eIUM SPR Introduces the Subscriber Profile Repository (SPR) and describes how to install
Guide and configure the SPR in eIUM.
Security 20
Status Icons 22
Initial Configuration 30
Database Setup 30
Metatable Definitions 34
Audit Logging 53
Security 55
Authentication 55
Authorization 55
Using eIUMCommands 62
Security 63
Command History 64
Accessing Help 64
Non-Interactive Mode 65
Chaining Commands 66
Example Scripts 76
Using processmanager 78
Commands 78
Scripting Support 79
Using configmanager 81
Commands 81
Scripting Support 82
Creating Collectors 84
Methods of Creating Collectors 84
Testing Collectors 86
Deploying Collectors 87
Enabling IPv6 97
Changing the Security Server Shutdown Keyword and Port Number 108
Groups 115
Syntax 170
Examples 170
Syntax 171
Examples 171
Overview
This documentation provides information pertinent to eIUMadministrators, such as the following:
This documentation assumes you are familiar with eIUM and basic eIUM and mediation concepts. For
more information, see the eIUM Foundation Guide. For overall usage instructions and a description of
the Operations Console, see the eIUM Operations Console User Guide.
Security 20
Status Icons 22
NOTE: In example commands in this manual, SIU is the default instance name. If you installed
using a different instance name, use that instead of SIU in the examples. See the eIUM
Installation Guide for information on how to install the eIUM product.
Security
If you have installed the optional eIUM security module, you must log in to the Launchpad and when
using any eIUM command. Provide a valid user name and password. The default administrators user
name and password were set when you installed HP eIUM security.
For more information on security, see "Managing Users and Security" (on page 106).
l The menu provides all the operations you can perform with the Launchpad. For a complete list,
see "The Launchpad Menu" (on page 22).
l Right-clicking on the collector or any other process icon brings up a menu of operations you
can perform on that object. For example, if you right click on a collector you can start or stop the
collector, display its log file, view statistics about the process, query its data, perform diagnostics
or perform several other operations.
l The buttons provide quick access to common operations. Hold the mouse pointer over each
button to see what it does. With the buttons you can:
n Start and stop collectors and other servers
l The status panel displays valuable information about your deployment. It can display the
operational status of collectors, log files for collectors, and statistics about the data processed
by a collector.
l The additional tabs let you select whether to view operational status, statistics or log files for a
collector, host or other server.
Status Icons
The icon beside each collector, host and server in the Launchpad tells you the status of that object,
as follows:
NOTE: The Actions menu changes depending on what is selected in the deployment map. The
menu items are customized to the particular collector or server that has been selected.
File: New... File Creates a new file collection service from a template. Use the Tools:
Collection Deployment Builders: Create File Service Components menu instead of this
Service menu item. For more information, see the eIUM Foundation Guide.
File: New... File Creates a new file distribution service from a template. Use the Tools:
Distribution Deployment Builders: Create File Service Components menu instead of this
Service menu item. For more information, see the eIUM Foundation Guide.
File: Import Reads configuration information from one or more files into the configuration
Configuration... server.
File: Export Writes configuration information from the configuration server to one or more
Configuration... files.
File: Save Remembers the arrangement of collector and server icons on the right side of
Layout the Launchpad screen. This is useful when you have a large number of
collectors and servers to retain the way you have arranged them. See also the
Options: Preference menu item below.
View: Opens or closes a Status window at the bottom of the Launchpad screen.
Operational
Status
View: Zoom In Makes the collector and server view larger or smaller on the right side of the
and Zoom Out Launchpad.
View: Redraw Repositions all the collectors and servers in the view on the right side of the
Launchpad.
Actions: Audit (Deployment must be selected.) Displays audit information. For more
Data information on audit, see the eIUM Component Reference.
Actions: Displays a screen where you can select one or more diagnostics to perform on
Diagnostics the selected server.
Actions: View (A host must be selected.) Displays all log messages for the host. See the eIUM
Central Log Foundation Guide for details on consolidated logging.
Actions: Open (A host must be selected.) Displays a window where you can view log messages.
Central Log See the eIUM Foundation Guide for details on consolidated logging.
Viewer
Actions: Log File Displays the selected processs log file at the bottom of the Launchpad.
Actions: Open Displays a window where you can view log messages.
Log Viewer
Actions: Set Log Opens a window where you can change the amount of information being
Level logged for the selected process. See the eIUM Foundation Guide for more
information on logging.
Actions: Host (A host must be selected.) Opens a window where you can change how all
Default processes on the host run unless specifically overridden by a particular
Properties process. See "Changing Default Host Properties" (on page 96) for more
information.
Actions: Opens a window where you can view and change how a particular process runs.
Properties See "Overriding Default Host Properties" (on page 99) for more information.
Actions: Edit (A collector or other server must be selected.) Opens a window where you can
modify a collectors or other servers configurations.
Actions: Start Starts or stops the selected process. For more information on the file service
and Stop and on reporting, see the eIUM Foundation Guide.
Actions: Cleanup (A collector, file collection service or file distribution service must be selected.)
Removes all data stored by the selected collector or service. The collector or
service must be stopped. Returns the collector or service to the state as if it
Actions: Delete (A collector, file collection service or file distribution service must be selected.)
Removes the selected collectors or servers configuration, effectively deleting
the collector or server.
Actions: Displays detailed information about the data the selected collector has read,
Statistics processed and stored.
Actions: Query Opens a window that displays the data stored in the selected collectors
Data datastore.
Actions: Open (A collector must be selected.) Opens a window that displays audit information
Audit Log from selected collectors audit log file. For more information on auditing, see
Viewer the eIUM Foundation Guide.
Actions: Set Opens a window where you can change the amount of audit information being
Audit Log Level logged for the selected process. For more information on auditing, see the
eIUM Foundation Guide.
Actions: View Opens a window that displays the contents of an AMA/BAF data file.
AMA/BAF File
Actions: Save as Saves the selected collector as a collector template in the deployment under
Template /templates/custom. You can create collectors based on this template when
you create a new collector.
Actions: Find in Moves the selected collector to the center of the collector diagram on the right
Map side of the Launchpad.
Actions: Restart (The configuration server must be selected.) Stops and restarts the
Config Server configuration server process.
Tools: IUM Web Opens a web page that lists the available eIUM web applications. This list
Applications depends on what web applications you have installed:
l The Reporting application lets you generate reports about data processed
by collectors. See the eIUM Foundation Guide for details on reporting.
l The Audit Reporting application lets you generate reports about audit data
collected by eIUM. See the eIUM Foundation Guide for details on reporting.
l The Operations Console lets you monitor the run-time status of all the
processes in your eIUM deployment. See the eIUM Operations Console User
Guide for more information.
Tools: NME Opens a window that lets you view the NME Schema and add NME attributes.
Schema Editor
Tools: Collector Opens a window that lets you view and modify the collector templates defined
Templates in the configuration under the configuration path /templates.
Editor
Tools: Runs the file service wizard to create a file collection service, file distribution
Deployment service and collectors to read and process files from the file distribution
Builders: Create service. For more information on the file service and using the file service
File Service wizard, see the eIUM Foundation Guide.
Components
Tools: Opens the structured NME schema editor. For more information see the eIUM
Deployment Foundation Guide.
Builders:
Schema Editor
Tools: Opens a window that lets you view and modify your entire deployment, under
Deployment the configuration path /.
Editor
Options: Lets you enable or disable automatic refreshing of the Launchpad screen,
Preferences removing of the Launchpad log file when exiting the Launchpad and saving of
the Launchpad screen layout when exiting the Launchpad. See also the File:
Save Layout menu item above.
NOTE: Restart the Launchpad for the new preferences to take effect.
Help: Displays information about the structured NME schema editor. For more
Components: information, see the eIUM Foundation Guide.
Structured NME
Schema Editor
Help: About Displays the Launchpad version and information about installed patches.
l From the Launchpad, select Tools -> Web applications. This launches your web browser and
displays the eIUM Web Tools page, which includes a list of the web-based tools enabled for your
deployment.
l Open your web browser and enter http://<Host or IP address>:8159 as the URL (for example,
http://iumserver.abc-co.com:8159. If you have enabled eIUM security, enter the URL as
https://<Host or IP address>:8159.
After opening the eIUM Web Tools page, click eIUM Operations Console to launch the application.
In order for a user to have minimal access, the following roles must be assigned:
For a limited operator, in addition to the above basic roles, they must have the Diagnostics role,
which allows access to statistics, and view and query logging. This role allows the limited operator to
view the History and Log File tabs.
For a senior operator, in addition to all the assigned roles for a minimal user and a limited operator,
they must have the ServerAdmin role. This enables the Operations tab, which allows the operator to
start, stop, and clean up a process, as well set logging levels. The Operations Console interface
changes to accommodate this set of privileges by displaying the Start, Stop, and Clean Up buttons
appear for a process, as well as the Start Group and Stop Group buttons (allowing the ability to
select multiple processes via the Select column, to act on one or more processes simultaneously).
NOTE: Cleanup operations only become available once you have edited the security-policy.xml file
to allow it.
For an administrator, in addition to all the assigned roles for a minimal user, limited operator, and a
senior operator, the Management role must be enabled. It allows the administrator to create, edit,
and remove groups, and also enables the Group Admin menu.
Meanwhile, RDM also includes an Audit Log feature to help track the kind of changes performed on
the database by different users of the RDM application. Lastlyand unlike traditional database
editorsRDM also has a robust table lookup functionality, which you can leverage to search for
exactly what you need. To begin working with RDM, select a database from the tree at left.
Getting Started 29
Initial Configuration 30
Audit Logging 53
Security 55
Authentication 55
Authorization 55
Getting Started
This section discusses what you need to get started with the RDM web application. Namely:
l Starting RDM.
l Initial administrator configuration, such as database, metatables, and cache refresh settings, as
well as information on RDMlogs.
l Database selection.
l Refresh Cache View for a database.
l From the Launchpad, select Tools -> Web applications. This launches your web browser and
displays the eIUM Web Tools page, which includes a list of the web-based tools enabled for your
deployment.
l Open your web browser and enter: http://<Host or IP address>:8159 (for example,
http://iumserver.abc-co.com:8159)
After opening the eIUM Web Tools page, click IUM Reference Data Manager to launch the
application.
NOTE: RDM must also be enabled during activation of eIUM. See the eIUMInstallation Guide for
more information on installation and activation.
If security is enabled, you will be directed to a login page where you must provide the required
authentication credentials. Otherwise, you can begin using the RDM tool.
Initial Configuration
In order for the Reference Data Manager web application to function in your deployment, it must
first be activated during eIUMactivation (see the eIUM Installation Guide for more information on
activation details). For the initial setup in your deployment, two main tasks must be performed:
l A database needs to be created and set up to store the reference data. This can be an external
database or eIUM's MySQL product extension if preferred. As a related preparatory step, the
corresponding JDBC driver (whether Oracle or MySQL) should first be copied to
C:\SIU\var\webappserver\lib directory (Windows), or /var/opt/SIU/webappserver/lib (UNIX).
l Metatable definition setup for reference tables RDM uses.
l Optionally, enabling of cache refresh functionality.
NOTE: RDMalso has a corresponding log file, rdm.log. See "Additional Log File Types" (on page
175) for more information on eIUMlogging and the RDM log file location.
Database Setup
The first time you launch the Reference Data Manager, the Configuration View setup page is
displayed, which allows you to specify the settings for the database that the Reference Data
Manager will use.
The following table describes the fields and entries you must complete to set up the database that
RDM will use to store its data. Entering the information in these fields assumes you have already
installed and set up your database.
Database Specify the name of the databasethis can be any name you choose to identify the
Node particular database, and is what appears as the node name under Reference
Name Databases.
Connection Specify the URLto connect to the database. For example, using the eIUMMySQL
URL product extension, "jdbc:mysql://localhost:3306/siu20" ("jdbc" is the access
mechanism, "mysql" is the database vendor, "//localhost" is the system name where
the database is, "3306" is the port number, and "siu20" is a database schema). The
connection type can vary depending on the type of database being used. For an
Oracle thin connection, an example URL would be:
"jdbc:Oracle:thin:@IPaddress:1521:siudb".
Driver Specify the JDBC driver class of the database. For MySQL, an example would be:
Class "com.mysql.jdbc.Driver". For an Oracle thin connection, this would be: "Driver =
oracle.jdbc.Driver, connection".
NOTE: The corresponding JDBC driver (whether Oracle or MySQL) should be copied to
C:\SIU\var\webappserver\lib directory (Windows), or /var/opt/SIU/webappserver/lib
(UNIX). After copying the driver to this location, you may need to restart the Web
Application Server in order for the RDM setup process to detect the change in the
system.
Field Description
Create Create the metatables after adding the database (typically this is the most common
MetaData scenario).
Tables
Drop and Remove any pre-existing meta-tables and create new ones.
Create
MetaData
Tables
Do not Metatables are not created. See "Metatable Definitions" (on page 34) for more
Create information.
MetaData
Tables
Before adding the new database, click Check Connection to first test that you can connect to your
database. If successful, a status message is displayed.
After selecting the chosen metatable creation option, click Add. Your database appears as a node
under the Reference Databases pane, and the RDM welcome screen is displayed.
For an initial RDMsetup, no reference tables exist yet. You must use external database tools to
manually create the reference tables, which must then be described in the RDMmetatables (also
using an external tool). Afterwards, RDM can be used to edit the reference tables. For more
information on metatable definitions and setup, see "Metatable Definitions" (on page 34).
The Refresh Cache View shown above is also the top-level page that is shown for a database, but
the refresh cache is not created by default. See "Reference Data Table Definition Example" (on page
36) for information on setting up cache refresh in RDM. Also see "Refresh Cache View" (on page 39)
for an example of where the reference tables are present and can be viewed and edited by an
operator or other RDM user.
Metatable Definitions
The information stored in the metatables defines the format of the reference data tables that are
used by eIUM processes, and managed by RDM. See the following metatable descriptions below for
definitions of what needs to be populated.
TABLE_LISTThis table contains the list of reference data tables that can be viewed and modified
in RDM.
TL_USER_ VARCHAR2(30) Name of the column that contains the user name of Y
COLUMN_ the last user updating the table.
NAME
TL_UPDATE_ VARCHAR2(30) Name of the column that contains the time at which Y
TIME_ the row was created or updated.
COLNAME
COLUMN_LISTThis table contains the column details of all reference data tables that can be
viewed or edited through RDM.
CL_DATATYPE VARCHAR Type of data used for field population and validation, N
(10) for example: STRING, INTEGER, DATE, ALPHA,
ALPHANUM.
CL_REF_ INTEGER(6) Foreign column ID from where data for this column Y Foreign
COLUMN_ID should be populated from. key to
COLUMN_
LIST
l 1Nullable
l 0Not nullable
The COLUMN_LIST table possesses several validation types that are performed on the RDMdata.
These validation types are specified in the Data Type column of the table.
Integers: For this the notation, NUMBER(x) is used, where x is the total number of digits in the
number. For example, using "NUMBER(3)" would make "324" a valid value.
NOTE: If you do not specify the number of digits, that is, if the notation is NUMBER, then the
default behavior is that the system will allow only integers and there is no restriction on the
length of the number. Out-of-database range values will be handled with the standard error
handling mechanism.
l DATE: Allows specifying the date using the MMM-dd-yyyy HH:mm:ss format.
l TIMESTAMP: Allows specifying a timestamp using the MMM-dd-yyyy HH:mm:ss format.
l IP4: Allows specifying an IPv4 data type, but validation does not check for accuracy of the IP
address when using expressions such as "starts with", "ends with", and so on. Accurate validation
is only performed when the search expression is "equals".
l HOSTIP: Allows validating both IPv4 addresses and host names.
SERVER_LISTThis table contains the list of eIUM servers that should have their cache refreshed.
[/deployment/ServerName/ProcessName/ReferenceDataService]
ClassName=RefDataServiceManager
QueryNames=BsidLocation
[/deployment/ServerName/ProcessName/ReferenceDataService
/BsidLocation]
ClassName=CachedQuery
ResultAttribute=VID_MatchFoundInteger
ResultIndexAttribute=VID_ResultIndexInteger
[/deployment/ServerName/ProcessName/ReferenceDataService
/BsidLocation/Cache]
ClassName=HashMapLookupCache
CacheAttributes=SUBS_DB_LatitudeDouble
CacheAttributes=SUBS_DB_LongtitudeDouble
CacheAttributes=SUBS_DB_ZIPCODEString
CacheKeyAttributes=SUBS_DB_BsidInteger
NMEKeyAttributes=SUBS_BsidInteger
[/deployment/ServerName/ProcessName/ReferenceDataService
/BsidLocation/Loader]
ClassName=JDBCLoader
FieldExtracted=BSID,SUBS_DB_BsidInteger
FieldExtracted=LATITUDE,SUBS_DB_LatitudeDouble
FieldExtracted=LONGITUDE,SUBS_DB_LongtitudeDouble
FieldExtracted=ZIPCODE,SUBS_DB_ZIPCODEString
JDBCDataSourceConnectorName=ExternalDataSourceConnector
QueryString=SELECT %FIELDS FROM BSID_LOCATION
Secondly, you must configure a SocketConnector component in your eIUM process (session server or
collector). You need this connector to be configured in order for the eIUM process to be able to
receive the cache refresh signal. Once configured, you should be able to execute the
refreshcache command. For example:
refreshcache -ip <ip address of the server where eIUM process runs>
-port <socket connector listen port>
-map <CachedQuery name - for example, BsidLocation>
After executing this command you should see the cache being reloaded in the eIUM process log file.
See the eIUMCommand Reference for more information on this command.
Next, configure RDM to enable editing of the reference data table, for example, the BSID_LOCATION
used in the RDS CachedQuery above. The configuration is done through populating the necessary
meta-information about the BSID_LOCATION reference table in the metatables. In this example,
RDM can be configured to edit the reference data table "BSID_LOCATION", which is used to store the
information about base station location. The table has the following columns:
1 BSID 1 ID NUMBER(8) 1 0
NOTE: For demonstration purposes and page spacing considerations, the CL_REF_COLUMN_ID,
CL_REF_COLUMNNAME_ID, and CL_OPTLENGTH columns (normally appearing between CL_
PRIMARY_KEY and CL_NULLABLE) were intentionally removed from this example table since they
have no values in this example. Ordinarily, however, these are included columns in the COLUMN_
LIST table. For more information on the COLUMN_LIST metatable, see "Metatable Definitions" (on
page 34).
Once you populate the above table data, you should see the BSID_LOCATION reference table in the
RDMtable list, and you should be able to view and edit the data accordingly.
Lastly, configure the SERVER_LIST table to map the BSID_LOCATION table to a particular
CachedQuery. For example:
Once you configure these details, you will be able to trigger the cache refresh of the BsidLocation
CachedQuery in the configured ProcessName eIUM process that runs on the ServerName physical
server. ProcessName must have the SocketConnector component configured and must use port
number 9000. For details on the RefDataServiceManager, SocketConnector, and CachedQuery
components, see the eIUMComponent Reference.
This view displays the list of all databases which can be connected to through RDM. The interface
allows you to interact with multiple databases, if configured in your deployment. To begin, select a
database from the tree at left. After selecting a database, the Refresh Cache view for the chosen
database is displayed. See "Refresh Cache View" (on page 39) for more information.
eIUM maintains a master list of lookup table caches in-memory to avoid delays in connecting and
fetching data from the database. The Refresh Cache function in RDMprovides the ability to have
the tables be refreshed to load their updated data. eIUM can work with reference data in two modes
for the processes, whether the session server or collector. The first mode is for processing
requests, and will directly query the database, while in the second mode, RDM will not query the
database for every request, but once it starts it will cache the entire table in memory, and then it
will use the information in the cache for processing (that is, it will not go to the database for every
request, but instead use the cache).
In such cases, it is necessary to refresh the cache when you need to change some information in the
tables. RDM would then need to refresh the cache of the processes, to let the process know that the
data has changed in the tables. When you select a database, the main Refresh Cache View for the
database shows all possible processes that use the reference data, and that are caching the
reference data (as shown in the above figure). Refresh Cache functionality is also available in the
Table Edit View for a particular table, except that you can only refresh, but cannot search for, a
cache.
The main database-linked page, however, allows you to both search for and refresh a cache. Under
the Search section, you can search for a cache based on the Server Name, Cache Name, or Table
Name. Combined search parameters can be defined by selecting the Equals, Starts With, Ends With,
Contains, or Regex (regular expressions) options from the drop-down list.
Caches Table
Field Descrption
Port Refers to which port the refresh cache signal is sent to for the particular process.
Number
Field Descrption
Table Specifies the (database) table name which is cached. The corresponding Refresh Cache
Name function will be available in the corresponding table's Refresh Cache function.
Specifying search criteria from the Search fields section will filter the table under Caches according
to the parameters you specify. By default, if no search criteria is used then all the caches will be
displayed and fetched within their respective page views. To view/refresh specific caches you can
use the search function.
By default, the first 10 entries are shown (if that many caches are available). To cycle through these,
use the navigation buttons at the top of the table to move through the entries. The following table
describes these:
Rows/page Controls the number of rows you can view per page. Default is 10.
Refresh Click to refresh the table after selecting a different value for Rows/page (for
example, if you want to view 20 rows per page, click this to reload the Caches table
view).
First When multiple pages are available, jumps directly to the first page.
Last When multiple pages are available, jumps directly to the last page.
Page Indicates the current page being viewed, versus the total. You can enter a page
number to go directly to the desired page.
To refresh a cache(s), select it from the Caches table and click Refresh Cache. Click Toggle
Selection to invert which cache checkboxes are currently selected. After clicking Refresh Cache, a
message is displayed at top to indicate whether or not the refresh was successful.
The Table Edit View has three main sections, corresponding to the related function: Add, Search, and
Search Results. By default, the Search Results section displays all the current entries in the table. By
default, the first 10 entries are shown. To cycle through these, use the navigation buttons at the top
of the table to move through the entries. The following table describes these:
Rows/page Controls the number of rows you can view per page. Default is 10.
Refresh Click to refresh the table after selecting a different value for Rows/page (for
example, if you want to view 20 rows per page, click this to reload the Search Results
table view).
First When multiple pages are available, jumps directly to the first page.
Field Description
Last When multiple pages are available, jumps directly to the last page.
Page Indicates the current page being viewed, versus the total. You can enter a page
number to go directly to the desired page.
The Search Results table also includes several buttons that correspond to various table entry
functions (such as editing, canceling, deleting, and saving). Namely:
Edit row
Save edits
Searching Tables
In this section you can search table entries by specifying values for each column (that is, table field).
To perform a search, click the Search bar, which opens the search parameter interface, shown
below.
Select the column name/field from the drop-down list (these correspond to the column names in
the Search Results table).
Selecting a column then populates the adjacent field with search expressions you can choose
(Equals, Less Than, Greater Than).
Selections from the drop-down list are also populated based on the field type. For example, date
columns will have a date selector, while lookup tables will have a lookup table component. You can
click the plus icon to chain together multiple search parameters. Some tables, however, have fields
whose values need to be referenced or are associated with IDs from another table. In such cases,
you do not need to go back to the table in question to fill in values. Instead, a search icon will be
available adjacent to the search text field, which you can click to open a new pop-up window for the
table being referenced. This pop-up provides a listing of ID-name pairs you can choose from.
Click the value you want, which will then appear in the text field (the pop-up selection window closes
after making your choice). When finished defining all of your search settings, click Search. The
Search Results table at bottom will be refreshed to display your search results.
The fields in this section are mapped to the columns (fields) in the table. Required fields are marked
with a red asterisk (*). When adding an entry, your input is validated to check for entry of incorrect
data types and required fields.
Editing Tables
To edit a table entry, click the Edit Row button, which is found in the Search Results table.
After clicking this button, the selected row becomes available for editing.
When editing, required fields are also indicated by the red asterisk. Notice that the Edit button
changes to an Update Row button. Edit the desired fields and click the Update Row button, or the
adjacent Cancel button to cancel any changes. The table then refreshes to include your changes.
NOTE: You can also delete items in bulk, either via what you see in the current Search Results
table, or after searching for specific entries and then deleting the search set. See "Bulk Search
and Delete" (on page 50) for more information.
l Update only the selected rowsThis method corresponds to which row(s) you may have checked
from the Toggled column of the Search Results table, so that only the selected rows are
updated.
l Update the searched resultsUpdating via this method updates according to everything that
matches the search criteria. For more information on table searches, see "Table Edit View:
Search, Add, Edit, and Delete" (on page 42).
Updating Selected Rows
To update specific rows from the Search Results table, first open the Search bar, and then click the
Replace bar.
Specify one or more Replace conditions by selecting them from the drop-down list, and then specify
the columns to be updated by selecting the rows in the Toggle column. To replace the selected rows,
select the Selected Results option.
In the above example, the selected rows will have their current ASP_ID and Profile_ID values
replaced with "11" and "90" as their new ASP_ID and Profile_ID, respectively. When ready to replace
the values, click Replace.
In this example, the Searched Results option is selected, so when the replace operation is executed,
these rows will all be replaced to have their ASP_ID set to "11" and their Profile_ID set to "90".
Clicking Replace replaces with these values.
Since all the table rows whose ASP_ID value was previously "1" are now "11", the Search Results
table is empty and no longer applicable (due to the original search filter being applied based on an
ASP_ID of "1", which no longer exists). If you refresh the table, the replaced values can now be
observed.
l Delete only the selected rowsThis method corresponds to which row(s) you may have checked
from the Toggled column of the Search Results table, so that only the selected rows are deleted.
l Delete the searched resultsDeleting via this method removes data according to everything
that matches the search criteria. For more information on table searches, see "Table Edit View:
Search, Add, Edit, and Delete" (on page 42).
NOTE: You can also delete rows individually by clicking the red Delete button found in the Toggle
column.
In the Search Results table, specify the entries to be deleted by selecting the rows in the Toggle
column. To delete the selected rows, select the Selected Results option.
The table entries you selected are deleted from the Search Results table.
In this example, the Searched Results option is selected, so when the Delete button is clicked, the
entries in the table are deleted.
Since the entries with the ASP_ID value of 11 have now been deleted, the Search Results table is
empty (since the original search filter no longer applies).
Audit Logging
The Audit Logging functionality in RDMhelps to determine which user performed certain changes on
the reference data. The database operations that are logged and that can be seen are:
l Insert
l Update
l Delete
l Selective update
l Selective delete
l Bulk update
l Bulk delete
The data and the order of the data that is logged are configurable for any operation, and each data
event has a specific code associated with it per below:
l Insert={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{NEW_VALUES_ALL}
l Update={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{OLD_VALUES_CHANGED}{NEW_
VALUES_CHANGED}{PRIMARY_KEY}
l Delete={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{OLD_VALUES_ALL}
l SelectiveUpdate={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{NEW_VALUES_
ALL}{PRIMARY_KEY}
l SelectiveDelete={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{PRIMARY_KEY}
l BulkUpdate={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{NEW_VALUES_
CHANGED}{SEARCH_KEY}
l BulkDelete={OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{SEARCH_KEY}
For example, if you want to specify a format such as:
{OP_NAME}{USER_NAME}{DB_NAME}{TABLE_NAME}{OLD_VALUES_CHANGED}{NEW_VALUES_
CHANGED}{PRIMARY_KEY}
The RDMAudit Log configuration is stored in the configuration server under the
/webApplications/rdm x/AuditLogFormats node, as shown below (this can also be modified as
required).
NOTE: For general RDM logging information, see "Additional Log File Types" (on page 175).
Security
The following sections describe RDM-related security topics, related to authentication,
authorization, user roles, and access control.
Authentication
The Reference Data Manager uses the eIUM security infrastructure in exactly the same manner as
other Web Applications in eIUM, and any authenticated user that has appropriate roles assigned will
be able to login to RDM. For more information on security roles and privileges, see "Managing Users
and Security" (on page 106).
Authorization
In order to access RDM, a particular user needs to have the ConfigRead role assigned. This is
required to read the application-specific configuration, such as database details, audit log formats,
and so on from the eIUM configuration (ConfigServer). Apart from this role, the user needs to have
specific RDM roles to access certain content or perform operations. The LDAP roles that are
authorized by default in RDM are as follows (also see "User and Host Roles and Privileges" (on page
112)):
l RefdataRead
l RefdataWrite
l ServerAdmin
l ConfigRead
l ConfigWrite
l User
The following are the permission types available in RDM:
DEFAULT Tables
DEFAULT
Tables
Refresh
RDM User: User Rules: view edit add del Cache Admin
The policy configuration file (security-policy.xml) that implements the above setup is the following:
<!RDMAdmin -->
<policy>
<grant>
<principals>
<principal class="com.hp.usage.security.auth.Role"
name="ServerAdmin"/>
<principal class="com.hp.usage.security.auth.Role"
name="RefdataWrite"/>
<principal class="com.hp.usage.security.auth.Role"
name="RefdataRead"/>
<principal class="com.hp.usage.security.auth.Role"
name="ConfigRead"/>
<principal class="com.hp.usage.security.auth.Role"
name="ConfigWrite"/>
</principals>
<permissions>
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="DEFAULT" actions="view,edit,add,delete,refreshcache" />
<permission class="com.hp.usage.rdm.security.RDMSPermission"
target="rdm.view.cache"/>
</permissions>
</grant>
<!RDMProvisioner1 -->
<grant>
<principals>
<principal class="com.hp.usage.security.auth.Role"
name="RefdataWrite"/>
<principal class="com.hp.usage.security.auth.Role"
name="RefdataRead"/>
<principal class="com.hp.usage.security.auth.Role"
name="ConfigRead"/>
</principals>
<permissions>
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
In the above example, RDMAdmin has the roles ServerAdmin, RefdataWrite, RefdataRead,
ConfigRead, ConfigWrite and permissions to view, edit, add, delete, view the caches, refresh the
caches, and administrative tasks. The RDMProvisioner1 has all permissions on DEFAULT CATEGORY,
and the RDMViewer has only view permissions for the tables that belong to the category DEFAULT.
DEFAULT Tables
DEFAULT
Tables
Refresh
RDM User: User Rules: view edit add del Cache Admin
CATEGORY1 Tables
CATEGORY1
Tables
Refresh
RDM User: User Rules: view edit add del Cache Admin
CATEGORY2 Tables
CATEGORY2
Tables
Refresh
RDM User: User Rules: view edit add del Cache Admin
In the above table examples, it can be seen that the RDMAdmin has (1) permission to view, add, edit,
and delete all the tables of all the categories; (2) can refresh the caches related to all the tables;
and (3) is authorized for administration tasks. The RDMProvisioner1 and RDMProvisioner2 have
access to only tables of CATEGORY1 and CATEGORY2, respectively. The RDMViewer has only view
permission for the tables belonging to CATEGORY1 and CATEGORY2.
The corresponding security-policy.xml file as per the table and the configuration would be as below:
<!-- RDMAdmin -- >
<grant>
<principals>
<!-- User must have all of these roles to be granted permissions
listed below -->
<principal class="com.hp.usage.security.auth.Role"
name="ServerAdmin"/>
<principal class="com.hp.usage.security.auth.Role"
name="RefdataWrite"/>
<principal class="com.hp.usage.security.auth.Role"
name="RefdataRead"/>
<principal class="com.hp.usage.security.auth.Role"
name="ConfigRead"/>
<principal class="com.hp.usage.security.auth.Role"
name="ConfigWrite"/>
</principals>
<permissions>
<!-- Users with ALL roles listed above will be granted all of these
permissions -->
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="DEFAULT" actions="view,edit,add,delete,refreshcache" />
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="CATEGORY1" actions="view,edit,add,delete,refreshcache" />
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="CATEGORY2" actions="view,edit,add,delete,refreshcache" />
<permission class="com.hp.usage.rdm.security.RDMSPermission"
target="rdm.view.cache" />
</permissions>
</grant>
<!-- RDMProvisioner1-->
<grant>
<principals>
<!-- User must have all of these roles to be granted permissions
listed below -->
<principal class="com.hp.usage.security.auth.Role"
name="Cat1Write"/>
<principal class="com.hp.usage.security.auth.Role" name="Cat1Read"/>
<principal class="com.hp.usage.security.auth.Role"
name="ConfigRead"/>
</principals>
<permissions>
<!-- Users with ALL roles listed above will be granted all of these
permissions -->
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="CATEGORY1" actions="view,edit,add,delete,refreshcache" />
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="CATEGORY2" actions="view" />
<permission class="com.hp.usage.rdm.security.RDMSPermission"
target="rdm.view.cache" />
</permissions>
</grant>
<!--RDMViewer -->
<grant>
<principals>
<!-- User must have all of these roles to be granted permissions
listed below -->
<principal class="com.hp.usage.security.auth.Role"
name="RefdataRead"/>
<principal class="com.hp.usage.security.auth.Role" name="Cat1Read"/>
<principal class="com.hp.usage.security.auth.Role" name="Cat2Read"/>
</principals>
<permissions>
<!-- Users with ALL roles listed above will be granted all of these
permissions -->
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="CATEGORY1" actions="view" />
<permission class="com.hp.usage.rdm.security.RDMSActionsPermission"
target="CATEGORY2" actions="view" />
<permission class="com.hp.usage.rdm.security.RDMSPermission"
target="rdm.view.cache" />
</permissions>
</grant>
Above it can be seen that Provisioner1 has full permission on CATEGORY1, with read permission on
CATEGORY2. Similarly, Provisioner2 has full permissions on CATEGORY2, while read permission on
CATEGORY1. Note that you can even remove the view permission on unrelated categories,
depending on how you want to give access.
Using eIUMCommands
You can use eIUM commands to accomplish most development and maintenance tasks with your
eIUM deployment, from implementation, configuration and testing to day-to-day monitoring and
administration. The eIUM commands are particularly useful for creating automated scripts that
perform routine tasks such as back ups.
See the eIUM Command Reference for complete details on all eIUM commands.
NOTE: When you use the Launchpad or the siucontrol command to start a process, the Launchpad
and the siucontrol command use the start-up properties stored in the configuration server. When
you use any other eIUM command to start a process, the command uses the start-up properties
in the file SIU.ini. For more information on start-up properties, see "Changing Collector and Server
Start-up Properties" (on page 93) and "Start-Up Properties" (on page 230).
Security 63
Command History 64
Accessing Help 64
Non-Interactive Mode 65
Chaining Commands 66
Example Scripts 76
Using processmanager 78
Commands 78
Scripting Support 79
Using configmanager 81
Commands 81
Scripting Support 82
Security
If you have installed the optional HP eIUM Security module, you must provide a valid user name and
password with the -login and -pw options whenever you use any eIUM commands. If you have not
installed the optional HP eIUM Security module, use the eIUM commands without providing a user
name and password.
See the eIUM Installation Guide for details on installing eIUM security. See "Managing Users and
Security" (on page 106) for information on creating users and setting their privileges.
core
import imports a descriptor file dynamically
help Prints the list of available commands with
description.
Type help -c commandName for individual commands.
exit exit interactive mode
security
login Authenticates a user identity and stores the user
identity
certificate in an in-memory keystore on successful
authentication.
logout logout
log
loglevel sets the log level of the application
builtin
exec executes a script file
run runs a batch file of CLI commands
register registers a script file as a new command
unregister unregisters a previously registered command
get Prints the value of a variable from the environment
set Sets the value of a variable in the environment
file
ls lists the files in the current working directory
pwd prints the current working directory
cd Changes the current working directory to the one
specified
iumconsole>>
When you execute the iumconsole command from the %BINROOT%/bin directory of your eIUM
installation, it opens the eIUM-specific shell with the basic commands loaded (shown above).
Connection to the repository and checkouts are done automatically when iumconsole starts up
and shuts down (see "Repository Service Integration" (on page 73) for more information). To exit the
console, use the exit command.
NOTE: Commands executed via the eIUM console are specific to the console environment only. By
contrast, the eIUM commands described in the eIUM Command Reference are of a different nature
and cannot be run inside the iumconsole shell.
You can also type the first letter of a known command, and for cases when there are multiple
commands matching what you enter, the eIUM console will suggest the commands beginning with
that character. For example, in the command shell, type e and then press the Tab key. The eIUM
console detects that there are two commands starting with the letter e, exec and exit, and
suggests these on separates lines. When more than one command exists that matches the
character(s) you enter, pressing the Tab key makes the eIUM console suggest all the available
commands that match the specified characters. Otherwise, when there is only one item that
matches what you have entered, the command line will be filled in with the specified command.
Command History
For the current console session, the eIUM console can remember each command you have executed
in the shell. Similar to other command shell environments, you can access the history of entered
commands by pressing the up and down arrow keys.
Accessing Help
You can review help information regarding the arguments taken by each command. To do this, enter
help -c <CommandName>, where <CommandName> is the name of the command you want help
with. For example, to get help on the import command:
help -c import
You can execute the a.txt sample script file using exec like the following (where -f is the
argument to call a file):
iumconsole>>exec -f a.txt
hello world
iumconsole>>
The script file should be written in the MVEL (2.0) scripting language, and use the special context
variable to print the text to the console. See http://mvel.codehaus.org/ for more information on
MVEL, and "Command Context Interface" (on page 77) for more information on this variable.
The batch file first sets a variable called age to the value of 40 using the eIUM console set
command. It then uses the console get command to print all the variables in the system. You can
execute this example script from within the eIUM console shell as follows:
iumconsole>>run -f b.txt
Variable age set to 40
age=40
iumconsole.metadir=C:\SIU\var\iumconsole\.meta-1282726394607
repository.client=com.hp.usage.jcr.repository.RepositoryClient@4d4f6e
$descdir=file:/C:/SIU/var/iumconsole/.scripts-
1282726394607/iumconsole/
secure=false
iumconsole>>
In this example, the repository.client, $descdir, and secure settings are internal variables used
by the eIUM console.
Non-Interactive Mode
You can execute iumconsole in non-interactive mode by passing the commands to be run as
command-line arguments. For example:
C:\SIU\bin>iumconsole help
Connected to the repository at: null
Successfully checked out: [iumconsole] to
C:\SIU\var\iumconsole\.scripts-1282726394607\iumconsole
core
import imports a descriptor file dynamically
help Prints the list of available commands with
description.
Type help -c commandName for individual commands.
exit exit interactive mode
security
login Authenticates a user identity and stores the user
identity
certificate in an in-memory keystore on successful
authentication.
logout logout
log
loglevel sets the log level of the application
builtin
exec executes a script file
run runs a batch file of CLI commands
register registers a script file as a new command
unregister unregisters a previously registered command
get Prints the value of a variable from the environment
set Sets the value of a variable in the environment
file
ls lists the files in the current working directory
pwd prints the current working directory
cd Changes the current working directory to the one
specified
There are no changes
Checkout discarded for: [iumconsole]
Disconnected from the repository
C:\SIU\bin>
In the above example, iumconsole is executed with the help command, which it executes and
returns to the operating system prompt, without going into interactive mode. This is a feature of
iumconsole, whereby it executes the commands and exits without going into interactive mode when
commands are provided as command-line arguments of iumconsole.
Chaining Commands
You can execute multiple, subsequent commands in the console using the double-hyphen (--)
command separator. In this manner, the eIUM console will execute these commands and then exit
back to the operating system prompt. For example:
C:\SIU\bin>iumconsole help -- get
Connected to the repository at: null
Successfully checked out: [iumconsole] to C:\SIU\var\iumconsole\
.scripts-1286283832263\iumconsole
core
import imports a descriptor file dynamically
help Prints the list of available commands with
description.
Type help -c commandName for individual commands.
exit exit interactive mode
security
login Authenticates a user identity and stores the user
identity
certificate in an in-memory keystore on successful
authentication.
logout logout
log
C:\SIU\bin>
In the above example, iumconsole is executed with the help command, followed by the get
command, which it executes and returns to the operating prompt, without going into interactive
mode.
NOTE: All commands include a -silent option, which runs the command in non-interactive mode.
exec exec -file <path> Executes a script file. -file <path>Location of the
[-silent] script file that should be
executed.
run run -file <path> Runs a batch file of eIUM console -file <path>Location of the
[-silent] commands. batch file that should be
executed.
register register [-args] Registers a script file as a new -argsWith this parameter
[-description command. set, the register command
<description>] - will prompt you for
file <path> - arguments for the new
name command.
<command> [-
-description <description>
silent]
Description of the command
being registered.
-name <command>Name
of the command under which
the script will be registered.
are printed.
set set -name Sets the value of a variable in the -name <variable>The
<variable> [- environment. name of the varible whose
silent] -value value is to be set.
<value>
-value <value>The value of
the varible to be set.
ls ls [-dir <arg>] [- Lists the files in the current -dir <arg>The name of the
silent] working directory. directory, relative to the
current working directory, for
which files should be listed.
cd cd [-silent] -to Changes the current working -to <arg>The name of the
<arg> directory to the one specified. directory, relative to the
current working directory,
which should be set as the
current working directory.
These services can be accessed through the configuration server HTTP URL. In eIUM, the ability to
fetch the IOR of the configuration server has been available by using http://localhost:8158/. This
URL, however, can also fetch the IOR of any eIUM service (eIUM admin agent, collectors query
interface, and so on), and can give you information about the topology of eIUM (specifically, its
collectors and hosts in the entire deployment). For example, entering the
http://localhost:8158/topology/* URL in your web browser displays the following XML as output:
<results>
<host name="testhostid" path="/host[@name='testhostid']">
<server name="AdminAgent" path="/host[@name='testhostid']/server[@name='AdminAgent']"
type="AdminAgent">
<service location="/deployment/testhostid/@AdminInterface" name="AdminAgent"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='AdminAgent']"
type="corba"/>
<service location="/deployment/testhostid/@ProcessManagerInterface" name="ProcessManager"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='ProcessManager']"
type="corba"/>
<service location="/deployment/testhostid/@AdminInterface" name="Admin"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='Admin']"
type="corba"/>
<service location="/deployment/testhostid/@DiagManagerInterface" name="DiagManager"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='DiagManager']"
type="corba"/>
<service location="/deployment/testhostid/@FileManagerInterface" name="FileManager"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='FileManager']"
type="corba"/>
<service location="/deployment/testhostid/@ManagementServiceInterface"
name="ManagementService"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='ManagementService']"
type="corba"/>
<service location="/deployment/testhostid/@SafeFileHandlerInterface" name="SafeFileHandler"
path="/host[@name='testhostid']/server[@name='AdminAgent']/service[@name='SafeFileHandler']"
type="corba"/>
</server>
<server name="Demo" path="/host[@name='testhostid']/server[@name='Demo']"
type="Collector">
<service location="/collectors/Demo/@AdminInterface" name="Collector"
path="/host[@name='testhostid']/server[@name='Demo']/service[@name='Collector']"
type="corba"/>
<service location="/collectors/Demo/@AdminInterface" name="Admin"
path="/host[@name='testhostid']/server[@name='Demo']/service[@name='Admin']"
type="corba"/>
<service location="/collectors/Demo/@BackupOperationInterface" name="BackupOperation"
path="/host[@name='testhostid']/server[@name='Demo']/service[@name='BackupOperation']"
type="corba"/>
<service location="/collectors/Demo/@QueryInterface" name="Query"
path="/host[@name='testhostid']/server[@name='Demo']/service[@name='Query']" type="corba"/>
<service location="/collectors/Demo/@UsageChannelControlInterface"
name="UsageChannelControl"
path="/host[@name='testhostid']/server[@name='Demo']/service[@name='UsageChannelControl']"
type="corba"/>
</server>
<server name="Parlay" path="/host[@name='testhostid']/server[@name='Parlay']"
type="SessionServer">
<service location="/collectors/Parlay/@AdminInterface" name="Admin"
path="/host[@name='testhostid']/server[@name='Parlay']/service[@name='Admin']"
type="corba"/>
<service location="/collectors/Parlay/@QueryInterface" name="Query"
path="/host[@name='testhostid']/server[@name='Parlay']/service[@name='Query']"
type="corba"/>
<service location="/collectors/Parlay/@TransactionManagerInterface"
name="TransactionManager"
path="/host[@name='testhostid']/server[@name='Parlay']/service[@name='TransactionManager']"
type="corba"/>
<service location="/collectors/Parlay/@UsageChannelControlInterface"
name="UsageChannelControl"
path="/host[@name='testhostid']/server[@name='Parlay']/service[@name='UsageChannelControl']"
type="corba"/>
</server>
<server name="ConfigServer" path="/host[@name='testhostid']/server[@name='ConfigServer']"
type="ConfigServer">
<service location="/" name="Config"
path="/host[@name='testhostid']/server[@name='ConfigServer']/service[@name='Config']"
type="corba"/>
<service location="/ConfigServer/ConfigServer/@AdminInterface" name="Admin"
path="/host[@name='testhostid']/server[@name='ConfigServer']/service[@name='Admin']"
type="corba"/>
</server>
<server name="RepositoryServer"
path="/host[@name='testhostid']/server[@name='RepositoryServer']" type="RepositoryServer">
<service location="/deployment/@RepositoryService" name="RepositoryService"
path="/host[@name='testhostid']/server[@name='RepositoryServer']/service[@name='RepositoryService']"
type="webservice"/>
</server>
</host>
</results>
This XML output shows the entire deployment with its single host (testhostid), five servers under
that host (AdminAgent, ConfigServer, Demo collector, Parlay session server, and RepositoryServer)
and the corresponding services under each server. eIUMs topology is organized in terms of hosts in
the uppermost node in the hierarchy, with servers (collectors, session servers, file collection servers,
and so) subsumed under each host. Meanwhile, each server contains a list of services.
The topology information, however, does not contain the runtime state of any of the processes.
Rather, it just shows the list of servers available under each node, and the list of services applicable
for each server. A server/service appearing in the topology service denotes that it is configured and
available under that node and does not mean it is actually running.
The eIUM topology output (derived above using http://localhost:8158/topology/*) can be searched by
specifying an XPath-like expression in the URL. For this example, an asterisk (*) was appended, which
signifies an XPath expression to fetch everything in the topology data. You can also, for example,
specify alternative XPath expressions to refine your search to a particular host:
http://localhost:8158/topology/host[@name='testhostid']
or a particular type:
http://localhost:8158/topology/host/server[@type='Collector']
The following are some additional XPath combinations you can use.
XPath Expressions
XPath Result
Each service exposes a path variable which can be used to get its IOR from the registry service. For
instance, browsing to
"http://localhost:8158/registry/host[@name='testhostid']/server[@name='Demo']/service[@name='Collector']"
returns the IOR of the Collector service of the Demo Collector in testhostid. Note that the URL has a
registry instead of a topology in its path. This tells the ConfigServer HTTP process to fetch the IOR
instead of the topology information.
The first line gets the ConfigServers Config interface from the registry interface and calls the
getConfigAttribute() method upon it. Next, it gets the Datastore configuration node and prints the
value of the ClassName attribute under it. The second line gets the ConfigServers Admin interface
and prints the starting time of the configuration server. Notice that the first method call had only
one argument while the second line has two arguments. Each server has a default interface which
will always be fetched by default. Calling the two-argument getService() method will explicitly fetch
that particular service of the server.
The third line fetches the AdminAgents AdminAgent interface and prints the IP address of the
host on which it is running. The fourth line prints the start time of the admin agent from its Admin
interface, while the fifth line prints the status of the Demo collector. Lastly, the sixth line prints the
start time of the Demo collector from its Admin interface.
Demo.Admin = 1273483594
iumconsole>>
The eIUM console will prompt you for any variable in the script that it cannot understand. For
example, consider the following script (called start.txt):
procManService = context.getService("testhostid/AdminAgent",
"ProcessManager");
process = procManService.getProcessByName("/deployment/testhostid/"
+ name);
process.startProcess(new com.hp.siu.corba.PropertyList(new
com.hp.siu.corba.PropertyInfo[] {}));
The above script uses the AdminAgents ProcessManager service to start a service. The second
line tries to get the process ["/deployment/testhostid" + name], where name is unknown to the
eIUM console. To resolve this issue, the eIUM console prompts you to enter the value for name as
follows:
iumconsole>>exec -f start.txt
name=Demo
...
With the value you have entered, it then tries to start the process identified by
/deployment/testhostid/Demo.
To remove a custom command, the unregister command allows you to remove it from the
repository server, thereby making it unavailable to other eIUM hosts. This process is illustrated in
the example steps below.
1. Start the eIUM Console. It will connect to the repository server automatically.
C:\Temp\console>c:\SIU\bin\iumconsole.exe
Connected to the repository at: null
Successfully checked out: [iumconsole] to
C:\SIU\var\iumconsole\.scripts-1282726394607\iumconsole
iumconsole>>
3. Since the help command lists help information for all the commands, you can use the help
display to confirm if the new custom command has been properly registered.
iumconsole>>help
core
import imports a descriptor file dynamically
help Prints the list of available commands with
description.
Type help -c commandName for individual commands.
exit exit interactive mode
security
login Authenticates a user identity and stores the user
identity
certificate in an in-memory keystore on successful
authentication.
logout logout
log
loglevel sets the log level of the application
builtin
exec executes a script file
run runs a batch file of CLI commands
register registers a script file as a new command
unregister unregisters a previously registered command
get Prints the value of a variable from the environment
set Sets the value of a variable in the environment
file
ls lists the files in the current working directory
pwd prints the current working directory
cd Changes the current working directory to the one
specified
custom
custom command to custom
iumconsole>>
5. Exit from the eIUM console. It will automatically save the registered custom command to the
repository.
iumconsole>>exit
=== Changes to submit for: [iumconsole] ==
Added:
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.txt
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.xml
--------------------------
=== Changes have been successfully submitted for: [iumconsole] ==
Added:
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.txt
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.xml
--------------------------
Disconnected from the repository
C:\Temp\console>
6. Preferably from a different host, start the iumconsole again. It will automatically import the
custom command from the repository.
C:\Temp\console>c:\SIU\bin\iumconsole.exe
Connected to the repository at: null
Successfully checked out: [iumconsole] to
C:\SIU\var\iumconsole\.scripts-1282726394607
imported from repository: custom-cli.xml
custom>>
9. View the console help to ensure the custom command does not appear in the list of available
commands.
iumconsole>>help
core
import imports a descriptor file dynamically
help Prints the list of available commands with
description.
Type help -c commandName for individual commands.
exit exit interactive mode
security
login Authenticates a user identity and stores the user
identity
certificate in an in-memory keystore on successful
authentication.
logout logout
log
loglevel sets the log level of the application
builtin
exec executes a script file
run runs a batch file of CLI commands
register registers a script file as a new command
10. Exit the console. The custom command will be deleted from the repository server, as shown
below.
iumconsole>>exit
=== Changes to submit for: [iumconsole] ==
Deleted:
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.txt
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.xml
--------------------------
=== Changes have been successfully submitted for: [iumconsole] ==
Deleted:
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.txt
C:\SIU\var\iumconsole\.scripts-1282726394607\custom-cli.xml
--------------------------
Disconnected from the repository
C:\Temp\console>
Example Scripts
The following are some sample scripts. As mentioned previously, scripts are composed using the
MVEL 2.0 scripting language (http://mvel.codehaus.org/), and can have any file extension. For
example, the following is a sample script to start a process:
procManService = context.getService("testhostid/AdminAgent",
"ProcessManager");
process = procManService.getProcessByName("/deployment/testhostid/" +
name);
process.startProcess(new com.hp.siu.corba.PropertyList(new
com.hp.siu.corba.PropertyInfo[] {}));
To stop a process:
procManService = context.getService("testhostid/AdminAgent",
"ProcessManager");
process = procManService.getProcessByName("/deployment/testhostid/" +
name);
process.stopProcess();
context.output(proc);
}
This script starts a process when loading a text configuration file. It adds the processes into the
configuration server using the addProcess() function, where the processes can then be started:
procManService = context.getService("iumindt28/AdminAgent",
"ProcessManager");
procManService.addProcess("/deployment/iumindt28/" + name);
process = procManService.getProcessByName("/deployment/iumindt28/" +
name);
process.startProcess(new com.hp.siu.corba.PropertyList(new
com.hp.siu.corba.PropertyInfo[] {}));
CommandContext Methods
Method Description
void error(String message) throws Outputs the message to the error stream of
IOException; standard output.
void error(Exception e) throws IOException; Outputs the exception stack trace to the error
stream of standard output.
void output(String message) throws Outputs the message to the standard output
IOException; stream.
boolean confirm(String question) throws Outputs the question to the user, waits until they
IOException; enter an answer, and returns with a Boolean
response.
String input(String question) throws Outputs the question to the user, waits until they
IOException; enter an answer, and returns with the response.
String input(String question, boolean mask) Same as input(String), but the users answer is
throws IOException; masked based on the masking flag.
String getArgumentValue(String argName) Gets the value of the argument that was entered
throws ArgumentNotFoundException; while executing the command.
String[] getArgumentValues(String Gets all the values of the argument that was
argName) throws entered while executing the command.
ArgumentNotFoundException;
Method Description
String[] getVariableNames(); Gets the list of all variables set in the application
environment.
Object getVariable(String name); Gets the value of the specified variable from the
application environment.
void setVariable(String name, Object value); Sets the value of the specified variable to the
specified value.
Remote getService(String name) throws Gets a remote service object from the registry
NotBoundException, RemoteException; service based on its name.
Remote getService(String name, String Gets a remote service object from the registry
type) throws NotBoundException, service based on its name and type.
RemoteException;
Using processmanager
processmanager is an eIUMConsole-based command that allows you to perform administrative
operations on eIUM processes, such as starting and stopping processes, obtaining process status,
performing cleanup, or setting the log level. processmanager also supports fetching the JMX
attribute values of managed components in the deployment.
Commands
The processmanager tool inherits all iumconsole commands and adds the following new
commands. Also see the eIUMCommand Reference for additional details.
processmanager Commands
Command
Name Description
start Starts one or more eIUM processes or services. Processes under localhost can be
referenced by just the process name. Processes under different hosts should be
referenced by the full path name, as seen in the configuration server
(/deployment/host2/collector2). FileCollectors under a File Collection Service can also
be started by referencing them using the full configuration path of the service under
the process (/deployment/host1/FCS1/DataSource1).
Command
Name Description
stop Stops one or more eIUM processes or services. Processes under localhost can be
referenced by just the process name. Processes under different hosts should be
referenced by the full path name, as seen in the configuration server
(/deployment/host2/collector2). FileCollectors under a File Collection Service can also
be stopped by referencing them using the full configuration path of the service under
the process (/deployment/host1/FCS1/DataSource1).
list Shows the list of processes under the local host, or under other hosts in the
deployment. The list can be filtered based on the process type (Collector,
SessionServer, and so on).
show Shows details about eIUM processes under the local host or other hosts in the
deployment. Processes under the local host can be referenced through just the
process name. Processes under other hosts should be referenced using the full
configuration path of that process (/deployment/host2/collector2). When no
argument other than the process name is provided, the status of that process will be
shown.
loglevel Sets the log level of the process or command. Processes under localhost can be
referenced by just the process name. Processes under different hosts should be
referenced by the full path name as seen in the configuration server
(/deployment/host2/collector2). When no process name is provided, the log level of
the processmanager command will be set. When no log level is specified, the current
log level of the process or processmanager command will be shown.
cleanup Cleans up one or more eIUM processes. Processes under localhost can be referenced
by just the process name. Processes under different hosts should be referenced by
the full path name as seen in the configuration server
(/deployment/host2/collector2).
jmx Shows the JMX attributes and its values exposed by a managed component in eIUM.
See the eIUM Command Reference guide for examples.
Scripting Support
processmanager supports a scripting interface for accessing the JMX attributes exposed by
managed components. Scripts can be executed using the iumconsole exec command, and saved
to the repository server using the register and unregister commands (see "Console
Command Reference" (on page 67) for more information on iumconsole commands, and
"Repository Service Integration" (on page 73) for more on the repository service). The scripting
interface has the following methods:
Scripting Methods
Method Signature Description
The following is a script that prints all the values of the JMX attributes exposed by the managed
component "http" under process "HttpTextXML", running under host "testhostid":
client = context.getVariable("jmx.client");
comp1 = client.getManagedComponent("testhostid", "HTTPTextXML",
"http");
attributes = client.getManagedAttributes(comp1);
int i=0;
for (i=0; i < attributes.length; i++) {
context.output(attributes[i] + " = " +
client.getManagedAttributeValue(comp1,
attributes[i]));
}
processmanager>>exec c:\temp\processmanager\jmx.txt
NumConnections = 1
TotalErrorMessages = 0
BytesReceived = 0
TotalRequestProcessingTime = 18416
NumPendingRequests = 0
NumPendingResponses = 0
TotalRequestsReceived = 22
BytesSent = 1299
TotalResponsesSent = 22
processmanager>>
Using configmanager
configmanager is an eIUMConsole-based command that allows you to load and save configurations
from the configuration server, and then find the changes made to a configuration file versus the
time it was saved on the configuration server. This allows you to track changes to your configuration
file and avoid overwriting other eIUM users' changes on the configuration server. The tool also
allows script files to get and make point changes on the configuration server, such as obtaining and
setting the value of a configuration attribute. This is useful in cases where the configuration tree is
too large and can take too long to load in the Launchpad to edit.
Commands
The configmanager tool inherits all iumconsole commands and adds the following new
commands. Also see the eIUMCommand Reference for additional details.
configmanager Commands
Command
Name Description
checkout Saves the specified configuration sub-tree on the configuration server to a file at
the specified location. The command also saves a copy as a backup file in its
meta-directory (%VARROOT%/configmanager/%login-name%/.checkouts), so
that it can find the changes made to the file checked out. The files checked out
are maintained across configmanager sessions. For this purpose, a list is
maintained of all files that have been checked out at
%VARROOT%/configmanager/%login-name%/.checkouts/list.xml.
undocheckout Discards a file that has been checked out, in addition to its associated meta-
information. All changes done to the checked out file will be lost. The file that was
checked out, as well as the backup file, will both be deleted after this operation.
checkin Loads a file that has been checked out to the configuration server, after ensuring
that the configuration on the server has not been modified by another user after
this file was checked out. This is accomplished by comparing the latest
configuration on the server with the backup file created when the user checked
out this file. The checkin operation will fail when the configuration on the server
was found to have been modified by another user.
changes Lists the changes made to the file that has been checked out, by comparing it
with the backup file created during the checkout operation.
list Lists the files that have been checked out so far. The files that have been
checked out are maintained across configmanager sessions. For this purpose, a
list is maintained of all files that have been checked out at
%VARROOT%/configmanager/%login-name%/.checkouts/list.xml.
Scripting Support
As with processmanager, configmanager supports a scripting interface for accessing the
configuration server via scripts. Such scripts can be executed using the iumconsole exec
command and saved to the repository server using the register and unregister commands
(see "Console Command Reference" (on page 67) for more information on iumconsole
commands, and "Repository Service Integration" (on page 73) for more on the repository service).
The interface has the following methods:
Scripting Methods
Method Signature Description
String[] Gets all the values of the specified attribute (name) under the specified
getAttributeValues configuration node (path). For example:
(String name,
getAttributeValues("NMEFields",
String path)
"/deployment/host01/collector01/Encapsulator");
String[] Gets the names of all the attributes under the specified configuration node
getAttributeNames (path). For example:
(String path)
getAttributeNames("/deployment/host01
/collector01/Encapsulator");
boolean Adds an attribute with the specified name and specified values under the
addAttribute specified configuration node (path) of the configuration tree. If an attribute
(String name, with the specified name already exists, the specified values will be appended
String[] to the existing value. For example:
values, String path)
addAttribute("NMEFields", new String[]
{"SrcIPv6,,::0::255,1"}, "/deployment/host01
/collector01/Encapsulator");
void setAttribute Replaces the specified attribute (name) with the new values specified, under
(String name, the specified configuration node (path) of the configuration tree. When the
String[] attribute does not exist, a new attribute will be created. For example:
values, String path)
setAttribute("NMEFields", new String[]
{"SrcIP,,15.0.0.1,15.0.0.19", "SrcIPv6,,::0::255,1"},
"/deployment/host01/collector01/Encapsulator");
String setAttribute Replaces the specified index of the multi-valued attribute (name) with the
(String name, new value specified, under the specified configuration node (path) of the
String value, int configuration tree. When the attribute does not exist, a new attribute will be
index, String path) created. When the specified index does not exist, an
ArrayOutOfBoundsException error will be generated. For example:
setAttribute("NMEFields", "SrcIPv6,,::0::255,1",
0 "/deployment/host01/collector01/Encapsulator");
boolean Deletes the specified attribute (name) under the specified configuration
deleteAttribute node (path) of the configuration tree. When the attribute does not exist, the
(String name, delete operation returns false. For example:
String path)
deleteAttribute("NMEFields", "/deployment
/host01/collector01/Encapsulator");
String Deletes the specified index of the multi-valued attribute (name) under the
deleteAttribute specified configuration node (path) of the configuration tree. When the
(String name, int attribute does not exist, the delete operation will return null. Otherwise, the
index, older value being deleted will be returned. For example:
String path)
deleteAttribute("NMEFields", 0,
"/deployment/host01/collector01/Encapsulator");
String[] Gets the names of all the configuration sub-nodes under the specified
getConfigNames configuration node (path). For example:
(String path)
getConfigNames("/deployment/host01");
void Sets a new configuration sub-node with the specified path in the
createConfigEntry configuration tree. All nodes in the path will be created if necessary. If a node
(String path) with that name exists already, it will be replaced with an empty entry. For
example:
createConfigEntry("/deployment/host01/collector01");
boolean delete Deletes the configuration sub-node at the specified path of the configuration
ConfigEntry tree. If a node with that name does not exist, this method will return false.
(String path) For example:
deleteConfigEntry("/deployment/host01/collector01");
The following example script prints all the values of the "NMEFields" attribute at
/deployment/testhostid/Demo/Encapsulator:
client = context.getVariable("config.client");
nmeFields = client.getAttributeValues("NMEFields",
"/deployment/testhostid/Demo/Encapsulator");
int i=0;
for (i=0; i < nmeFields.length; i++) {
context.output("NMEFields[" + i + "]=" + nmeFields[i]);
}
configmanager>>exec -f c:\temp\configmanager\attrs.txt
NMEFields[0]=StartTime,,0,20,*10
NMEFields[1]=EndTime,,20,30,*10
NMEFields[2]=SrcIP,,15.0.0.0,15.0.0.19
NMEFields[3]=SrcIPv6,,::0,::255,1
NMEFields[4]=NumBytes,800,100,5000,+100
configmanager>>
Creating Collectors
This documentation describes how to create collectors and other eIUM processes and servers. For
background information on eIUM collectors and servers, see the eIUM Foundation Guide. This
documentation assumes you are familiar with the eIUM Launchpad interface. For details on the
Launchpad, see "Using the HP eIUM Launchpad and Operations Console" (on page 20).
Testing Collectors 86
Deploying Collectors 87
l Create a collector or server from a template using the Launchpad then customize it for your
needs. This is the simplest way to create collectors and servers. HP eIUM includes many
preconfigured collector and server templates you can use to create your own collectors and
servers. See the HP eIUM Template Reference for a list of available templates. You can also create
your own templates from the collectors and servers you have already configured. See "Creating
Custom Templates" (on page 86).
l Create a collector using the deployment editor in the Launchpad. Open the deployment editor by
selecting a host and selecting the Tools -> Deployment Editor menu item. Open the desired
collector configuration node under /deployment/host/collector and right-click any node to
display the edit menu. Note that you must be familiar with configurations and the configuration
structure to use the deployment editor. For complete details on configurations of eIUM
components, see the eIUM Component Reference.
l Create a collector by loading a text configuration file into the configuration server with the
loadconfig command. You can use the saveconfig command to save the configuration for a
collector in a text file, edit the text file and load the modified configuration with the loadconfig
command. See the eIUM Command Reference for information on the saveconfig and loadconfig
commands. Note that you must be familiar with configurations and the configuration structure
to use the loadconfig command.
CAUTION: Make sure only one person modifies your configuration at a time. You can modify the
configuration with the Launchpad or the loadconfig command. If multiple people modify the
configuration simultaneously, some changes could be lost.
CAUTION: Loading the configuration for a collector while it is running can cause the collector to
be unreachable if the IOR information is overwritten. Be sure to stop a collector before loading its
configuration.
NOTE: When loading configurations with the Launchpad or the loadconfig command, make sure
you load valid configurations as the configurations are simply copied into the configuration
server.
Configuration attributes reside in a particular place in the configuration server. The configuration
server is a tree structure similar to a UNIX or Windows directory structure. Each node in the tree
contains configuration attributes and each node may have subnodes.
You can also create your own collector templates customized for your environment and create
collectors from them. See "Creating Custom Templates" (on page 86).
1. Select the File-> New Collector button or click on the Create Collector button. This opens the
New Collector window that lists all the available templates.
2. Select a template to use to create your collector or server. Select the custom template button
to see the templates you have created. See "Creating Custom Templates" (on page 86) for how
to create your own templates. Click Next.
3. Select the host on which this collector or server is to run.
4. Enter the collector or server name.
NOTE: Collector and server names must be unique across your entire deployment, even
across different hosts. These names must not start with a number and must not contain
dashes or spaces. Do not name any collector security because it is a reserved name. If you
are using an Oracle database, the sum of the number of characters in the collector name
and scheme name must not exceed 20 characters.
5. Enter a text description of the collector that will help you remember the collectors purpose.
6. Check the default configurations for the template and modify any as needed for your
requirements.
7. Click the Create button. This creates a collector on the specified host based on the template
you selected.
For example, if you have a large number of voice switches or other devices you need to collect from,
you can save a lot of time and trouble by creating a collector for your device, then creating a
template based on that collector and creating additional collectors based on your custom template.
1. In the Launchpad, select the collector you want to create a template based on.
2. Select the Actions -> Save as Template menu item.
3. Enter a name for your template and click OK. The next time you create a new collector, select
the Custom Template button and your custom templates will be available.
4. Use your new custom template when creating collectors as described in "Creating Collectors
from Collector Templates" (on page 85).
Do not modify any HP supplied collector templates under /templates/factory. These may be
overwritten in future releases and your changes would be lost. Create your own templates in
/templates/custom.
See also the white paper Managing Large Deployments from the HP eIUM customer support web site.
See the eIUM Release Notes for how to get to the HP eIUM customer support web site.
Testing Collectors
After you have created a collector, try starting it as described in "Starting a Collector or Server" (on
page 88). You may be able to use the sample input data files at C:\SIU\SampleData on Windows or
/opt/SIU/SampleData on UNIX. Or you can test with one of the demo collectors to generate pseudo-
random data based on the encapsulator configurations. Create a demo collector using one of the
Demo collector templates.
Check the collector's status with the Launchpad. If the collector is not running, check the collector's
log file with the Launchpad to determine why it would not run. Change the collector's configuration
as needed, clean up the collector and try starting it again.
If the collector runs, check the collectors status, statistics, log file, and diagnostics. Check the NMEs
being saved by the collector. If anything does not appear as you expect, stop the collector, modify
the collector's configurations, clean up the collector and run it again until you have the collector
configured properly.
Each of the tasks mentioned above is described in "Managing Collectors and Other Servers" (on
page 88). See also "Maintaining and Troubleshooting eIUM" (on page 206).
Once one collector is running properly, create and test the next collector in your deployment. Once
all your collectors are running correctly, integrate your deployment with the business application
you are using with eIUM, for example billing, reporting, capacity planning, and so forth.
Deploying Collectors
Once all your collectors are working properly and your application is integrated with eIUM,
automatically start the collectors as described in "Automatically Starting a Collector or Server" (on
page 89).
Add backing up of eIUM configuration data and collected data to your backup plans. See "Backing Up
Your eIUM Deployment" (on page 156).
If you are using OpenView or some other network management tool, integrate eIUM into that tool.
For more information, see the eIUM Foundation Guide.
Each collector and server running on a host uses the host default properties, unless the collector or
server explicitly overrides the host default properties. When the collector starts, it uses all the
explicitly set properties and host default properties for all other properties.
l Automatic The host admin agent will start the collector whenever it starts up. The host admin
agent is a Windows service or UNIX daemon so it will start the collector whenever the system is
rebooted.
l Manual The collector will not be started when the host admin agent starts. You must start the
collector manually using the Launchpad or the siucontrol command.
l %DEFAULTS% The collector will use the host default value for STARTUPMODE.
To make the collector start automatically, do the following:
3. Double click the STARTUPMODE property, or right click the STARTUPMODE property and select
the Edit Value menu item.
4. Modify the value to be either Automatic or Manual. If the host default value for STARTUPMODE
is automatic, you can set the value to be %DEFAULTS%.
5. Click OK. The collector will start automatically the next time the host admin agent is restarted
or whenever the system reboots.
You can also determine whether or not a host, collector or server is running as follows: In the
Launchpad, select a collector, host or other server and do either of the following:
l Hold the mouse pointer over the collector, host or server until the Launchpad displays the name,
host, state and description.
l Select the Status tab at the bottom of the Launchpad window. If the Status tab is not displayed,
select the View: View Operational Status menu item.
You can also use the siuquery command and the reporting application to view collector data. See the
eIUM Command Reference for information on the siuquery command. See the eIUM Foundation Guide
for information on reporting.
CAUTION: Clearing a collectors or servers data removes all the data they have collected.
1. In the Launchpad, select a collector or file collection service or file distribution service.
2. Do one of the following:
n Right click the server and select the Cleanup menu item, or
Alternatively you can create a new collector with the deployment editor or by importing a
configuration file using the File: Import Configuration menu item or the loadconfig command.
See "Creating Collectors" (on page 84) for complete details on how to create a new collector.
collector be stopped, cleaned up and restarted before the change can take effect. All components
and their attributes are described in the eIUM Component Reference.
CAUTION: Make sure only one person modifies the configuration at a time. Multiple simultaneous
changes can cause some changes to overwrite other changes.
4. To save the configuration in one file, select the File button and type in the path and name of a
file. To save the configuration in separate configuration files, one file for each node under the
item, select the Directory button and enter a directory path. Or use the Browse button to select
a directory.
5. Click the Ok button. This either saves one file containing the items entire configuration tree in
the specified file, or it saves the configuration in separate files corresponding to each item
under the specified item in the configuration tree. Each file is named with the configuration
tree node with a suffix of .config. For example, for a collector it saves Encapsulator.config,
Aggregator.config, Datastore.config, Properties.config and License.config in the specified
directory.
l Change the host default properties, which affects all processes running on the host unless the
process explicitly overrides the host default properties. See "Changing Default Host Properties"
(on page 96) for how to change host default properties.
l Specify that the collector should override the host default properties as follows.
1. In the Launchpad, select a collector or server.
2. Select the Actions: Properties menu item, or right click and select the Properties menu item.
(Not all servers have properties you can set.)
3. Double click the property you want to modify, or right click the property and select the Edit
Value menu item.
4. Modify the value. Set the value to be %DEFAULTS% if you want to use the host default property
value.
5. Click OK or Apply.
6. Stop the collector or server
7. Clean up the collector if needed.
8. Start the collector or server.
NOTE: The host admin agent must be running to change log levels using the Launchpad. See
"Ensure eIUM Components are Running" (on page 209) for more information.
NOTE: Using any of the Debug log levels can significantly reduce collector and server
performance. Only use the Debug levels temporarily when debugging a collector or server. Debug
log messages produce a large number of detailed log messages in a short amount of time. The
internal nature of many Debug messages can make them difficult to understand. The normal log
file rolling and aging process will remove old log files when they are full. Also see "Controlling Log
File Rollover and Aging" (on page 182), and "eIUM Logging" (on page 172).
n Right-click the collector, host or server and select the Diagnostics menu item, or
n Select the Actions: Diagnostics menu item.
3. Select one or more diagnostics to run.
4. Click the Execute button to perform the diagnostics and display the results of the diagnostic
tests. Click the Save button to save the results of the diagnostic tests to a file.
During eIUM activation, a database is selected. This can be MySQL if you purchased this product
extension with eIUM, or it can be some other external database (such as Oracle) that you maintain.
Several configuration variables are assigned with values corresponding to this database. As
described in "The Environment Node" (on page 98), these values are stored under
/deployment/<host>/Environment and can be used in the collector configuration. For example, when
creating a Demo collector and then examining its /Datastore] configuration node, the following can
be observed:
[/deployment/host01/collector1/Datastore]
ClassName=JDBCDatastore
Database=${DATABASEURL}
DatabaseClass=${DATABASECLASS}
Password=${DATABASEPASSWORD}
User=${DATABASEUSER}
Enabling IPv6 97
You can change the host default properties on each host system as described here. See also
"Changing Collector and Server Start-up Properties" (on page 93).
and select the Add Attribute menu item. Enter the name of the property to add and a value for
the property (see the below table).
4. Select Apply or OK to save the changes.
5. Restart the host admin agent as described in "Restarting the Host Admin Agent" (on page 100).
Any process started on the host with the Launchpad uses the new property values.
The host default properties are stored in the configuration tree under
/deployment/<host>/Defaults. Any properties for a particular process that override the host
defaults are stored in the configuration tree under that processs configuration node under
/Properties. For example, the property STARTUPMODE for a collector named C1 on host H1 would be
at /deployment/H1/C1/Properties/STARTUPMODE.
KEEPPROCESSALIVE Specifies whether the process should continue running even if the host
admin agent stops running. Set to TRUE or FALSE or %DEFAULTS%.
STARTUPMODE Determines whether the process should be started automatically when the
host admin agent starts, for example whenever the system is rebooted. If
you want the collector or server to be started automatically, set
STARTUPMODE=AUTOMATIC. Otherwise set STARTUPMODE=MANUAL. You can
also set STARTUPMODE=%DEFAULTS% to use the host default property value.
RESTARTWAITTIME Specifies how many seconds to wait before attempting to restart a collector
that has stopped running unexpectedly. The default is 60 seconds.
Enabling IPv6
To enable IPv6 on some systems, you will need to explicitly instruct the JVM to use the IPv6 stack.
You can enable this by specifying the following arguments in the eIUM Launchpad Actions -> Host
Default Properties JVMPROPERTIES settings: "java.net.preferIPv6Addresses=true" and
"java.net.preferIPv4Stack=false". See Oracle's web site for more information about IPv6 support in
Java.
eIUM components that support configuration and handling of IPv6 addresses include the following:
l Root: /Environment
l Host: /deployment/<host>/Environment
l Server: /deployment/<host>/<server>/Environment
The environment variables are defined in terms of ${variable} notation (for example,
${DATABASEURL}), and use a system of precedence based on the setting of the lowest-level node in
the configuration tree, versus the Environment levels above. For example, the precedence order is
defined as follows:
For attribute values that are repeated throughout a configuration, such a system allows you to set
environment variables globally (without having to manually search and replace all values), and also
control which Environment node in the configuration takes precedence over another. In eIUM, the
host-level environment (/deployment/<host>/Environment) exists by default and contains
database-related variables for the host. Root- and server-level environments can be created and
populated manually.
NOTE: During an upgrade installation of eIUM with the MySQL product extension, all existing
configurations in your deployment are updated to work with MySQL. This includes updating of: (1)
the /deployment/<host>/Environment node with values pointing to MySQL, and (2) all
configurations (including templates) with database values pointing to the Environment variables.
See "Managing the MySQL Database" (on page 95) for more information on these variables.
NotifyCommand This property only applies to the host admin agent. It specifies an external
command that is executed whenever a process on the host starts or stops.
No host default exists for NotifyCommand.
See the white paper Controlling eIUM with HP OpenView for an example of
how this can be used to integrate eIUM with HP OpenView.
PROCESSARGS This specifies command arguments to use when running an eIUM Java
process. No host default exists for PROCESSARGS. Each process must
specify its own PROCESSARGS.
STARTCONFIGSERVER This applies only to the host admin agent on the host where the
configuration server is to run. It specifies whether or not the host admin
agent should start the configuration server.
The property value %DEFAULTS% means use the host default values. Some multi-valued properties,
for example CLASSPATH, can use the host default values in addition to the overridden values. Specify
%DEFAULTS% as one of the values. Specify any values to be used in addition to the host defaults.
When the selected process starts, it uses all the overridden values and default values for properties
not overridden. To force the process to use the new configuration values immediately, stop and
restart the process.
The host admin agent is installed as a Windows service or UNIX daemon. Normally you do not need to
stop or start the host admin agent because it is started automatically after installation is complete
and whenever the system is rebooted. However, if you change any host start-up properties, you
need to restart the host admin agent for the changes to take effect.
Windows Commands
On Windows restart the host admin agent using one of the following ways. In a command window,
enter the following commands:
net stop SIU_AdminAgentServer
UNIX Commands
On UNIX restart the host admin agent as follows:
3. Start the host admin agent with one of the following commands:
This starts the host admin agent and all the processes it controls on the host. You can also use the
siucontrol command to restart the host admin agent. See the eIUM Command Reference for details
on eIUM commands.
See the eIUM Customer Support web site at http://www.hp.com/support/usage/supported/ for the
specific versions of Java that are supported by eIUM. For the user name and password to access the
web site, see the eIUM 8.0 Release Notes.
You must also download and install the Java Cryptography Extension (JCE) when eIUM security will be
enabled. See Securing eIUM in the eIUM Installation Guide for instructions.
1. Install the new version of the Java SDK and required patches, if any, according to the
instructions accompanying the software.
2. Determine where the java executable file is for the version of the Java SDK you have installed.
On Windows, also locate the javaw.exe executable file. The following table shows sample
directories.
NOTE: The following are only typical locations of Java executables. Be sure to check the Java
location before installation.
On HP-UX and Solaris, the default JVM supports both 32- and 64-bit address spaces. On such
64-bit platforms, the eIUM installer defaults to 32-bit mode, whereby certain instructions
must be followed when enabling the 64-bit version of eIUM. In addition, eIUM can be returned
to the 32-bit version by following the same setup instructions. For Linux and Windows, there
are dedicated 32- and 64-bit Java binaries, while for Solaris there are 32-bit installers plus
add-ons for 64-bit support. Conversely for HP-UX, a single installer supports both 32- and 64-
bit modes.
See the eIUM Installation Guide section After Installation - Enabling the 64-bit Version of
eIUM for more information.
HP-UX /opt/java1.6/bin/java
32-bit HP-UX uses the same Java executable for both 32- and 64-bit.
HP-UX /opt/java1.6/bin/java
64-bit HP-UX uses the same Java executable for both 32- and 64-bit.
Solaris /opt/java1.6/bin/java
32-bit Solaris uses the same Java executable for both 32- and 64-bit.
Solaris /opt/java1.6/bin/java
64-bit Solaris uses the same Java executable for both 32- and 64-bit.
Linux /opt/java1.6_32/bin/java
32-bit
Linux /opt/java1.6_64/bin/java
64-bit
3. In the Launchpad, select the host where you have installed the new Java SDK.
4. Select the menu item Actions -> Host Default Properties. This displays the properties that are
used by default by all eIUM processes running on the host.
5. Change the JVM and JVMW properties to refer to the appropriate version of the java executable
file. On Windows, set the JVMW property to the javaw.exe file. See the table below for example
settings.
Sample JVM and JVMW Properties
Operating System Sample JVM and JVMW Properties
HP-UX JVM=/opt/java1.6/bin/java
32-bit JVMW=/opt/java1.6/bin/java
HP-UX JVM=/opt/java1.6/bin/java
64-bit JVMW=/opt/java1.6/bin/java
Solaris JVM=/opt/java1.6/bin/java
32-bit JVMW=/opt/java1.6/bin/java
Solaris JVM=/opt/java1.6/bin/java
64-bit JVMW=/opt/java1.6/bin/java
Linux JVM=/opt/java1.6_32/bin/java
32-bit JVMW=/opt/java1.6_32/bin/java
Linux JVM=/opt/java1.6_64/bin/java
64-bit JVMW=/opt/java1.6_64/bin/java
The following activates the 32-bit version of eIUM and creates 32-bit command aliases for all
eIUM commands in the BINROOT directory:
java -jar /opt/SIU/sbin/activateSIUJava.jar /opt/SIU -act32
The following just creates command aliases for all eIUM commands in the BINROOT directory
based on the current size setting:
java -jar /opt/SIU/sbin/activateSIUJava.jar /opt/SIU -createAliases
See also "Viewing Collector, Host and Server Log Files" (on page 93) and "Maintaining and
Troubleshooting eIUM" (on page 206) for more information about log files.
See also "Changing Collector, Host and Server Logging Level" (on page 94) and "Maintaining and
Troubleshooting eIUM" (on page 206) for more information about log files.
NOTE: You must install the optional eIUM security module before you can create user logins. See
the eIUM Installation Guide for instructions on installing security.
eIUM security uses an LDAP directory for authentication and authorization. This documentation
assumes you are familiar with LDAP directories and commands and with your enterprise LDAP
directory structure.
CAUTION: It is strongly recommended you plan to restart your servers before their security
certificates expire to avoid the servers shutting down unexpectedly. See "Certificate Expiration
Alerts" (on page 120) for more information.
CAUTION: It is strongly recommended you change the security server port number and the shut
down command to custom values for added security. For instruction see "Changing the Security
Server Port Number" (on page 108) and "Changing the Security Server Shutdown Keyword and
Port Number" (on page 108).
Changing the Security Server Shutdown Keyword and Port Number 108
Groups 115
5. On each eIUM host, run the following command to regenerate the %VARROOT%/security-
login.config file with the updated Security Server port number.
secactivate init
3. Change the port number, if desired. Change the shutdown attribute value to the new command
name.
1. Locate the properties file containing your eIUM security server directory layout that you
created during eIUM activation. This file is based on the example layout properties file provided.
See the eIUM Installation Guide for more information.
2. Modify the directory layout properties file to reflect your new directory structure.
3. Regenerate the LDIF files for security identities as described in the eIUM Installation Guide. Use
the ldifgen command to generate the LDIF files.
4. Load the LDIF files into your secondary LDAP directory server.
5. Restart the eIUM security server to make the directory layout change take effect.
For complete instructions on installing eIUM security, see the eIUM Installation Guide.
To switch to LDAP bind authentication method or to use a different LDAP server, do the following.
2. Run a command like the following specifying your own LDAP server URLs and your own user and
password:
For Active Directory:
$SIUHOME/bin/secserveractivate init
-loginldapserver "ldap://primaryserver:10389/"
-lookupldapserver "ldap://secondaryserver:10389/"
-layout my-edited-external-dir.properties
-user "CN=Administrator,CN=Users,DC=example,DC=hp,DC=com"
-password "password" -force
For ApacheDS:
$SIUHOME/bin/secserveractivate init
-loginldapserver "ldap://primaryserver:10389/"
-lookupldapserver "ldap://secondaryserver:10389/"
-layout my-edited-external-dir.properties
-user "uid=admin,ou=system"
-password "secret" -force
For details on the securityserver and secserveractivate commands, see the eIUM Command
Reference. To switch to the Kerberos authentication method or to use a different KDC server, do the
following.
2. Run a command like the following specifying your own Kerberos host, port and realm and your
own user and password:
For Active Directory:
$SIUHOME/bin/secserveractivate init -krb -kdchost "<kdc host name>"
-kdcport "<kdc port>" -dr "<kerberos realm name>"
-lookupldapserver "ldap://secondaryserver:10389/"
-layout external-dir.properties
-user "CN=Administrator,CN=Users,DC=example,DC=hp,DC=com"
-password "password" -force
For ApacheDS:
$SIUHOME/bin/secserveractivate init
-krb -kdchost "<kdc host name>" -kdcport "<kdc port>"
-dr "<kerberos realm name>"
-lookupldapserver "ldap://secondaryserver:10389/"
-layout my-edited-external-dir.properties
-user "uid=admin,ou=system"
-password "secret" -force
For details on the securityserver and secserveractivate commands, see the eIUM Command
Reference.
1. Stop all eIUM processes on each eIUM host, except for the host admin agent. This includes all
charging managers, collectors, file services, Launchpads, Operations Consoles and so forth.
2. On any one of your eIUM hosts, open a command window in the directory SIUHOME\lib\patches.
3. Run the following command. This creates the file SIUHOME\lib\patches\jacorb.properties.
JDK_HOME\bin\jar -xvf ..\siuutils.jar jacorb.properties
For example, if your Java JDK were in the directory C:\Program Files\java\jdk1.6.0_04, then the
command would look the following:
C:\Program Files\java\jdk1.6.0_04\bin\jar -xvf ..\siuutils.jar
jacorb.properties
6. Restart the host admin agent. For instructions, see "Restarting the Host Admin Agent" (on page
100).
7. Copy the file you modified, jacorb.properties, to each of your other eIUM hosts. Place the file in
the directory SIUHOME\lib\patches.
8. Restart the host admin agent on each of your other eIUM hosts. For instructions, see
"Restarting the Host Admin Agent" (on page 100).
Setting up Users
When you create a new eIUM user in a secure eIUM environment, you must give the user appropriate
privileges based on what they will be doing with eIUM. This section describes three possible positions
and the corresponding roles. Also see "User and Host Roles and Privileges" (on page 112) for more
information on privileges.
For instructions on adding a new user to a secure eIUM deployment, see the eIUM Installation Guide.
User Designates a person who will use eIUM (as opposed to an eIUM host or
process.) Give this role to every user.
Monitor Allows the user to view the status of eIUM processes. See also the
Diagnostics role.
Diagnostics Allows the user to run diagnostics activities such as viewing log files and
process statistics. See also the Monitor role.
ConfigRead Allows the user to view the deployment configurations in the configuration
server, for example through the Launchpad or the saveconfig command. In
the Operations Console, this allows the user to see the deployment topology
of charging managers, collectors and so forth.
Query Allows the user to query the data of an eIUM process such as a collector or
charging manager using, for example the Launchpad or the siuquery
command.
ReportUser Allows view-only access to web applications, such as Reports and Audit
Reports. Users must have this role in order to access web applications.
RefdataRead View Reference Data Manager tables that belong to the DEFAULT category.
RefdataWrite View and edit Reference Data Manager tables that belong to the DEFAULT
category. See "Security" (on page 55) for more information on RDMsecurity.
RTPStudioViewer Allows the user to view the SNAP Studio with only read-only permissions. For
additional details on SNAP Studio, see the eIUMStudio User Guide.
RTPStudioDesigner Allows the user to create, update, and delete entities under Technical View
and Business View of SNAP Studio.
RTPStudioOperator Allows the user to manage operations under OMC and Administration.
ConfigWrite Allows the user to modify the configurations in the configuration server, for
example through the Launchpad or the loadconfig command.
Administrator
Role Privileges
ServerAdmin Allows the user to perform administrative operations on eIUM processes, for
example start, stop and clean up charging managers, collectors, file services
and other eIUM processes. Also allows the user to perform administrative
actions on the eIUM security server such as generating the host key.
SecurityAdmin Designates the eIUM security administrator. Allows the user to perform all
security-related activities such as security setup and configuration.
Management Allows the user to create, delete and modify groups of servers in the eIUM
Operations Console. For more information about the Operations Console, see
the Operations Console User Guide.
UserAdmin This role is deprecated and is only retained for backward compatibility.
ReportAdmin Allows report management, such as creating, editing, and deleting of reports.
ReportAdmin is required to access the Web Application server and Audit Report
server for access to eIUM web applications and managing reports when security
is enabled. ReportAdmin is needed if you create, edit, or delete reports (while in
contrast, only ReportUser is needed to just view the reports).
RTPStudioAdmin Allows the user to manage the SNAP Studio with all permissions. For additional
details on SNAP Studio, see the eIUMStudio User Guide. This role also includes
the permissions of all Real-Time Engine based-roles (namely, RTPStudioViewer,
RTPStudioDesigner, and RTPStudioOperator).
The following table lists additional eIUM roles only for eIUM hosts and processes.
Server Designates an eIUM server such as a charging manager, a collector, the configuration
server, the Launchpad and so forth.
Host Designates an eIUM host system where eIUM processes are running.
Identities Data
Identities data consists of distinguished names of all the identities that can be claimed in a secure
eIUM deployment. Identities data can be further classified into user identities representing a
person, host identities representing an eIUM host system and server identities representing eIUM
processes such as the configuration server, charging managers, collectors and so forth.
User identities
A user identity represents the identity of a human user in the deployment. Typically it is a subset of
the set of user identities in the enterprise and is stored in a database accessible to the
authentication server used. The user identity information includes information required to verify the
claimed identity such as a user password depending on the authentication method used.
If the authentication method used is LDAP bind, you can find your authentication server URL that is
in use in the ExternalUserLogin.java.naming.provider.url login module configuration attribute in the
configuration file SIUVARROOT/securityserver/conf/external-login.properties.
If the authentication method used is Kerberos, you can find your authentication server URL that is in
use in the kdc property of realms configuration in the kerberos client configuration file
SIUVARROOT/securityserver/conf/krb5.conf.
Host identities
Host identities represent eIUM host systems that are part of a secure eIUM deployment. These
identities are stored in the eIUM-specific LDAP server. You can find the eIUM security data LDAP
server URL that is in use in the LdapDirectoryUserLookupModule.java.naming.provider.url login
module configuration attribute in the configuration file SIUVARROOT/securityserver/conf/external-
login.properties.
Server Identities
Server identities represent eIUM servers that are part of a secure eIUM deployment, such as the
configuration server, charging managers, collectors and so forth. These identities are stored in the
eIUM-specific LDAP server relative to the identities of the hosts on which the server is hosted. You
can find the eIUM security data LDAP server URL that is in use in the
LdapDirectoryUserLookupModule.java.naming.provider.url login module configuration attribute in
the configuration file SIUVARROOT/securityserver/conf/external-login.properties.
Groups
Groups represent eIUM deployment roles that any identity can be associated with to give the
identity a set of privileges associated with the given role. Groups are stored in the eIUM-specific
LDAP server. See the eIUM Installation Guide for details on setting up the Group entries for your
eIUM deployment.
You can find the eIUM security data LDAP server URL that is in use in the
LdapDirectoryUserLookupModule.java.naming.provider.url login module configuration attribute in
the configuration file SIUVARROOT/securityserver/conf/external-login.properties.
Run one of the following commands depending on the LDAP server type:
Upload the generated $VARROOT/ldif/<user name>/user-add-<user name>.ldif file into the primary
LDAP server (ApacheDS, OpenLDAP, RedHat DS), or use vendor-specific administrative tools to create
the required user profile (Active Directory, RedHat DS). Upload the generated $VARROOT/ldif/<user
name>/user-groups-add-<user name>.ldif file into the secondary LDAP server.
NOTE: In a single-directory configuration, this is the same as the primary LDAP server.
Run one of the following commands depending on your LDAP server type.
NOTE: In a single-directory configuration, this is the same as the primary LDAP server.
Run one of the following commands, depending on the LDAP server type.
Upload the generated LDIF file $VARROOT/ldif/<eIUM host name>/host-add-<host name>.ldif into
the eIUM security data LDAP server. You do not need to restart the Security Server.
Run one of the following commands, depending on the LDAP server type.
Upload the generated LDIF file $VARROOT/ldif/<eIUM host name>/host-remove<host name>.ldif into
the eIUM security data LDAP server. You do not need to restart the Security Server.
Each of the certificates issued by the CA is valid only for a certain period of time. A certificate
expires once it passes its validity period and must be renewed.
The eIUM Security Server hosts the CA function in a secure eIUM deployment and associates the CA
with itself. All the certificates used in eIUM except for the CA certificate itself are signed and issued
by the CA in the Security Server in a secure deployment. The default CA certificate is self-signed.
Types of Certificates
Certificates in a secure eIUM deployment fall into the following three categories based on the type
of claimed identities:
The CA Certificate
The Security Server acts as the CA (Certificate Authority) in a secure eIUM deployment. The CA
attests that the public key contained in an eIUM secure deployment belongs to a user, a server or a
host identity. The CA identity is provided by the CA certificate and is typically attested by a trusted
third party. The CA certificate is the most important certificate in the deployment and forms the
basis of trust between all deployment entities.
The default CA certificate is self-signed and automatically generated by the Security Server. It is
recommended that you configure the Security Server to use a CA certificate issued by a trusted
third party. However, using a CA certificate attested by a trusted third party is not necessary for the
operation of a secure eIUM deployment.
Among the three types of certificates, a CA certificate expiration has the biggest impact on a secure
eIUM deployment as the CA certificate forms the basis of trust for every other certificate in the
deployment. Renewing the CA certificate requires refreshing the certificates of all the identities
that exist in the deployment. The default validity period for the self-signed CA certificate is 10 years.
The default validity period for the self-signed CA certificate is 10 years. You can configure the
validity period of this certificate as follows:
1. Open the following file in a text editor. This is the Security Server environment context
configuration file.
$SIUVARROOT/securityserver/conf/Catalina/localhost/security.xml
2. Locate the following line in this file. Modify the value attribute. The value 87,600 represents the
number of hours in ten years.
<Environment name="certificate/CA/duration" type="java.lang.Long"
value="87600" override="true" description="Duration in hours"/>
The CA certificate is provided to the Security Server as a keystore file. The default CA certificate
keystore is in the following file:
$SIUVARROOT/securityserver/keystore/issuer.p12
You can configure your own CA certificate keystore file by editing the Security Server environment
context configuration file $SIUVARROOT/securityserver/conf/Catalina/localhost/security.xml in a
text editor and modifying the value attribute:
<Environment name="keystore/CA/file" type="java.lang.String"
value="${catalina.base}/keystore/issuer.p12" override="true"
description="CA key store file"/>
Server Certificates
The eIUM CA (Certificate Authority) issues a server certificate to each eIUM server identity. Server
certificates are issued to the identities of each eIUM host, each eIUM admin agent, each charging
manager, file service, collector, the security server, the configuration server, the management
server, the web application server and the eIUM Operations Console.
The server certificate represents the identity of a specific server instance or host identity and
encodes the roles associated with the identity. The associated roles determine the privileges the
identity has in a secure eIUM deployment. For more information on roles and privileges, see "User
and Host Roles and Privileges" (on page 112).
The default validity period for a server certificate is one year. You can configure the validity period
of the server certificate as follows:
1. Open the following file in a text editor. This is the Security Server environment context
configuration file.
$SIUVARROOT/securityserver/conf/Catalina/localhost/security.xml
2. In this file, locate the following line and modify the value attribute. The value 8,760 represents
the number of hours in one year.
<Environment name="certificate/server/duration" type="java.lang.Long" value="8760"
override="true" description="Duration in hours"/>
3. Stop then restart the Security Server using the following commands:
$SIUHOME/bin/securityserver stop
$SIUHOME/bin/securityserver start
NOTE: When a server certificate expires, the server will be automatically shut down.
The server exit status is set to CMDR_CRASH which means the Admin Agent will attempt to
restart the shut down server automatically and renew its certificate.
It is highly recommended you set the server certificate expiration time and plan to restart your
servers before their certificates expire to avoid the servers shutting down unexpectedly. See
"Certificate Expiration Alerts" (on page 120) for more information.
User Certificates
The eIUM CA issues a user certificate to each authenticated user identity, that is, for each person,
when they begin a session by using any eIUM tool. The user certificate has the shortest default
validity period of the three types of certificates. By default, it is valid for only three days. Each user
certificate is valid only until the active user session terminates or until the validity period expires,
whichever occurs first.
As in the case of a server certificate, a user certificate also represents the identity of an
authenticated user (a person) and encodes the roles associated with the person. The associated
roles determine the privileges the user has in the secure eIUM deployment.
You typically do not need to do anything with user certificates because they are not persisted on
disk and the user login process renews the certificate held in the in-memory keystore.
l Level 1 Expiration Warning - The first level warns when the expiration is still relatively far away,
by default seven days and repeats once each day.
l Level 2 Expiration Warning - The second level warns when the expiration is nearer, by default one
day and repeats each thirty minutes.
The Security Server logs certificate expiration alert messages when the CA certificate expiration
date approaches and when the Security Server certificate expiration approaches. The warning
messages are similar to the following messages:
2008-08-19 09:58:05.035 WARNING Timer-0 (CERTIFICATE_MONITOR): CA
certificate stored in [Key Store
C:\sbin\siu\SIU\var\securityserver\keystore\issuer.p12] will expire on
[Tue Aug 19 10:58:05 IST 2008]. Please plan a CA certificate renewal
procedure to continue using the secure IUM deployment.
You can change the times of the multiple levels of the Security Server certificate expiration alerts
as follows.
1. Open the following file in a text editor. This is the Security Server environment context
configuration file.
$SIUVARROOT/securityserver/conf/Catalina/localhost/security.xml
2. Locate the following line in this file and modify the value attribute.
<Environment name="certificate/CA/expiry-alert"
type="java.lang.String" value="7d/12h,1d/3h,0" override="true"
description="Expiry alert configuration for the CA and the Security
Server certificates"/>
The format of the value attribute is <alert start interval/alert repeat period,
alert start interval/alert repeat period, , certificate expiry
handling>. The default is <7 days/12 hours, 1 day/3 hours, 0>. According to this
configuration, the Security Server certificate first-level expiration warnings start one week
prior to the expiration of the certificates, with the warning repeated twice daily. The second-
level alerts start on the expiration day and repeat every three hours. Finally, the certificate
expiration handler launches at the time the certificate expires (0 minutes before the
expiration).
3. Stop the Security Server using the following command:
$SIUHOME/bin/securityserver stop
Every eIUM server will attempt to automatically renew its certificate before it expires. This attempt
can be repeated several times before the certificate finally expires. If automatic renewal logic fails,
the server process will automatically shut down at the time the certificate expires, and then the
certificates will get renewed on the next server restart. The host admin agent (when present) will
detect the server shut down and restart the server process.
CAUTION: You should plan to shut down and restart your servers during a normal maintenance
period before the certificates expire and the servers shut down automatically.
The host certificate is automatically renewed using the same scheme and configuration if the host
admin agent is running. You can manually renew the host certificate using the
$SIUHOME/bin/secactivate hostkey command as described in "Renewing the Host
Certificate" (on page 123).
By default, the certificate expiration first-level warnings start one week prior to the expiration of
the certificates, with the warning repeated twice daily. The second-level alerts start on the
expiration day and repeat every three hours. Subsequently, 30 minutes before the expiration, the
automatic renewal routine attempts to renew the server/host certificate and apply it to the running
server process. This attempt will be repeated every 10 minutes in case of failure.
The server logs certificate expiration alert messages when the server certificate expiration date
and the host certificate expiration approach. The warning messages are similar to the following
messages:
2008-08-19 09:58:05.035 WARNING Timer-0 (CERTIFICATE_MONITOR): Server
certificate stored in [Key Store
C:\sbin\siu\SIU\var\ConfigServer\keystore.p12] will expire on [Tue Aug
19 10:58:05 IST 2008]. Please plan a server certificate renewal to
avoid an unexpected shutdown.
You can change the frequency of certificate expiration alert messages for all eIUM servers other
than the Security Server as follows. For instructions on changing the frequency of alert messages
for the Security Server, see "Changing the Expiration Alerts for the Security Server" (on page 121).
See the eIUM Command Reference for more information on the eIUM security commands, such as
secactivate.
1. Copy the keystore file that contains your external CA certificate in a location accessible to the
eIUM Security Server. eIUM supports the keystore file formats PKCS12 and JKS.
NOTE: The keystore contains not only the CA certificate, but also a private key, which is
required for generating other certificates.
2. Open the following file in a text editor. This is the Security Server environment context
configuration file.
$SIUVARROOT/securityserver/conf/Catalina/localhost/security.xml
3. Locate the following line in the file and modify the value element to point to the external
keystore file path.
<Environment name="keystore/CA/file" type="java.lang.String"
value="${catalina.base}/keystore/issuer.p12" override="true"
description="CA key store file"/>
4. Stop then restart the Security Server using the following commands:
$SIUHOME/bin/securityserver stop
$SIUHOME/bin/securityserver start
1. Stop the admin agent service on all eIUM hosts in your deployment. This shuts down all the eIUM
servers in your deployment. For instructions, see "Restarting the Host Admin Agent" (on page
100).
2. On the eIUM host where the Security Server is running, stop the Security Server using the
following command:
$SIUHOME/bin/securityserver stop
3. Run the following command on each eIUM host to clean up the existing keystore files that store
certificates issued by the expired CA certificate. Use the -force option to ensure the host
certificate already installed will be overwritten.
$SIUHOME/bin/secactivate cleanup -force
4. If the Security Server is configured to use an external CA certificate, copy the keystore file that
contains the renewed CA certificate to the configured location. Continue with Step 5.
If the Security Server is not configured to use an external CA certificate, start the Security
Server to automatically create a self-signed CA certificate and then stop the Security Server so
that the renewed certificate will take effect on the next start up. Use the following commands.
$SIUHOME/bin/securityserver start
$SIUHOME/bin/securityserver stop
6. Run the following secactivate command on each host to create the host keystore file.
$SIUHOME/bin/secactivate login -user <security admin user> -
password <password> --hostkey -force
7. Start the admin agent and restart the required eIUM servers. For instructions on starting the
admin agent, see "Restarting the Host Admin Agent" (on page 100).
Audit Logging
The Security Server can log information about its activities and user activities for audit purposes.
This section describes how you can control this audit logging.
The Security Server audit logging provides a security trail in an audit log file. The audit trail can be
used to verify each users access to privileged operations provided by the Security Server. The audit
trail can also be used for troubleshooting access control. By default, the audit log messages are
written to the following file: SIUVARROOT/securityserver/logs/SecurityService.<year>-<month>-
<day>.audit.log.
You can configure the volume of Security Server log messages by setting the appropriate property
to one of the values in the following table. By default, the Security Server logs all INFO level audit
messages.
TRACE Gives the most amount of information and the largest number of audit messages.
Level Description
DEBUG Gives fewer than TRACE and more than INFO levels of audit log messages.
WARNING Gives fewer than INFO and more than ERROR levels of audit log messages.
To configure the audit log level for the Security Server, do the following.
Audit logging provides a security trail for each eIUM server. Each eIUM server logs audit information
in its own separate audit log file. The audit trail can be used to verify user access to privileged
operations of the server. The audit trail can also be used for troubleshooting access control.
CAUTION: There can be a performance impact when enabling audit trails for high-traffic services
(such as the Management Server). In addition, audit log settings will always be applied to all
processes running on the given eIUM host system.
You can configure the volume of server log messages to one of the values in the following table, as
described below. By default, eIUM servers log all ERROR level audit messages.
Level Level
Number Name Description
1 CRITICAL Message explaining a fatal error just before a component goes down. An
example would be messages about being unable to connect to a necessary
eIUM component.
2 ERROR Message about a situation where the component cannot operate properly or
carry out a request. These error situations could eventually be fatal but the
component will continue to run.
Level Level
Number Name Description
3 WARNING Message about an unexpected event that might lead to further problems.
Examples are messages about connections lost but that will be retried,
parameters not specified and default values used instead, skipping invalid
input log records, packets dropped, files not found, and warnings about eIUM
license expiration.
5 DEBUG Least detailed and frequent debug messages. Debug messages are useful
only for developers.
To configure the audit log level for eIUM servers other than the Security Server, do the following.
CAUTION: If you raise the audit log level from ERROR to a level such as INFO or any of the DEBUG
levels, the increased logging activity may impact the server performance. This is especially
significant for the Management Server.
Alternatively, instead of modifying the SIU.ini file, you can also configure audit logging for other
servers using the following method:
2. Open the servername.config file, and add a Logging node under the server as the following:
[/deployment/<hostname>/<servername>/Logging]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
Loggers=AUDIT,<AUDIT_LOG_LEVEL>
3. Load the updated server node configuration back to the configuration store:
loadconfig -f servername.config
4. Open the Launchpad Deployment Editor and verify the Logging subnode has been added to the
server node.
Normally the configuration server runs as a process controlled by the host admin agent. A host
admin agent runs on each eIUM host as a Windows service or UNIX daemon that is started when you
install eIUM and whenever you reboot. The host admin agent and the configuration server must
always be running. If the configuration server stops running, your entire eIUM deployment will not
function.
All eIUM processes communicate with the configuration server. The configuration server exports its
CORBA address (IOR, or Interoperability Object Reference) to all other eIUM hosts. At installation, the
configuration server writes its IOR to a file, typically C:\SIU\var\ConfigServer.ior on Windows and
/var/opt/SIU/ConfigServer.ior on UNIX. The name of this file is in the property file SIU.ini with the
keyword IORFILE. A URL referring to the IOR file is in SIU.ini with the keyword IORURL. Each eIUM
process uses the IORURL to read the IORFILE and get the configuration servers IOR.
1. In the Launchpad, select the ConfigServer under the host where it is running.
2. Either right-click on the ConfigServer and select the Restart Config Server menu item, or select
the Actions: Restart Config Server menu item. This stops and restarts the configuration server.
l Change the host default properties on the host where the configuration server is running. This
affects all processes running on the host, including the configuration server. See "Changing
Default Host Properties" (on page 96).
l Specify that the configuration server override the host default properties. See "Overriding
Default Host Properties" (on page 99) for details.
After changing the configuration servers start-up configurations, restart it as described in
"Restarting the Configuration Server" (on page 128).
Once such an NME file is obtained from the error handling subsystem, you can edit and correct the
NMEs in the file with eIUMs error correction subsystem the CDR Editor utility.
You can use the CDR Editor to view the erroneous NMEs that are stored in the file and edit the NMEs
to make corrections. You can save the corrected NMEs to a file and reprocess them by sending them
to another collector, thereby feeding the corrected NMEs back into the mediation stream.
The following topics describe how to use the CDR Editor and perform various operations on the error
NMEs. For additional information and background on detecting and handling error data using eIUM,
see the eIUM Foundation Guide.
NOTE: If eIUM is in secure mode, the CDR Editor will prompt you to log in with a valid user name
and password. See "Managing Users and Security" (on page 106) and the eIUM Installation Guide
for details on secure mode.
NOTE: To test the editor you can use the sample files provided in the SampleData directory
under the CDR editor plug-in directory.
l Pink: An NME attribute that could not be parsed from the input data.
l Orange: An NME attribute that is successfully parsed but the value is invalid.
l In addition, a marker at the beginning of each NME displays the NME status.
l Red cross: This indicates that the NME contains error fields.
l Green check mark: This indicates that all the fields in that NME have been corrected.
You can navigate between different NMEs by using the scroll bar at the right side of the screen.
Hovering the mouse pointer over a particular erroneous cell displays the reason the cell is invalid.
In the case of a parse error, if you enter a hex value, this new value will be checked for correctness
by parsing it using the parselet configured for the attribute.
In the case of a validation error, the new value is set into the corresponding attribute without
performing any further checks.
When correcting the values, the right column shows the current value and cannot be edited.
Meanwhile, the left column is available for editing and allows you to compare the previous value in
the right column with the new value you enter.
The color coding of the cell (pink or orange) is then removed to indicate successful correction.
Initially, the column that displays the NME row numbers also displays the correction status for that
NME; a red cross is displayed if any attribute is uncorrected for that NME. Once every erroneous
attribute is corrected for an NME, a green check mark appears in the cell that displays the NME row
number.
A Replace Rule consists of one or more Filter Expressions and one or more Replace Expressions.
l The Filter Expressions define the search criteria. You can create Filter Expressions and later edit
them, if you have saved them as part of the new Replace Rule.
l The Replace Expression defines which NME attribute values to change in the CDRs selected by
the Filter Expressions. The Filter Expressions can also be saved if saved as part of the larger
Replace Rule (if you cancel the dialog, any Filter or Replace Expressions will disappear unless
saved as part of the overall Replace Rule).
Only CDRs that match the Filter Expressions are modified by the Replace Expression. You can create
and name Replace Rules for common bulk editing tasks you perform regularly.
1. Press the Add button to create a new Replace Rule. This displays an input dialog where you can
enter a name for your rule.
2. Enter a descriptive name for your rule in the dialog. After pressing OK, the rule name appears in
the drop-down list at the top of the Find-Replace dialog.
3. Under Replace Rule Properties, Filter Expression, press the Add button to create a new filter
expression. This adds a filter expression entry in the Filter Expression window that you can
create or edit.
4. Select the row corresponding to the filter expression entry, and in the associated fields, select
an NME attribute, an operator, and enter a value for the NME attribute. The Attribute field will
have its drop-down selections defined based on the NME attributes in the NME file you have
open. Also, the Operator drop-down has operator conditions that you can select, such as =, !=, >,
>=, <, <=, within, !within, starts, !starts, ends, !ends, contains, !contains.
5. To specify multiple logical expression conditions (AND or OR), select a condition (AND or OR)
from the Condition field, and repeat steps 3 and 4 above. The set of conditions will be combined
with a logical AND or a logical OR as specified, to create a single composite condition, as shown
below. To delete a particular Filter Expression, select the entry and press Remove.
6. Now that the filter (that is, the find) expression(s) are created, create a Replace Expression by
pressing the Add button. This adds an undefined Replace expression entry in the Replace
expression window.
7. Select an NME attribute and enter the new value, as shown below. The specified NME attributes
in all the NMEs selected by the Find Condition will be changed to the new value. Repeat the
previous step and this step for all the NME attributes you want to change. To remove a Replace
Expression, select the entry and press Remove.
1. With a file open in the CDR Editor, select either Edit -> Find-Replace, or press the Find-Replace
button. The Find-Replace dialog is displayed (see "Create a New Replace Rule" (on page 135) for
an example).
2. Select one of your Replace Rules from the drop-down list.
3. Under Files Selected, you can select one or more files you have already open, in order to
execute a bulk replacement across all the files.
4. Press Replace, which executes your Replace Rule.
NOTE: The undo history of all the edits performed on the file currently open will be lost after the
Replace Rule runs. The bulk edit operation, as well as any other operations performed before it,
cannot be reversed after this operation. By contrast, you can only undo changes when editing
individual errors in NME records (see "Editing Fields in Error Files" (on page 132) for more
information).
Since bulk editing can be time consuming, the editor indicates the progress of the operation as
shown below.
CAUTION: Use bulk editing carefully because it can affect large portions of CDR files, and the
operation cannot be undone.
1. With a file open in the CDR Editor, select either Edit -> Find-Replace, or press the Find-Replace
button. The Find-Replace dialog is displayed (see "Create a New Replace Rule" (on page 135) for
an example).
2. Select one of your Replace Rules from the drop-down list.
3. Edit the Replace Rule properties, and then press Save.
1. With a file open in the CDR Editor, select either Edit -> Find-Replace, or press the Find-Replace
button. The Find-Replace dialog is displayed (see "Create a New Replace Rule" (on page 135) for
an example).
2. Ensure the Replace Rule is viewable in the drop-down list.
3. Press Remove to delete the Replace Rule.
NOTE: As with individual Find-Replace operations on a single file, the undo history of all the edits
performed on the file currently open will be lost after a multi-file bulk edit. The bulk edit
operation, as well as any other operations performed before it, cannot be reversed after this
operation. Accordingly, ensure that you save any unsaved changes before performing the bulk
edit.
A dialog prompts you to enter the CDR row number for the CDR to navigate to. When you enter a
valid row number, the editor displays the specified CDR.
After pressing OK, the file view will jump to the entry you are searching for and highlight it
accordingly.
Saving Files
The file currently being edited can be saved by selecting File -> Save, or using the Save button on the
toolbar.
All changes made up to that point are saved. When you save the current file using File -> Save or the
Save icon, the CDR Editor saves a backup copy of the previous version of the file in the specified
backup directory, and then it saves the current changes in the open file. For more details, see
"Setting the Backup File Directory" (on page 153).
4. This saves the CDRs in a file named the same as the original file with a .csv extension, in the
directory specified in the CDR Editor options. See "Setting the CSV File Directory" (on page 154)
for more information on how to specify where the CSV files are saved.
1. Moves all the corrected CDRs to a separate file named with a .corrected file name extension
in the corrected file directory. You can set the location where the .corrected files are saved by
selecting Configure -> Options or the Options button, selecting the General Config tab and
changing the corrected file directory. See also "Setting the Corrected File Directory" (on page
154).
2. Saves all the remaining uncorrected CDRs in the original file.
3. Saves a copy of the original file, the file before the corrections were done, in the backup
directory with a .bak file name extension. You can set the location where the .bak files are
saved by selecting Configure -> Options or the Options button, selecting the General Config tab,
and changing the backup file directory. See also "Setting the Backup File Directory" (on page
153).
For example, if you were editing the file VoiceCDRs.log and you selected Extract Corrected CDRs, the
CDR editor would:
l Save the corrected CDRs in the file VoiceCDRs.log.corrected in the corrected file directory.
l Save the uncorrected CDRs in the file VoiceCDRs.log.
l Save the original file in the file VoiceCDRs.log.bak in the backup directory.
NOTE: If you have more than one file open, this only affects the displayed file. Use the Window
menu to display each file and extract the corrected CDRs from each file.
Each time you select Extract Corrected CDRs, the corrected CDRs are appended to the .corrected
file. When you correct all the CDRs and select Extract Corrected CDRs, the CDR editor deletes the
original file.
Applying Filters
You can display a subset of the CDRs in the file by using content-based filtering. Content-based
filtering displays only those NMEs that satisfy certain logical conditions that are applied to selected
NME attributes. To apply a content-based filter, do the following:
1. Select Configure -> Create Filters or the Create Filters button from the toolbar.
2. This displays the CDR Filters window that allows you to create one or more content-based
filters.
3. To create a filter, press the Create button. This displays the Edit Filters window.
4. Enter a name for the filter you are creating and press Add. A new row appears in the Edit Filters
window.
5. Select an NME attribute (Attribute field), an operator (Operator field) and enter a value for the
NME attribute (Value field). You can specify the same set of operators as when creating a Find-
Replace Filter Expression (see Step 4 in "Create a New Replace Rule" (on page 135)).
6. To specify another logical expression, select a condition (AND or OR) and press Add again.
Repeat the previous step. The set of conditions will be combined with a logical AND or a logical
OR as specified, to create a single composite condition. Conversely, if you want to remove a
filter during this process, select the entry and press Delete.
7. Press OK in the Edit Filters window when all your filter conditions are defined.
8. To apply one or more filters, select the check box next to the filters you want in the Enabled
column.
9. Press OK to display only those CDRs that match all of the specified conditions. That is, the
conditions are combined with a logical AND operation.
10. You can enable or disable individual filters from the CDR Filters list by selecting or clearing the
respective check boxes. Press OK to apply the selected filters.
11. To disable all filters, clear all selections (under Enabled) in the CDR Filters window and press OK.
This displays all the CDRs in the file.
Configuring Logging
The CDR editor writes log messages to two different log files during its operation.
l Standard logging saves information such as when the CDR editor starts, when it opens a file,
saves a file and closes a file, when it performs a bulk edit operation and the number of CDRs
modified. It saves this information in the log file IUM_CCU.log typically under /SIU/var/log on
Windows or /var/opt/SIU/log on UNIX. For more information see "Setting the Standard Logging
Level" (on page 151) and "Saving the Standard Log File" (on page 152).
l Audit logging logs more detailed information about the changes made to CDRs. It saves this
information in a separate audit log file for each eIUM user and each CDR editor session. The audit
log file contains the following information:
n When the CDR editor starts, it logs the user name of the person starting it. If security is not
installed, it logs that it is running unsecured. For more information on security and eIUM users,
see "Managing Users and Security" (on page 106).
n The directory and name of each file opened, saved and closed.
n For each changed CDR, the following information is logged:
o Which CDR was modified. That is, the CDRs ordinal position in the file.
Log Levels
You can control the type of log messages the CDR editor produces by setting the standard log level
and the audit log level. Select Configure -> Options or the Options button, and select the General
Config tab or the Audit Config tab. Select the log level from the available list. eIUM uses the following
log levels. Each level includes all messages from the levels above it. For example, the Error level
includes Accounting and Critical messages, but not Warning, Informative or any of the Debug
messages.
Log Levels
Level Description
Level Description
To turn audit logging off, set the level to Off. When you set the audit log level to Off, no audit
messages are logged by the CDR editor.
The new audit configuration takes effect only after you stop and restart the CDR editor. For the
current session there will not be any change in the log level or audit file name.
NOTE: The new audit configuration takes effect only after you stop and restart the CDR editor.
For the current session there will not be any change in the log level or audit file name.
the Backup File Directory. See "Saving the Standard Log File" (on page 152) for an example of where
this can be configured in the interface.
Set the Corrected File Directory as shown in the example in "Saving the Standard Log File" (on page
152).
Set the CSV Export Directory as shown in the example in "Saving the Standard Log File" (on page
152).
You should incorporate a comprehensive backup of all your eIUM hosts into your enterprise backup
strategy to enable recovery from a major system failure. You should back up the hard disk of all
your eIUM hosts using your standard backup strategy and backup systems.
Performing a full backup of eIUM hosts will facilitate the most rapid recovery in the event of a major
system failure. At a minimum, the eIUM backup strategy should include the following:
NOTE: Automatic database backups with MySQL are not supported. If you need to perform this
type of backup, certain operating system utilities should be used instead (such as the UNIX
cron utility).
l Perform a regular saveconfig and back up the resulting ASCII configuration files.
l Back up any input files the system is using.
l Back up any output files the system is creating.
For the fastest recovery in the event of a failure, perform a complete backup of the entire host on a
regular basis (weekly or daily) followed by an incremental backup (backing up only those files on the
host which have changed) daily or more frequently.
The ability to schedule regular backups (full, incremental, and other backup types) is already built in
to most standard backup solutions. The backup solution should determine which files need to be
backed up for a particular scheduled backup based on the backup type and verification of which
files on the host have changed since the last backup. It is strongly recommended that your eIUM
backup strategy be incorporated into your enterprise backup strategy.
Backup Strategies
There are two basic backup strategies to consider for eIUM: offline and online. Select the method
that works best for your environment.
An online backup strategy addresses how to back up an eIUM deployment while collectors and
other servers are running. This is the recommended strategy. See "An Online Backup Scenario" (on
page 157).
An offline backup strategy addresses how to back up an eIUM deployment if the collectors and
other servers can be shut down during backup. See "Offline Backup Strategy" (on page 165).
NOTE: The default installation location for eIUM is /opt/SIU, /etc/opt/SIU and /var/opt/SIU on
UNIX, and C:\SIU on Windows. These instructions use these default locations. If you installed eIUM
in a different directory, alter these instructions accordingly. The eIUM commands are located in
C:\SIU\bin on Windows and /opt/SIU/bin on UNIX.
A third collector, R1, receives and writes error CDRs into files for manual repair and reprocessing.
The repaired CDRs are read by collector A3 running on Server_2.
NOTE: The default installation location for eIUM is /opt/SIU, /etc/opt/SIU and /var/opt/SIU on UNIX
and C:\SIU on Windows. The instructions here use these default locations. If you installed eIUM in
a different directory, alter these instructions accordingly. The eIUM commands are in C:\SIU\bin
on Windows and /opt/SIU/bin on UNIX.
1. Decide how frequently to perform backups. For example, weekly full backups and daily
incremental backups are recommended (and depending on the value of your data). For this
scenario, we will describe how to perform a full backup weekly, and an incremental backup
daily.
2. Make sure you have enough disk space to save all the backup files before moving them to long-
term storage.
3. Back up your eIUM software, including patches you have installed. If you have a CD with the
eIUM software, ensure it is stored safely and can be used to reinstall eIUM. Document any eIUM
patches you have installed and back up the patch install files.
4. Create a temporary directory on each host where you can place the backup files until they can
be stored in long-term archives. In this scenario, /tmp/usage/<host name> on UNIX and
C:\tmp\usage\<host name> on Windows are assumed. This allows keeping each hosts files
separate.
NOTE: You can run the saveconfig command from any eIUM host. See the eIUM Command
Reference for complete details on the saveconfig command.
TIP: Write a backup script for each host to perform all these commands.
TIP: Back up the collectors in reverse order from the data flow, or in order from the highest level
collectors to the lowest level collectors. In our scenario, back up the Distribution collectors first
(D1, D2 and D3), then the correlation collectors (C2 and C3 followed by C1), then the aggregation
collectors (A1, A2 and A3), the repair collector (R1), and finally the leaf collectors (L1 and L2). This
helps ensure no data is lost if you ever have to restore from a backup.
1. On Server_1, create the temporary directory /tmp/usage/server_1 and make sure it has
enough disk space to hold the backup files.
mkdir /tmp/usage/server_1
2. Create a separate directory under /tmp/usage/server_1 for each collector with the same name
as each collector. The collectors on Server_1 are named L1, L2, and R1.
mkdir /tmp/usage/server_1/L1 /tmp/usage/server_1/L2
/tmp/usage/server_1/R1
3. Use the siubackup command as follows. The following commands back up these three
collectors and place their backup files in their respective directories under /tmp/usage/server_
1:
siubackup -n L1 -full -backupDir /tmp/usage/server_1/L1
siubackup -n L2 -full -backupDir /tmp/usage/server_1/L2
siubackup -n R1 -full -backupDir /tmp/usage/server_1/R1
NOTE: To perform an incremental backup, use the following siubackup commands. These
commands back up only changed data from the three collectors since the last backup and
place their backup files in their respective directories under /tmp/usage/server_1:
For more information see "Performing an Incremental Backup" (on page 162).
NOTE: You must run the siubackup command locally on each host. That is, you cannot back
up collectors remotely from a different host.
See "Commands for Backing Up eIUM" (on page 169) for information on the siubackup
command.
4. Create another directory to hold eIUM initialization files:
mkdir /tmp/usage/server_1/inifiles
8. Save any other files you deem necessary, for example any eIUM files you have modified or files
you have created uniquely for your deployment. For example, your collectors might read from
map files with the AdornmentRule or write to files with the WriteToFileRule. Consider exporting
your report templates from the Reporting application. Back up these files as appropriate.
Streaming Data
If your input data is streaming data, for example UDP packets from a router, and you have a
collector listening for these UDP packets, there is nothing to back up. If the collector receiving the
streaming data goes down, or the host it is running on goes down, the streaming data will be lost
until the collector can be brought up again.
Consider setting up a high availability solution so that if a collector or host goes down, a stand-by
collector can take over collecting from the streaming data source. If you are using a Session Server
for real-time authorization and charging, consider a high availability solution as well. A standby
Session Server can take over upon a system failure and minimize or eliminate loss of data.
File-Based Data
If your input data is in files, back these files up with the collectors other backup files. Place them in
a directory such as /tmp/usage/host/inputdata/. By backing up the data files with the collectors
backup data, you can ensure the input files are in sync with the collectors history and recovery
metadata.
Save the creation date and time of each input file. You can then determine which data files need to
be reprocessed after restoring a collector. The collectors recovery information determines which
input file it needs to process next. When you restore the collector, also restore the input files so the
collector can pick up where it left off.
If your input data is stored on an external device such as a voice switch and the collector fetches the
data files from the switch, check what happens to the files on the switch after they have been
transferred to the leaf collector. Back up the files on the switch itself if it supports backup. You
might also consider backing up each input file immediately after it is fetched from the switch (this is
sometimes a legal requirement). If a leaf collector terminates unexpectedly, its history and recovery
metadata can restore the collection to the appropriate input file.
TIP: Ensure your input data file aging policy is at least as long as the time between backups. This
will ensure no input data files are aged out before they have been backed up.
If you have an error reprocessing collector chain, collector R1 in our scenario, you could use this
chain of collectors to reprocess the data between the last backup and when the system went down.
This means you have to identify, restore and reprocess the input data files that arrived between the
last backup and when the system went down. The siurestore command restores the collectors so
they can continue processing incoming data. Use your error reprocessing collectors to process the
files that arrived between the last backup and when the system came back up.
Session Data
The siubackup command saves current in-memory session data and siurestore restores this data.
You simply back up your session collectors the same as any other collector and restore the collector
using siurestore.
Next, repeat the steps for Server_3, using corresponding Windows commands and tools, directories
and files.
If the next backup is to be a full backup, you can delete all the files on the host after they have been
saved to the long-term archive.
1. Prepare for an incremental backup by making sure the XML files from the previous backup (full
or incremental) are still in the backup directory for each collector. In our scenario, this would be
/tmp/usage/server_1/L1, for example. The siubackup command uses these XML files to
Assuming the existing backup files are in /backup/Voice01, the following command performs an
incremental backup of the collector named Voice01 and places the additional backup files in the
directory /backup/Voice01:
siubackup -n Voice01 -incremental -backupDir /backup/Voice01
1. Make sure all collectors to be restored have STARTUPMODE set to Manual, not Automatic.
If the Configuration Server is running on another host (that is, not the host being restored),
change all collectors on the host being restored to start manually. They must not start
automatically when you restore eIUM. In the Launchpad, select each collector and open the
Properties window either by right-clicking on the collector and selecting Properties, or by
selecting the collector and selecting the Actions:Properties menu. Change the STARTUPMODE
property to Manual if it is set to Automatic.
(If the system you are restoring hosts the Configuration Server, you cannot change the
STARTUPMODE property until the Configuration Server starts. You will modify the configuration
as described below before loading it from backup.)
2. Install the eIUM software from your original product CD or from your backup. Install any eIUM
patches, as appropriate.
3. Make sure eIUM is running properly on the host system. Check the log files and the status
information in the Launchpad.
4. Obtain the backup files you stored from the most recent backup (full or incremental) and place
them in the directory /tmp/usage/<host name> on the eIUM host.
5. For each collector to be restored, obtain all the backup files for each collector starting with the
last full backup, followed by each successive incremental backup in chronological order. Copy all
these files to the directory /tmp/usage/<host name>/<collector name>. Make sure you have
the XML files from the most recent incremental backup.
6. If you are restoring the host with the configuration server, edit the configuration file and make
sure the STARTUPMODE property for each collector on the host being restored is set to Manual.
Each collectors STARTUPMODE property is under the configuration node /deployment/<host
name>/<collector name>/Properties.
NOTE: When loading configurations with the Launchpad or the loadconfig command, make
sure you load valid configurations as the configurations are simply copied into the
configuration server. See the eIUM Command Reference for details on the loadconfig
command.
8. Restore each collector on the host using the siurestore command and the most recent backup
file. Use the full path to the backup file. Make sure the most recent full backup file is restored
and all following incremental backup files are restored.
siurestore -f /tmp/usage/server_1/L1_070620041725_1.jar
10. Optionally copy the log files from the backup directory:
cp /tmp/usage/server_1/logfiles/* /var/opt/SIU/log
11. Restore any other files you backed up such as map files or other files used by the collectors.
12. Restore your input data, if applicable.
When the collector starts running, it first reads its recovery data to determine what input file it
processed last. Most encapsulators then read the next file they are configured to read. The
collector will start reading from where it was as of the last backup.
13. Start each collector. Check the collectors status in the Launchpad and its log files to make sure
it is running properly and processing the restored data files properly.
14. Restore each collectors STARTUPMODE property. In the Launchpad, select each collector and
open the Properties window either by right-clicking on the collector and selecting Properties or
by selecting the collector and selecting the Actions:Properties menu. Set the STARTUPMODE
property to Manual, Automatic, or %DEFAULTS%. See "Automatically Starting a Collector or
Server" (on page 89) for more information.
In general, the recovery would be just like ungracefully shutting down a collector in the hierarchy.
For example, powering off the machine rather than stopping collecting. eIUM is designed to recover
in this situation. The failed collector will be behind the others once restored and will catch up from
the point of its restoration. If higher level collectors depend on it, these collectors will simply wait
for the recovering collector to catch up and pass its previous point, and then begin to read new
NMEs.
If the failed system is the configuration server, there are additional considerations if a collector on a
remote system was configured between the time of the last backup and the failure. In this case,
save the new collectors configuration and then load the new collector configuration information
after the Configuration Server is restored.
Depending on the type of input data, it is possible the restore would roll back the collector to a point
where input data is missing. In cases where the input data for the recovered collector is no longer
available, complete recovery from the last backup to the time of failure will not occur automatically.
The best way to completely avoid losing data is to employ a high availability solution.
When determining the backup strategy for an eIUM deployment with multiple hosts in a collector
hierarchy, it is important to understand the eIUM configuration including items like data sources and
data aging policies so that a strategy that minimizes opportunities for data loss can be avoided.
An offline backup strategy requires stopping all collectors and other eIUM components, performing
a backup, then restarting all the components and collectors. This approach allows individual
collectors to finish active processes, write information that is in memory to disk, and write recovery
information to disk. The information saved on disk while a collector is stopped enables the collector
to start processing from a precise point in time. This method ensures all data has been committed
to disk prior to backup and there are no inconsistencies in where the collector should start
processing.
If using an offline backup strategy, collectors may miss data during the shutdown period if collecting
from certain types of data sources. For example, a Netflow collector that consumes data
transmitted via UDP from an assigned port on a Netflow enabled Cisco device would miss UDP
packets transmitted during its shutdown period.
For an offline backup strategy, follow these basic steps for each eIUM host. These steps can be
automated using scripts executed at appropriate time intervals.
NOTE: The default installation location for eIUM is /opt/SIU, /etc/opt/SIU and /var/opt/SIU on
UNIX, and C:\SIU on Windows. The instructions use these default locations. If you installed eIUM in
a different directory, alter these instructions accordingly. The eIUM commands are in C:\SIU\bin
on Windows and /opt/SIU/bin on UNIX.
1. Stop all collectors on the host. Use the Launchpad or the siucontrol command to stop all
collectors. Stop the collectors in reverse order of the data flow. That is, stop the highest level
collectors first and work down, stopping the leaf level (or first level) collectors last.
2. Back up the Configuration Store for the entire eIUM deployment in an ASCII file.
The ASCII version of the configuration store is created manually using the saveconfig command
or the Launchpad. Prior to a backup, execute a saveconfig for the entire eIUM deployment. This
writes all configuration information into a single file or directory structure in ASCII format that
can be easily and cleanly backed up and restored. Be sure to select a specific directory location
and filename for saving the configuration file and use this directory consistently as the backup
location.
This does not need to be done daily but should be done as a part of a regular full eIUM backup
and after configuration changes have been made.
For example, the following command saves all configuration information under the
configuration tree root (the / path) to the file IUMHost01-07152004.config:
saveconfig -p / -f IUMHost01-07152004.config
For complete details on the siucontrol command, see the eIUM Command Reference.
4. Back up your database. For MySQL backups, use the mysqldump command-line utility. This
utility is included with eIUM, along with other mysql binaries, and is located in C:\SIU\mysql\bin
(Windows) or /opt/SIU/mysql/bin (UNIX).
Before backing up the database, the database server must be running when performing the
backup. The mysqldump utility produces an SQL script that contains the structure and content
of the database tables, and can be used to later restore your database.
To restore data from this backup file, use the mysql command line tool (also see "Managing the
MySQL Database" (on page 95) for more information on this tool). The following are detailed
backup steps you can use for both UNIX and Windows operating systems.
For UNIX, use the mysql.sh script (located in /opt/SIU/sbin), which also includes functionality for
various database operations (for example, starting/stopping/restarting the database server,
and connecting to the server with the mysql command-line tool). The script also includes a
backup option, which allows you to launch mysqldump with the appropriate arguments, and to
store the output to the /var/opt/SIU/mysql/backup directory (using date and time of backup as
the file name). User name and password details must also be passed, using the u and p
options, just as with the mysql tool. For example, a command to execute a backup is the
following:
[root@swtsscn sbin]# ./mysql.sh backup -usiu20 -psiu20
Backup file created:
/var/opt/SIU/mysql/backup/2010-08-10-07h-38m.sql
NOTE: In the above examples, ./mysql.sh connect -usiu20 -psiu20 does not
itself restore a backup, but is instead a convenient way for you to start the command line
client and connect to the corresponding instance of the MySQL server (which corresponds to
the eIUM installation in question).
For Windows, there is no eIUM-specific script for MySQL operations, so the mysqldump utility
should be launched directly. For example:
C:\SIU\mysql\bin>mysqldump.exe -A -usiu20 -psiu20 > .\backup\2010-
08-10.sql
5. Back up the eIUM software. The following describes the directories and files you should back up.
These tables give the default installation locations. If you installed eIUM in an alternate
location, change these to match your environment. For UNIX:
/var/opt/SIU eIUM log files and data files. Binary configuration store files,
named *.db and *.db.last.
For Windows, back up the C:\SIU directory, which contains all eIUM software, log files and data
files.
6. Back up all directories containing your input and output data files. Examples of input data files
are CDR files, log files and other usage and session data files. Check the configurations of your
collector encapsulators for input files and directories.
Examples of output files are IDR files, XML files and binary data files. Check the configurations
of your collector datastores for output files and directories.
7. Back up the file system and the operating system software using your standard backup
solution.
8. Start the Configuration Server. Use an siucontrol command like the following:
siucontrol -n ConfigServer -c startProc
9. Start each collector. Check the collectors status in the Launchpad and its log files to make sure
it is running properly and processing the restored data files properly.
1. Stop all collectors and eIUM processes. Use a command like one of the following:
On Windows: net stop SIU_AdminAgentServer
On HP-UX: /sbin/init.d/SIU stop
On Linux or Solaris: /etc/init.d/SIU stop
2. Restore all eIUM files using your backup solution.
3. Start eIUM on the host with the Configuration Server.
On Windows: net start SIU_AdminAgentServer
On HP-UX: /sbin/init.d/SIU start
On Linux or Solaris: /etc/init.d/SIU start
4. Start any other collectors configured to start manually, if any, on all remaining eIUM hosts.
5. Check to make sure all collectors and other processes that start automatically are running
properly. Check status in the Launchpad, examine log files and output data.
Troubleshooting Recovery
If there are errors after restarting eIUM, then the restored version of the Configuration Store may
be corrupted. In this case, use the ASCII form of the Configuration Store, which you created using the
saveconfig command, to start the Configuration Server using the command: configserver -f
<configuration file name>.
If the Configuration Server starts when manually loading the Configuration Server using the ASCII
configuration file do the following:\
1. Use the loadconfig command to reload the configuration from the ASCII configuration file. For
example, use a command like the following:
loadconfig -f UsageBackup07062004.config
When loading configurations with the Launchpad or the loadconfig command, make sure you
load valid configurations as the configurations are simply copied into the configuration server.
2. Stop the Configuration Server. Use a command like the following:
siucontrol -n ConfigServer -c stopProc
3. Start eIUM.
On Windows: net start SIU_AdminAgentServer
On HP-UX: /sbin/init.d/SIU start
On Linux or Solaris: /etc/init.d/SIU start
For complete information on eIUM commands, see the eIUM Command Reference.
siubackup Command
The siubackup command saves all data associated with a collector. The collector must be running
when you use siubackup. After running this command, save the resulting files using your routine
system backup procedures. Use the siurestore command to restore a collector from backup files.
l Collector configuration.
l Meta data for the collector. That is, the history table and the recovery table.
l Usage data in the collectors datastore.
This command does not save the collectors log file.
Syntax
siubackup -n <collector name> [ -full] [ -incremental] [ -dir
<directory name>] [ -maxfilelimit <files number>] [ -usage] [ -l
<loglevel>] [ -version] [ -propertyFile <file>] [ -host <host>] [ -
iorURL <URL of IOR file>] [ -binRoot <directory>] [ -cfgRoot
<directory>] [ -varRoot <directory>] [ -login <user>] [ -pw
<password>]
Some common options are highlighted in the following table. See the eIUM Command Reference for a
full listing of siubackups options.
Examples
The following example performs a full backup of the collector named SWITCH01 and places the
backup file named SWITCH01_FULL_060620041725_1.jar in the directory /var/opt/backup/usage:
siubackup -full -n SWITCH01 -backupDir /var/opt/backup/usage
The following example performs an incremental backup of the collector named Correlator03 and
places the backup file named Correlator03_060620041725_1.jar in the directory
/var/opt/backup/usage:
siubackup -incremental -n SWITCH01 -backupDir /var/opt/backup/usage
siurestore Command
This section describes the siurestore command for restoring a collector from backup files. The
collector to be restored must be stopped when running siurestore. However, the admin agent and
the configuration server must be running to use this command.
As an added precaution, perform an offline backup, if possible, particularly if there is data in the
collectors to be restored, and if the intent of the restore is to roll back to a given point in time.
To restore one or more collectors, shut down the collectors and clean them up using the Launchpad
or the siucleanup command. Then run siurestore using the backup file for each collector.
After restoring each collector, start each restored collector and make sure it is running correctly by
checking status in the Launchpad, and the collectors log file and output data.
Syntax
siurestore -f <file name> [ -noConfig] [ -l <loglevel>] [ -version] [
-propertyFile <file>] [ -host <host>] [ -iorURL <URL of IOR file>] [ -
binRoot <directory>] [ -cfgRoot <directory>] [ -varRoot <directory>] [
-usage] [ -login <user>] [ -pw <password>]
Some common options are highlighted in the following table. See the eIUM Command Reference for a
full listing of siurestores options.
Examples
The following example stops, cleans up, restores and restarts a collector using the backup file
Correlator03_060620041725_1.jar. The name of the collector is Correlator03.
eIUM Logging
The following topics describe eIUM logging and how you can use logs and configure logging for your
deployment.
eIUM maintains a detailed record of activities by generating operational and audit log messages and
storing them in log files. An eIUM deployment typically consists of several collectors and servers,
such as the configuration server, admin agent, and report server. Your deployment may also include
optional servers such as the report server, session server, and schedule server. Each server can
generate operational messages about activities. Some processes, such as collectors, can also
generate audit messages to monitor data processing. For more information on auditing, see the
eIUM Foundation Guide.
The logging system supports a distributed deployment in which processes run on multiple hosts.
Figure 10-1 shows the logging system in a distributed deployment with two hosts. The logging
system allows each process to write messages to its own log file on local storage.
Basic Logging
Basic use of the eIUM logging system involves:
l Setting log levels: You can set the log levels for different servers and processes. eIUM processes
start with logging enabled at the default level of 4=Informative.
n For a definition of the log levels available, see "Log Levels" (on page 178).
n For instructions on setting log levels through the Launchpad, see "Setting the Log Level from
the Launchpad" (on page 181).
l Viewing log messages: You can view log files using any text editor or the Launchpad. For
instructions on viewing log files with the Launchpad, see "Viewing Log Files in the Launchpad" (on
page 180) for more information.
NOTE: You can use other interfaces, such as the command-line or the properties file to set log
levels. However, for basic logging, using the Launchpad is the most straight-forward way to
adjust log levels.
Advanced Logging
Although setting log levels and viewing logs through the Launchpad are usually sufficient for
monitoring individual eIUM servers from day to day, eIUM also provides fine-grained control of
logging across the deployment. Taking advantage of these additional capabilities may involve
several advanced tasks, including:
l Configuring advanced logging: The eIUM logging system supports a Logging configuration node in
the configuration tree of the Launchpad, through which you can configure logging for a single
process, configure differentiated logging for packages or classes invoked by that process, or and
optionally, to share the logging configuration with other processes. For instructions on
configuring advanced logging through the Logging configuration node, see "Advanced Logging
Configuration" (on page 184).
l Setting up centralized logging: To manage large numbers of log files generated by many
different collectors and servers, you can set up centralized logging to consolidate log messages
and view them in a single, central log file. Options for setting up centralized logging include using
the UNIX syslog daemon, using HP OpenView Operations (OVO), or configuring the eIUM
LogConsolidator. For instructions on consolidating log files, see "Setting Up Centralized Logging"
(on page 188).
Date mm/dd/yyyy
Time hh:mm:ss.ms
Time xxT
Zone
Message (pp.ccc.nn), where pp is the numeric code of the package, ccc is the numeric code
ID of the class, and nn is the numeric code of this message.
Field Description
Level
The following example shows a log message that is Informative in severity level:
03/20/2003 09:37:19.500 PST main (02.010.09) INFORMATIVE: Server
starting in non-secure mode
You can specify whether or not to save Launchpad log files by choosing Options and Preferences and
setting or clearing the Delete Launchpad log file on exit checkbox.
Changing whether or not to save the Launchpad log file takes effect the next time you start the
Launchpad. The current setting is used when the Launchpad closes. If you change the setting to save
the log file on exit, but you want to save a copy of the current Launchpad log file, you must manually
make a copy of the log file before exiting the Launchpad.
Collector log files contain a record of the collector activity, including when a collector starts, when it
flushes records to the datastore, and details of any errors encountered.
Collector log files are typically located in C:\SIU\var\log on Windows and /var/opt/SIU/log on UNIX:
If a primary log file reaches the maximum size, it rolls over to a new file that is renamed to the
rollover log file name, and a new primary log file is created. For example, if the log file for a collector
named voice_collector reaches the maximum size, the primary log file voice_collector.log rolls over
and is renamed voice_collector.logOLD, and then a new voice_collector.log file is created. For more
information on configuring log file rollover and aging, see "Controlling Log File Rollover and Aging"
(on page 182).
Logging output is controlled by the logging level (by default, 4=INFORMATIVE). Logged messages with
a severity below the logging level are not written to the log file. For example, if a collector generates
a DEBUG level log message, the DEBUG message is not written to the log file if the logging level is
set to WARNING.
Setting the LOGDEBUG property or using the -d command line option specifies that the collector use
stderr for logging messages instead of a log file.
NOTE: If a collector throws and logs a Java exception, the messages begin with the problem
followed by a stack trace. That first message is the actual problem encountered, while the stack
trace can give clues about what the collector was trying to do when it encountered the problem.
Read the stack trace from the bottom, where the first class is invoked, to the top, where the
most recent class is invoked, which is the class with the error.
The configuration server uses the same logging mechanism as the eIUM collectors and supports the
same properties. To change the logging level of the configuration server, select the node of the
configuration server, and choose Set Log Level to specify a new logging level. Alternatively, use the
siucontrol utility to change the logging level of the configuration server, for example, enter the
following command to set the log level to 5:
siucontrol -n ConfigServer -c setLogLevel 5
The configuration server uses a primary log file called C:\SIU\var\log\ConfigServer.log on Windows
and /var/opt/SIU/log/ConfigServer.log on UNIX, for the host on which the configuration server runs.
The rollover log file name is ConfigServer.logOLD.
On Windows platforms, the host admin agent and the MySQL database run as Windows Services and
log additional messages about start-up and shutdown. You can use the Event Viewer application to
view messages related to service start-up and shutdown. The service names are SIU_
AdminAgentServer and SIU_MySQL.
On UNIX platforms, when the HP-UX system starts or shuts down, it executes the /sbin/init.d/SIU
script and logs the output to the /etc/rc.log file on HP-UX and /dev/msglog on Solaris. The script
/sbin/init.d/SIU starts the host admin agent daemon and the MySQL database server daemon.
l MySQL server logLog messages concerning server operation are logged to this file, such as
server start-up, shutdown, and any error messages. This log file is located in
C:\SIU\mysql\data\$HOST_ID.err (Windows), or /var/opt/SIU/mysql/data/%HOST_ID%.err (UNIX).
l General query logThe server writes information to this log when clients connect or disconnect,
and it logs each SQL statement received from clients. To activate this logging, execute the
following SQL command:
SET GLOBAL general_log = 'ON';
To disable it:
SET GLOBAL general_log = 'OFF';
general_log_file is a MySQL server variable that points to the general MySQL log location. This file
is typically in C:\SIU\mysql\data\%HOST_ID%.log (Windows), or /var/opt/SIU/mysql/data/my.log
(UNIX).
l my.ini/my.cnf configuration fileThis stores configuration parameters for the MySQL server.
The full list of configuration options can be found at
http://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html.
This file is typically found in C:\SIU\mysql\my.ini (Windows), or /opt/SIU/mysql/my.cnf (UNIX).
To execute SQL statements to enable logging, you can use the mysql.sh command-line tool
described in "Managing the MySQL Database" (on page 95). Using mysql.sh, you can first connect to
MySQL using the following command:
%BINROOT%/sbin/mysql.sh connect usiu20 psiu20
Log files related to eIUM's command line interface and console are found in %VARROOT%/log. For
example, the log file for the repositorymanager command (repositorymanager.log) is located in this
directory. See "Using eIUMCommands" (on page 62) or the eIUMCommand Reference for more
information on eIUMcommands.
Both the RDM log file (rdm.log) and Operations Console log files (OperationsConsole.log,
OperationsConsole.audit.log) can be found in C:\SIU\var\webappserver\logs on Windows, or
/var/opt/SIU/webappserver/logs on UNIX.
For RDM, there are four types of logs that you can look at for additional Information about
operations and errors in RDM.
Log Levels
Each log message has an associated log level that reflects the importance and urgency of the
message. eIUM defines nine log levels listed in descending order of severity in the table below.
Log levels are cumulative. That is, each level includes all the levels numerically below it. For example,
if you set the log level to 2 = Warning, only 0 = Critical, 1 = Error and 2 = Warning messages are
generated. All levels greater than 2 = Warning are suppressed and not published to the log file.
Setting the LOGLEVEL property or using the siucontrol -loglevel command line option controls the
initial collector logging level. Additionally, you can change the collector logging level while the
collector is running by using the Launchpad to choose Actions and Set Log Level or the siucontrol
command. The default logging level for collectors is 4=INFORMATIVE.
You can selectively raise the debug level on individual components or Java classes to target your
debugging and minimize extraneous logging messages, as described in "Setting the Log Level in a
Secondary Property File" (on page 185).
0 CRITICAL Message explaining a fatal error just before a component goes down, for
example, messages about being unable to connect to an eIUM
component.
3 WARNING Message about an unexpected event that might lead to further problems.
Level
Number Level Name Description
Examples are messages about connections lost but that will be retried,
parameters not specified and default values used instead, skipping
invalid input log records, packets dropped, files not found, and warnings
about eIUM license expiration.
5 DEBUG Least detailed and frequent debug messages. Debug messages are
useful only for developers.
Using any of the Debug log levels can significantly reduce collector and server performance. Debug
log messages produce a large number of detailed log messages in a short amount of time The
internal nature of many Debug messages can make them difficult to understand. Only use the
Debug levels temporarily when debugging a collector or server.
In addition to the server logger, eIUM uses an audit logger to track important events during data
processing. The eIUM audit system generates log messages and stores them either in the audit log
files or in the server log files along with the standard operational log messages. Because the audit
logger not a general purpose logger, it supports only a subset of the general server log levels, as
listed below. For more information about the audit system, see the eIUM Foundation Guide.
2 WARNING Indicates that the process encountered an unexpected event that might
lead to an error later.
With the Launchpad running, select the node of the component for which you want to view logs.
Then refer to the following table for what to do next.
IF you want to
view logs... THEN...
in the log viewer Choose Actions and View Log File. The messages contained in the log file are
pane of the shown in the lower log viewer pane of the main window.
Launchpad
in a separate Choose Actions and Open Log Viewer. The log viewer displays as much of the
window through logging file as possible, continually updating the display with messages as
the Log Viewer the component writes them to the file.
tool
If required, click Pause to stop the live screen updates. You can also do a
text search of the log file contents or wrap the text in the Log Viewer tool.
using the siudiag Refer to the eIUM Command Reference for a description of using this
command command.
The logging system supports both static and dynamic configuration control. Static control allows you
to specify a configuration and then re-launch the process with the new settings. Dynamic control
allows you to update the configuration for a running process.
All eIUM processes start with logging enabled. The default log level is 4=INFORMATIVE. See "Log
Levels" (on page 178) for a description of the log levels available. The eIUM logging system provides
the following interfaces, which you can use to change the log level to increase or decrease the
granularity of log messages.
l Launchpad
l Command Line
l Process Properties Node
l Configuration Tree
l Inherited Property File
The following sections show you how to configure the log level from each interface.
Precedence of Settings
If any of the logging settings conflict across these different interfaces, the settings apply in the
above, numbered order of precedence. Namely, configuration set using the command line or the
Launchpad takes precedence over the remaining interfaces and configuration set through the
process property file takes precedence over that set using the configuration tree or inherited
property files.
1. With the Launchpad running, select the node of the eIUM component for which you want to set
the log level.
2. Choose Actions and Set Log Level, or right-click and choose Set Log Level.
3. Choose a log level. For a description of each log level, see "Log Levels" (on page 178).
4. Click OK. eIUM writes an accounting message to the log file of the component recording that
the log level is changed.
NOTE: The log level set from the command-line or the Launchpad overrides the log level set in the
process property file or the Properties configuration node.
To change the log level of a running process, execute the following command:
siucontrol -n <collector-name> -c setloglevel <log-level>
You must specify an integer value from 0 to 8 as the <log-level> as described in "Log Levels" (on
page 178).
You can also start a collector at a specific log level by executing the following command:
siucontrol -n <collector-name> -loglevel <log-level> -c startProc
The eIUM logging system supports simple log file rollover and again. Simple log file rollover involves
archiving the old log file and starting with a new one. You can configure processes to roll over their
log files based on the size of the current log file. When a log file, say netflow_collector.log,
reaches its maximum size, it is renamed netflow_collector.logOLD. Subsequent log
messages are written to the now-empty primary log file netflow_collector.log. If an old file
already exists, it is overwritten. The logging system maintains at most one current and one previous
log file for each process at any given time.
NOTE: To configure time-based rollover, you must disable automatic rollover and use an external
script to perform this operation. For instructions on configuring collectors to create time-based
log files based on simple file roll policies, such as date and time based policies, see "Reading and
Processing Log Files with a Collector" (on page 183).
for all the Edit the following line in SIU.ini file of your eIUM installation directory, where
processes in your the default value is 50,000 lines maximum allowed in the primary log file:
eIUM deployment
LOGLINELIMIT = 50000
for an individual Determine whether a .properties file containing the LOGLINELIMIT setting is
process, through already created by looking in the /var/<Collector Name> directory of your
the process eIUM installation, where Collector Name is the name of the collector or
.properties file server:
To change the
LOGLINELIMIT... Take these steps...
for an individual With the Launchpad running, select the node of the collector or server for
process through which you want to change the LOGLINELIMIT.
the Launchpad
1. Right-click on the node, and choose Properties.
2. Right-click on the Properties node, and choose Add Attribute.
3. Enter LOGLINELIMIT for the new attribute name.
4. For the attribute value, specify the maximum number of lines that you
want the primary log file to contain before rolling over, for example,
25000.
5. Click Apply and OK.
The collector log file contains various eIUM system messages about errors, warnings, informational
notes, and other operational results and audit details, depending on the logging configuration. By
default, the LogFileHandler component of a collector writes these messages to the collector log file,
rolling over messages to a new log file once the number of lines exceeds the LOGLINELIMIT. You can
use a higher level collector to read these log files, however, this may be tedious due to the rolling
nature of the files. Therefore, you may prefer that your collectors generate log files with time and
date-based file names. In this case, you can configure the RollingLogFileHandler component.
When this file reaches the log limit based on the file size or number of lines or timestamp, it
renames the log file with a logOLD name (based on the configured LogFileRollPolicy) and continues
logging messages from the beginning of the current log file. If abc.log was the current file, then the
history of files created would look like this:
In this mode, the downstream collectors which reads the log file using a RenameFilePolicy cannot
read the files in time, accurately and completely.
The LogFileHandler generates each new log file with a new name, rather than reusing the original
file and renaming it when it is full. It creates the log files as follows:
The RollingLogFileHandler changes the name of the current log file whenever a roll is triggered
instead of renaming them. When the log file is full, the RollingLogFileHandler opens a new file with a
new name, as specified by the log roll policy, and starts populating it with log messages. The
RollingLogFileHandler creates each log file with a unique name, and the name is retained after the
file is full and closed. Once this component creates a log file, it does not rename the file. For more
information on the RollingLogFileHandler component, refer to the eIUM Component Reference.
l Configuring server logging. You can configure server logging through the eIUM configuration tree
in the Launchpad. Performing advanced logging for a single process, such as a collector, requires
creating a Logging configuration node. For instructions on configuring logging for a single
process, including setting the Loggers and HandlerNames configuration attributes, see
"Configuring Server and Process Logging" (on page 184).
l Configuring logging for packages and classes. The eIUM logging system supports differentiated,
granular logging for functional areas of the system, namely classes and packages. For example,
you can configure differentiated logging if you want eIUM processes to log at level
4=INFORMATIVE, and you want the encapsulator package to perform more detailed logging, such
as DEBUG level logging. For information on configuring logging for packages and classes, see
"Configuring Logging for a Package or Class" (on page 184).
l Sharing with Linked Configurations. With linked configurations, you can define a logging
configuration once and reuse it across several processes. For instructions on sharing logging
configuration, see "Using Linked Configurations" (on page 188).
On creation of the Logging configuration node, the default log level of 4=INFORMATIVE is set.
This is equivalent to -l 1 with ProcessArgs.
2. To change the log level for the collector, specify the level in the Loggers attribute as
Loggers=com.hp,<log level>. For example:
[/deployment/Host/Collector/Logging/]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
Loggers=com.hp,CRITICAL
3. Set the Loggers configuration attribute. For a description this attribute, see "Loggers
Configuration Attribute" (on page 186).
4. Set the HandlerName attribute. For a description this attribute, see "HandlerNames
Configuration Attribute" (on page 186).
existing logger with whose name the new loggers name startsis identified (as close a match as
possible) as its parent. Similarly, a child, if any, is identified for the new Logger object.
Each Logger object has a useParentHandlers condition. When set to true, whenever the Logger is
asked to log a message (apart from asking the handler object under it to publish the message), it
also publishes the message to its parents handler, its parents parents handlers, and so on. By
default, useParentHandlers is set to true.
In a typical scenario, none of the logger objects, apart from the one having the name com.hp has a
Handler object. The handler object under the com.hp Logger object is the one logging messages at
%VARROOT%/log/collector.log.
To configure logging for a package or class, you can add another Logger attribute under the parent
Logger, setting the value to the package name of the encapsulator component. An example
configuration node follows:
[/deployment/Host/Collector/Logging/]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
Loggers=com.hp,INFO
Loggers=com.hp.siu.collector.encapsulator,DEBUG
Furthermore, you can change the log level for one or more individual components or Java classes.
For example, if you suspect that a particular encapsulator has configuration problems, you can raise
the log level for just the encapsulator and all its subcomponents. This avoids the potential problem
of generating large numbers of unrelated log messages. A process can store its run-time properties
in a property file, which can be read whenever the process starts. Each process uses the SIU.ini
property file by default.
The default SIU.ini property file sets the log level to 4=INFORMATIVE. This is the default for the host
and is used by all processes except where it is overridden. You can modify the LOGLEVEL value in
SIU.ini to change the default log level for all eIUM processes on the host.
NOTE:Be careful when modifying the SIU.ini file because your changes could render eIUM
inoperable. You should not modify the lines indicated at the top of the file.
Specify this property file in the -propertyFile option of any eIUM command. For more information on
setting the log level in a property file, see "Start-Up Properties" (on page 230) or the eIUM Command
Reference.
l Loggers
l HandlerName
Also see the eIUM Component Reference for more information on SvrLogManager.
l LoggerName: Gets the name of the logger that logged the event.
l Level: This is an optional value that you can set to override the value that may have been set
previously, for instance, passed as a run time parameter through the command line. The value of
level specifies the log level for this logger and all the children of this logger, as defined by the
Logger name.
l useParentHandlers: Another optional value. When set to false, messages sent to this Logger are
not propagated to the handler object of the parents in the Logger hierarchy. If this value is set to
true for any children of the Logger, all messages of the children are propagated to handler
objects of the parents. For example, you may want to set useParentHandlers to false if you want
to redirect all messages sent to a particular Logger to a Handler other than the default Handler.
The default value for this component is true.
If the ClassName attribute of the specified configuration node is not set, the HandlerName
configuration attribute uses the LogClassLoader instead of the ConfigNodeName. When the
LogClassLoader is loaded, the configuration node can have the following attributes:
1. The FilterClass, if specified, is loaded, configured, and set for the handler. When a message is
ready to be logged, it passes through the filter, which confirms that the message can be
logged. The Handler then publishes the message.
2. The FormatterClass, if specified, is loaded, configured, and set for the Handler.
[/deployment/ASAWCZYN/Demo/Logging]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
Loggers=com.hp.siu.collector.datastore,DEBUG4
Loggers=com.hp.siu.collector.datastore.JDBCMetaStore,DEBUG,false
Once you define a Logger for a package, which in this example is the datastore package, by default,
all classes under datastore have the same log level. If you want different classes under a hierarchy
to use different log levels, you need to define a separate logger for each class, for example:
Loggers=com.hp.siu.collector.datastore.JDBCMetaStore,DEBUG
Loggers=com.hp.siu.collector.datastore.JDBCFileDataStore,DEBUG2
Loggers=com.hp.siu.collector.datastore.MuxDataStore,DEBUG4
[/deployment/testhostid/demo/Logging]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
HandlerNames=TestHandlerNode
Loggers=com.hp.siu.collector.datastore,DEBUG4
Loggers=com.hp.siu.collector.aggregator.HashMatchRule,DEBUG4,false
[/deployment/testhostid/demo/Logging/TestHandlerNode]
FormatterClass=com.hp.siu.logging.SimpleLogFormatter
HandlerClass=com.hp.siu.utils.LogFileHandler
LoggerNames=com.hp.siu.collector.aggregator.HashMatchRule
LogLevel=8
l The LogFileHandler, by default, logs all messages into the error stream, namely, the collector_
stderr file under the %VARROOT%/collector directory. When the demo collector runs with the
following configuration, all log messages from the HashMatchRule should be stored under the
demo_stderr file and must not appear in the demo.log file.
[/deployment/Host/MyCollector/Logging]
Link=/deployment/Host/DemoCollector/Logging
In addition, you can partially override the linked configuration by specifying attribute values locally.
For example, to override the log level of MyCollector while retaining other configuration attributes
of DemoCollector, specify the Loggers attribute value as follows:
[/deployment/Host/MyCollector/Logging]
Link=/deployment/Host/DemoCollector/Logging
Loggers=com.hp.siu.collector.encapsultor,DEBUG4
[/deployment/Host/MyCollector/Logging]
ClassName=com.hp.siu.serverutils.SvrLogManager
Loggers=com.hp.siu.collector.datstore,DEBUG
Loggers=com.hp.siu.collector.encapsulator,DEBUG
As this example shows, you can use linked configurations to improve the manageability of complex
configurations.
UNIX Syslog For eIUM deployments on the HP-UX platform, you can use the UNIX syslog
Daemon daemon to set up centralized logging. This allows eIUM to send log messages
from each eIUM process to a local syslog daemon, which then writes the log
messages in time sequence to the syslog log file. For instructions on setting up
centralized logging using the UNIX syslog daemon, see "Configuring Centralized
Logging Using Syslog" (on page 190).
LogConsolidator For eIUM deployments on any of the certified platforms, you can use the eIUM
LogConsolidator to set up centralized logging using a third-party provider, such
as JBoss. Using LogConsolidator allows you to centralize eIUM log messages
from multiple collectors to a single log file. For instructions on setting up
Option Description
HP OpenView You can use the built-in eIUM logging mechanism to centralize logging if you are
Operations managing your eIUM deployment with OVO to send log messages to the OVO
(OVO) message browser. For instructions on setting up centralized logging with HP
OVO, see "Configuring Centralized Logging Using OpenView Operations" (on page
200).
The eIUM logging framework allows you to stack additional handler-formatters. Each handler in the
stack processes messages at its log level and passes the log messages down the chain. The eIUM
logging system provides two handlers that you can stack to set up centralized logging, UDPHandler
and OVOHandler.
To centralize log messages, you need to configure a handler and a formatter. Optionally, you can
also configure a filter to send the log messages to the central log and a file roll policy to manage the
central log file. The eIUM logging system provides a handler-formatter combination for use with
syslog and a handler for use with OVO, as follows:
l For use with Syslog, the UDPHandler and SyslogFormatter send log messages to the syslog
daemon, which writes all messages to the central log file.
l For use with OVO, the OVOHandler sends log messages in the form of events to the OVO Message
Browser.
NOTE: Although the OVOHandler consumes more system resources than the UDPHandler and
SyslogFormatter, you may find this option preferable if you are managing your deployment with
OVO.
The eIUM logging system is built on an implementation of the JSR (Java Specification Request) 47
Logging API Specification and includes the following key elements:
l LoggerThe main component to which applications make logging calls. eIUM uses one Logger
object for each class to log messages for a each eIUM process.
l LogRecordUsed to pass logging requests between the logging framework and individual log
handlers.
l HandlerObject that takes log messages from a Logger object and imports the log messages.
For example, a Handler may write logs to a console or file, or it may send them to a network
logging service or the log file of an operating system.
l LevelDefines a set of standard logging levels that you can set to control the level of detail in
log messages. eIUM extends JDK log levels with its own log levels. You can configure processes to
output logging for some levels while ignoring output for others.
l FilterProvides fine-grained control over what gets logged beyond the control provided by log
levels. The eIUM logging API supports a general-purpose filter that you can use to attach
arbitrary filters that control logging output.
l FormatterSupports the formatting of LogRecord objects. The JDK package includes two
formatters, including SimpleFormatter, which formats log messages in plain text, and
XMLFormatter, which formats logs in XML. In addition, eIUM provides the SyslogFormatter.
For more information on using the JDK package to provide specific levels of detail in log messages,
see "Logging SDK Javadocs" (on page 190) or the JSR 47 Logging API Specification.
As shown in the figure, an eIUM process makes logging calls on a Logger, which allocates LogRecord
objects and passes them to a Handler. Both the Logger and the Handler use logging levels, and
optionally, filters to determine whether they want to receive a particular LogRecord. A Handler may
use a Formatter to localize and format the LogRecord before writing the log message to an external
destination.
NOTE: The eIUM logging system has been tested with syslog on the HP-UX 11i platform. Although
eIUM should operate properly with syslog on other platforms, they have not been tested and are
not certified on this version of eIUM.
The following figure provides a high-level view of centralized logging with Syslog.
As shown in the figure, the eIUM logging system sends log messages from servers and collectors to
the syslog daemon, which in turn consolidates the logs to a single file. The syslog daemon uses the
UDPHandler and SyslogFormatter to convert eIUM messages into the syslog format. Based on the
eIUM log level, you can control which messages are sent to the syslog daemon and at what syslog
level. For a definition of each Syslog level, see "Syslog Levels Corresponding to eIUM Log Levels" (on
page 195).
The standard HP-UX implementation of the syslog daemon receives messages over UDP. UDP
packets are connectionless datagrams that may be discarded on the network before reaching their
destination. Therefore, you should configure eIUM processes to send messages to the syslog
daemon on the local host only, rather than on a remote host so that packets are not lost in transit
across the network.
l Invoking a Handler
l Configuring the Handler as a UDPHandler
l Configuring the SyslogFormatter
l Configuring the FileRollPolicy
A syslog message is an ASCII string that consists of a message priority, a timestamp, and the
message string. Priority is encoded as an ASCII string enclosed by the angle brackets < and > at the
beginning of the string. Message priority is the ASCII integer encoding of an 8-bit quantity. This
quantity is a combination of a 3-bit field (bits 0 through 2) used for log level and a 5-bit field (bits 3
through 7) used for the facility. Thus message priority level can have 8 possible values, and message
facility up to 32 possible values.
Fore more details, refer to the The BSD syslog Protocol, IETF RFC 3164, August 2001, at
http://www.ietf.org/rfc/rfc3164.txt.
SYSLOG Components
The syslog system consists of the following components:
l Message Format Specificationsyslog messages are encoded as ASCII strings. The syslog
message format is defined in the include file /usr/include/syslog.h.
l A set of calls for creating those messagesMessages are created through one of the
standard interfaces to syslog. The library call syslog(3c) is a C-code interface for creating
message strings. The logger(1) command creates syslog messages from the command line or
within a shell script. eIUM uses these interfaces to generate log messages.
l A set of locations from which messages can be readEvery syslog message must be directed
to one of many communication channels, such as /dev/log, /dev/klog, and UDP port 514. eIUM
sends log messages at UDP port 514 by default.
l A daemon that reads from these locationsThe syslogd daemon is a user-space process. It
waits for messages on specific communication paths and directs the message to specific output
locations. A message that is logged (to a file, a logged-on user, or the console) is also formatted
and tagged with the system name. The syslogd daemon may also do some filtering of messages
to, for example, prevent repeated messages from flooding the system.
l A set of locations to which messages can be directedYou can direct messages to one or
more locations, including sockets, files, the system console, and logged-on users. You must
specify the location of the log file as /var/opt/SIU/log/syslog.log.
l Rules for how messages are directedYou can specify configuration rules that determine how
messages are logged and the locations to which they are logged in the /etc/syslog.conf file.
[/deployment/Host/DemoCollector/Logging/]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
Loggers=com.hp,INFO
Loggers=com.hp.siu.collector.encapsulator,DEBUG
HandlerNames=MyCentralLogHandler
[/deployment/Host/DemoCollector/Logging/MyCentralLogHandler]
HandlerClass=com.hp.siu.serverutils.logging.UDPHandler
Because the eIUM logging system uses the UDPHandler in the context of centralized logging, all
other configuration attributes have default values set for this purpose. You may, however, change
any of these attributes:
DestinationHostName=localhost
DestinationPort=514
LocalPort=<random available>
LogLevel=INFO
LoggerNames=com.hp
NOTE: You can configure the destination hostname to be other than the localhost, but this
configurationin which the syslog daemon is on a remote hosthas not been certified with this
release of eIUM. Also, you can specify a localport to which the UDPHandler binds in order to send
messages to syslog if you need to use a fixed port number.
FormatterClass=com.hp.siu.serverutils.logging.SyslogFormatter
SyslogFacility=USER
NOTE: SyslogFacility must match the syslog facility defined in the syslog daemon configuration.
Optionally, you can enable the UDPHandler to manage the syslog log file by rolling over the file at
specific intervals and aging the previous log file. The SyslogFormatter supports this function using
SyslogTimeIntervalLogFileRollPolicy. To use this file roll policy, specify the following required
attributes:
LogFile=/var/opt/SIU/log/syslog.log
LogFileRollPolicyClass=SyslogTimeIntervalLogFileRollPolicy
RollIntervalClass=DaysInterval
RollInterval=7d
NOTE: The path to the log file must be /var/opt/SIU/log/ because the host admin agent may not
have access to files outside the eIUM directory hierarchy.
SyslogPIDFile=/var/run/syslog.pid
SyslogdHUPCommand=/usr/bin/kill -HUP
[/deployment/Host/DemoCollector/Logging/]
ClassName=com.hp.siu.serverutils.logging.SvrLogManager
HandlerNames=MyCentralLogHandler
[/deployment/Host/DemoCollector/Logging/MyCentralLogHandler]
HandlerClass=com.hp.siu.serverutils.logging.UDPHandler
LoggerNames=com.hp
FormatterClass=com.hp.siu.serverutils.logging.SyslogFormatter
SyslogFacility=USER
LogFile=/var/opt/SIU/log/syslog.log
LogFileRollPolicyClass=SyslogTimeIntervalLogFileRollPolicy
RollIntervalClass=DaysInterval
RollInterval=1d
To view the central log file created by syslog, specify the syslog file location and launch the central
log viewer in the Launchpad as described below.
The central log file on a host contains log messages consolidated from processes that have been
configured with the UDPHandler and the SyslogFormatter. You can have more than one central log
file on a host. To specify the location of the central log:
Viewing the central log file is similar to viewing a log file for an eIUM process. The central log view is
disabled if a UDPHandler and SyslogFormatter have not been configured on the host. To view the
central log file in the main window:
Alternatively, you can view the central log file in a separate window. The Central Log Viewer provides
a search function that you can use to wrap the text of the log message and pause the screen
refresh of the log viewer. To open the Central Log Viewer:
NOTE: If you have more than one central log file configured on the host, the Launchpad prompts
you to select the log file you want to view.
- 0 LOG_EMERG
- 1 LOG_ALERT
CRITICAL 2 LOG_CRIT
ERROR 3 LOG_ERR
WARNING 4 LOG_WARNING
ACCOUNTING 5 LOG_NOTICE
INFO 6 LOG_INFO
You can download JBoss 3.2.1 and later versions compatible with eIUM from
http://www.jboss.org/jbossas/downloads/.
NOTE: Until version 4.5 Feature Pack 6, the JBoss server was bundled with eIUM as the default
JMS provider for the LogConsolidator. However, as of eIUM 5.0, no default JMS Provider is
supplied. Use the JMS provider of your choice.
This section describes the components involved in consolidated logging and also describes
configuring LogConsolidator using a third party provider, including JBoss.
LogConsolidator is an eIUM process that you deploy to consolidate log messages from multiple
collectors into a single log file. The LogConsolidator and collectors communicate over JMS. The
collectors, the LogConsolidator, and the JMS provider each play a part in consolidating logs.
l Collector: You can configure an eIUM collector for centralized logging by selecting the
appropriate handler in the logging section of the collector configuration. A configured collector
opens a JMS Topic (Topic/IUMLogging) for publishing messages, encapsulating all messages that
can be logged in a JMS message and posted on this topic.
l LogConsolidator: LogConsolidator is a server that subscribes to a JMS topic called IUMlogging.
LogConsolidator listens to messages on this topic and logs them into a single, consolidated log
file.
l JMS Provider: Any third party provider, such as JBoss. The provider opens a topic on which
collectors can post messages and from which the LogConsolidator can read them.
LogConsolidator is preconfigured to look for topic/IUMLogging.
l Naming Service: A JMS Provider generally includes a naming service. eIUM processes, namely
Collector and LogConsolidator, use this service to look up the registered topic (topic/IUMLogging).
This topic is a JMS object on which publishers and subscribers can post and read messages.
The figure below illustrates the interaction between these components:
Subsequent sections illustrate with examples how to configure each component to enable
consolidated logging with eIUM LogConsolidator.
FormatterClass=com.hp.siu.utils.LegacyLogFormatter
HandlerClass=com.hp.siu.serverutils.logging.JMSHandler
LoggerNames=com.hp
LogLevel=INFO
Password=guest
Topic=topic/IUMLogging
UserName=guest
JNDI-
Prop-
erties=java.naming.factory.initial,org.jnp.interfaces.NamingContextFactory
JNDIProperties=java.naming.factory.url.pkgs,org.jnp.interfaces
JNDIProperties=java.naming.provider.url,jnp://localhost:1099
To create a Log Consolidator, from the Launchpad, choose File, New, and Collector. Then from the
list of temples, choose LogConsolidator, and click Next. Specify the Host and Collector Name, and
click Create.
Any JMS provider can be used for LogConsolidator. LogConsolidator needs a Naming Service and
Messaging Service from the provider. Naming Service looks up the topic while the Messaging Service
reads and writes messages.
A. Activating Naming Service: By default the Naming Service is active and uses port 1099. However,
if the Naming Service is not found to be active, edit the jboss-service.xml
(<jbosshome>/server/default/conf/) file, uncomment the service configuration, if commented, and
record the port used.
<mbean code="org.jboss.mq.server.jmx.Topic"
name="jboss.mq.destination:service=Topic,name=IUMLogging">
<dependsoptional-attribute-
name="DestinationManager">jboss.mq:service=DestinationManager</depends>
<depends optional-attribute-
name="SecurityManager">jboss.mq:service=SecurityManager</depends>
<attribute name="SecurityConf">
<security>
<role name="publisher" read="true" write="true" create="false"/>
<role name="guest" read="true" write="true" create="false"/>
<role name="durpublisher" read="true" write="true" create="true"/>
<role name="subscriber" read="true" write="true" create="true"/>
</security>
</attribute>
</mbean>
C. Adding Users: Add users to the JBoss user list with iumlog as both the user name and password
and assign the roles of publisher, subscriber and durpublisher.
If you are using JBoss 3.2.1, you can add users by adding a jboss-mq state file to
<jbosshome>/server/default/conf/. The content of the file appears as follows:
</DurableSubscriptions>
</StateManager>
With JBoss version 4.0, add users by editing the file hsqldb-jdbc-state-service.xml located under
<jbosshome>/server/default/deploy/jms. Add the highlighted portion in the example to this file.
JNDIProperties= java.naming.factory.initial,
org.jnp.interfaces.NamingContextFactory
l JNDIProperties=java.naming.factory.url.pkgs, <org.jboss.naming:org.jnp.interfaces>
The value of the property should be a colon-separated list of package prefixes for the class
name of the factory class that will create a URL context factory.
For JBoss:
JNDIProperties= java.naming.factory.url.pkgs,
org.jboss.naming:org.jnp.interfaces
Where IP address is the IP address of the host on which earlier configured Naming Service is
running and the port number is where the JNDI service is bound to.
Client Libraries
Every JMS Provider has client libraries (jboss-client-all.jar for JBoss) that provide a means of
communication to the JMS Provider. These libraries must be visible to the LogConsolidator process
and the Collector process. To make them visible, copy the client jar files to a convenient location and
add the jar file location to the eIUM class path using the Launchpad. To add the jar file location,
select the host machine in the Launchpad and select Actions -> Host Default Properties. Right click
ClassPath and select Add Value, then add the jar file location.
NOTE: eIUM provides OVO template files that provide corrective actions in response to specific
events. For instructions on uploading these templates and configuring OVO to use them, see the
eIUM Foundation Guide.
eIUM can send log messages to any version of OVO, including previous versions of OpenView
VantagePoint Operations and OpenView IT/Operations. If you set up centralized logging using OVO,
the process logger uses the OVO log handler. The OVOHandler creates a custom OVO log formatter
to send log messages to the OVO message browser. You can control which messages eIUM sends to
the OVO message browser based on the eIUM log level and at what severity level the messages are
displayed in the message browser.
To prevent eIUM collectors from sending a storm of log messages to OVO, each of which must be
acknowledged by the OVO operator, only 20 non-CRITICAL messages are sent to OVO in any 5-minute
period. CRITICAL messages are exempt from this restriction and no limit applies to the number of
CRITICAL messages that OVO can receive. If messages cannot be sent to OVO for any duration, a
special message indicating the number of messages dropped is sent to OVO after logging resumes.
The siulogmerger utility combines eIUM log files into a centralized file of the format required by
OVO. This utility continually monitors eIUM log files, adding new log messages to the centralized file
as they are created. The OVO templates provided with eIUM instruct OVO to read the centralized log
file and display the messages into the OVO Message Browser.
To start siulogmerger and create the central log file, use the following command:
Add this command to a local boot script so that each time the system or the eIUM components start,
this command is run.
NOTE: When adding to a boot script, it is recommended that you use the nohup command to start
the script by preceding the above command with nohup. For more information on this
command, see the nohup main page on UNIX.
3. Select the check box to send eIUM log messages to OVO. This setting applies to all hosts that
OVO is managing in the eIUM deployment. If an eIUM host is not running an OVO agent, you
cannot monitor the eIUM components on that host using OVO.
4. Map each eIUM log level to the corresponding OVO severity. These mappings apply uniformly to
all collectors in the eIUM deployment. You should not send INFORMATIVE messages to OVO.
5. Click OK. Your changes are saved to the configuration server. From now on, each collector that
starts sends log messages of the specified levels to OVO. Collectors that are already running
are not affected by this change. You must restart them for the changes to take effect.
6. Restart each collector in your eIUM deployment to which you want to apply these changes.
NOTE: eIUM provides templates for OVO v.7 and VPO v.6 on HP-UX and Oracle Solaris.
1. Copy the appropriate version of the process.pl Perl script to the directory where local system
tools are located.
/opt/SIU/OV/hpux.bin/process.pl (HP-UX)
/opt/SIU/OV/solaris.bin/process.pl (Solaris)
This script requires Perl to be present on the system. Make sure that the first line of the script
refers to the location of Perl on this system.
2. Run the Launchpad.
3. Right-click the host to be configured and, from the pop-up menu, select Properties. The
Launchpad displays the parameters used whenever this hosts admin agent starts.
4. Right-click the Properties node and, from the pop-up menu, select Add Attribute. The
Launchpad displays the Add Attribute dialog box.
5. In the edit box, type in the property NOTIFYCOMMAND and click OK. The Add Attribute dialog box
requests a value for the attribute.
6. Type in the complete path name of the process.pl script. Specify the location where you
installed it; DO NOT run it directly from /opt/SIU/OV.
7. Click OK.
You can enable eIUM processes to send log messages to the OVO agent running on that host using
the OVOHandler. The operator can then view these messages as events in the OVO Message
Browser. Because OVO has its own definition of severity levels, eIUM log levels must be mapped to
OVO severity levels. This correspondence can be changed, but eIUM recommends the following
(default) mapping:
CRITICAL critical
ERROR major
WARNING warning
ACCOUNTING minor
NOTE: Log messages at level 4=INFORMATIVE and higher should be withheld from the OVO
message browser because the volume of messages at these levels would drown out the relatively
rare but more important messages at other log levels.
l "Troubleshooting" (on page 207) describes ways to examine your eIUM deployment to determine
if it is running properly.
l "Solving Specific Problems" (on page 218) describes specific problems you may encounter and
how to resolve them.
l "Security Issues" (on page 220) describes several security-related troubleshooting scenarios.
Troubleshooting 207
Troubleshooting
The following sections describe ways you can examine your eIUM deployment to determine if it is
running properly.
This uses the IOR URL to contact the eIUM configuration server on the remote host. For a secured
host, this can only be performed from hosts that have had eIUMsecurity properly installed and that
have been added to the secured deployment. See "Check the IOR URL and the IOR" (on page 208) for
more information. Also see the eIUM Installation Guide for details on the IOR URL.
If you have installed any eIUM patches, examine the host log file to make sure the patch information
appears there.
1. Open the SIU.ini file in <VARROOT>, typically C:\SIU\SIU.ini on Windows and /var/opt/SIU on UNIX.
2. Find the line beginning with IORURL. For example, the following is a possible IORURL:
IORURL=file:/C:/SIU/var/ConfigServer.ior
3. Copy the value of the IORURL to a web browser address line and view the URL destination. The
result should be a string beginning with IOR: and followed by several lines of numbers. This is
the IOR. If you do not get this result, see the eIUM Installation Guide for details on configuring
the IOR URL.
To test the IOR itself, try running the Launchpad from a command line using the IORURL. That is, run
the launchpad command with the -iorurl option and provide the IORURL from the SIU.ini file.
For example, if the IORURL were file:/C:/SIU/var/ConfigServer.ior, the following command runs the
Launchpad and displays the deployment:
launchpad -iorurl file:/C:/SIU/var/ConfigServer.ior
If the Launchpad does not display your deployment properly, the configuration servers IOR could be
invalid. You can regenerate the IOR as follows.
You can use the HP eIUM Launchpad to examine the current status of each eIUM process as follows:
To test the collector administrative interface, use the Launchpad or siucontrol command to perform
an administrative task, such as getting statistics. An active collector should show a growing NME
count.
To test the collector data retrieval interface, use the siuquery command to extract some of the
collected data.
If the collector appears to be running but the interfaces do not appear to be operating, the collector
IOR information in the configuration server may be incorrect.
To test that the configuration server administrative interface is operational, use the Launchpad or
siucontrol command to perform an administrative task, such as getting statistics.
To test the configuration server configuration retrieval interface, use the loadconfig utility to
extract some portion of the configuration.
On Windows, make sure the service named <eIUM instance name>_AdminAgentServer is running. On
UNIX, make sure the daemon of the same name is running.
View the admin agents log file in <VARROOT>/log/<host>.log and look for any error messages.
See also "Troubleshooting Windows Services" (on page 215) and "Troubleshooting UNIX Daemons"
(on page 216) for specifics on checking the host admin agent.
Test that the MySQL database process is running on the host by looking for the mysqld process. On
Windows use the Task Manager. On UNIX platforms, use the ps -ef command.
See the HP eIUM Component Reference for more information on the collector datastore.
On Windows, MySQL runs as a separate service and its status can be checked using the Windows
Services tool. MySQL can also be started, stopped, and restarted in the Services interface. On UNIX,
the MySQL start/stop script (%BINROOT%/sbin/mysql.sh) can be used to check MySQL server status.
For example:
$>./mysql.sh status
MySQL is running [SUCCESS]
For example, each eIUM host runs a process called the admin agent. The admin agent manages
other eIUM processes on the host and communicates with other eIUM hosts. The pid for the admin
agent process is in the file VARROOT/<host id>/pid.txt. For example, if eIUM is installed at C:\SIU on a
host named IUMhost01, the admin agents pid would be in the file C:\SIU\var\IUMhost01\pid.txt.
The pid for a collector named Radius12 on a UNIX installation at /opt/SIU would be in the file
/var/opt/SIU/Radius12/pid.txt.
You can use the pid number to get system status about the eIUM server process. For example, you
can use the UNIX ps command to check the status of a server process. On Windows systems you can
use the Task Manager to view the status of a server process.
Perform Diagnostics
HP eIUM can perform several different diagnostics that can inform you of potential problems with
your deployment. Use the eIUM Launchpad to view diagnostics for the entire deployment, any
particular host, collector, or the configuration server as follows:
Deployment Diagnostics
You can request the following diagnostics for your entire deployment:
Deployment Diagnostics
Diagnostic Description
Host Diagnostics
You can request the following diagnostics for any host in your deployment:
Host Diagnostics
Diagnostics Description
eIUM Displays the version number of eIUM, configuration files and other configuration
Installation information.
System Displays information about the host system environment, such as the type of
Environment system the host is (for example, Windows or HP-UX), and the time zone.
Admin Agent Displays whether or not the host admin agent is running and a list of processes
controlled by the host admin agent.
Collector Diagnostics
You can request any of the following diagnostics for a collector:
Collector Diagnostics
Diagnostic Description
Startup Parameters Displays the parameters used when the collector started
running.
NME Schema Displays all the types of fields an NME can contain.
Database Check connection, Contacts the collectors data store and displays the results.
query time range.
Diagnose History Table Checks the collectors history table and reports the results.
Read Recovery Table Displays the name of the collectors recovery table.
Startup Parameters Displays the parameters used when the configuration server started
running.
Check CORBA Performs a check of the CORBA communications layer and reports
communication the results.
You can also use the saveconfig command to examine the configuration. Ensure that the NME
schema and the collector configurations exist in the configuration server.
If necessary, use the loadconfig command to reload the eIUM product templates or a saved backup
configuration. Use caution when loading configurations because existing configurations can be
overwritten.
NOTE: Use caution when running multiple instances of the Launchpad. Only one program at a time
should be changing the eIUM configuration, as the configuration server has no mechanism to
prevent multiple programs from saving the configuration. Only one person at a time should be
using the Launchpad or the loadconfig command since these can change the eIUM configuration.
NOTE: Do not modify these initialization file because your changes will get overwritten when you
set or modify the corresponding property, for example during activation or in the Launchpad.
NOTE: Be careful when modifying the SIU.ini file because your changes could render eIUM
inoperable. You should not modify the lines indicated at the top of the file.
You may find it useful to copy the SIU.ini file, modify your copy, and run eIUM commands with your
file using the -propertyFile command line option. See the eIUM Command Reference for details on
commands and this option.
This file can be customized to control behavior of all eIUM components on the system, such as the
default logging level. Additionally, other property files can be created and used when running eIUM
components by specifying the -propertyFile command line option. This causes the component to use
any properties defined in the file rather than those defined in the default property file. Options
specified on the command line have precedence over properties defined in property files.
Check that this file has valid property values and is readable by all eIUM components. The most
critical property in the file is the IORURL, which all collector components use when making requests
to the configuration server. See "Check the IOR URL and the IOR" (on page 208). Other important
values are the BINROOT, VARROOT, and CFGROOT properties, which should never be changed once
the product has been installed. See also "Product Root Directories" (on page 230).
Edit Start-up Properties. You can view but do not modify these parameters in the file typically at
C:\SIU\SIUJava.ini on Windows and /etc/opt/SIU/SIUJava.ini on UNIX.
CAUTION: Do not modify the SIUJava.ini file because your changes will get overwritten.
You can also use the-echo option on other eIUM commands, for example:
launchpad -echo
These commands display the Java command used when starting processes from the command line.
The output should look something like the following on Windows:
Java options:
-Xbootclasspath/p:C:\SIU/lib/jacorb.jar -Xms8m -Xmx120m
-Djava.class.path=C:\SIU/lib/patches;C:\SIU\lib\patches\IUM45FP04.jar;
C:\SIU\lib\commons-cli-
1.0.jar;C:\SIU\lib\JainSipApi1.1.jar;C:\SIU\lib\nist-sip-
1.2.jar;C:\SIU/-
lib/siuloader.jar;C:\SIU/lib/siuutils.jar;C:\SIU/lib/siucolls.jar;
C:\SIU/lib/-
siuaudit.jar;C:\SIU/lib/siucfg.jar;C:\SIU/lib/siugui.jar;C:\SIU/lib/
siu-
tools.jar;C:\SIU/lib/siuagent.jar;C:\SIU/lib/siudiag.jar;C:\SIU/lib/
siu-
ses-
sion.jar;C:\SIU/lib/siusecurity.jar;C:\SIU/lib/mysqlDriver.jar;C:\SIU/lib/
Federation.jar;C:\SIU/lib/jce.jar;C:\SIU/lib/commons-net-
1.0.0.jar;C:\SIU/lib/
jakarta-oro-2.0.6.jar;C:\SIU/lib/jakarta-regexp-
1.1.jar;C:\SIU/lib/dnsjava.jar;
C:\SIU/lib/jndi.jar;C:\SIU/lib/ldap.jar;C:\SIU/lib/ldapbp.jar;C:\SIU/li-
b/
providerutil.jar;C:\SIU/lib/OracleDriver.zip;C:\SIU/lib/xerces.jar;
C:\SIU/lib/jdom.jar;C:\SIU/lib/castor.jar;C:\SIU/lib/netgraph.jar;
C:\SIU/lib/jRegistryKey.jar;C:\SIU/lib/AdventNetSnmp.jar;C:\SIU/lib/
JimiProClasses.zip;C:\SIU/lib/ipdr.jar;C:\SIU/lib/msbase.jar;
C:\SIU/lib/mssqlserver.jar;C:\SIU/lib/msutil.jar;C:\SIU/jboss-3.2.1
/client/jbossall-client.jar;C:\SIU/jboss-3.2.1/client/jnp-client.jar;
C:\SIU/jboss-3.2.1/client/jboss-common-client.jar;C:\SIU/jboss-3.2.1/
client/jboss-system-client.jar;C:\SIU/jboss-3.2.1/client/jbossmq-
client.jar;
C:\SIU/jboss-3.2.1/client/concurrent.jar;C:\SIU/jboss-
3.2.1/client/log4j.jar;
C:\SIU/jboss-3.2.1/server/deploy/jboss-net.sar/jboss-net.jar;
C:\SIU/jboss-3.2.1/lib/jboss-jmx.jar;C:\SIU/jboss-3.2.1/lib/jboss-
system.jar;
C:\SIU/jboss-
3.2.1/client/jnet.jar;C:\SIU/lib/3rdparty/FieldsConcat.java_1.0.jar;
C:\SIU/lib/3rdparty/WriterExample.java_1.0.jar;C:\SIU/lib/3rdparty;.
-DSystemRoot=C:\WINDOWS -DSIUINI=C:\SIU\SIU.ini -DSIUHOME=
C:\SIU -Dcom.hp.pid=3772 -Dorg.omg.CORBA.ORBClass=org.jacorb.orb.ORB
-Dorg.omg.CORBA.ORBSingletonClass=org.jacorb.orb.ORB
The actual Java command used by the admin agent may be somewhat different.
When you install eIUM on Windows, the admin agent and MySQL database are registered as Windows
services so they run continuously in the background. Provided information includes what can be
useful in diagnosing and handling problems related to eIUM components running as Windows
services.
l Open the Services window from the Control Panel, Administrative Tools. You should see the
services SIU_AdminAgentServer and SIU_MySQL in the Services window, with the status
Started. The MySQL service name is typically of the form <SIU_INSTANCE_NAME>_MySQL, for
example, SIU_MySQL. The process name is mysqld.exe.
l If either service is registered but not running, try starting it manually.
l Next, open the Event Viewer from the Control Panel, Administrative tools. This displays the
Windows event log. Click on Application. You should messages for SIU_AdminAgentServer and
SIU_MySQL. If you double-click one of the messages, you should see that the service was
registered or started successfully.
l Run the Windows task manager and verify that the JVM process (java or jre) is running and
also that mysqld.exe is running. There should be one instance of a JVM for each eIUM component
running on that host.
Windows provides a service called the EventLog that can be used to log administrative messages.
This EventLog service is started whenever you boot Windows. The EventLog service logs messages
into three areas: Application, System and Security.
SIUNTService (called by the siusvc_*.bat scripts) logs information (blue icons), Warning (Yellow icons)
and Critical (red icons) messages into the Event Viewer's event log. These messages can be used for
debugging the service and to understand what went wrong, when there is a problem with the
service. SIUNTService logs its messages into the Application area of the Event Viewer's event logs.
Specific OS related failures are also logged into the System area of the Event viewer's event logs.
l Click on Start -> Programs -> Administrative Tools -> Event Viewer. This opens the Event Viewer
main window.
l To look at the application log messages, click on Log -> Application.
l To look at the system log messages, click on Log -> System
See the Event Viewer screen above for an example of the Windows Event Viewer window. When you
double click on any of the messages in the event log, it displays information about the messages.
Runtime Parameters
Environment
Variables Description
SIU_ADMINAGENT_ A value of 1 (one) automatically starts the host admin agent when the
START system is started.
SIU_MYSQL_START A value of 1 (one) automatically starts the MySQL database server when the
system is started.
The commands described above start and stop all eIUM daemons on UNIX. The following commands
start and stop these daemons individually (use /etc/init.d/SIU on Solaris).
OS Commands
Performance Problems
If usage data collection is too slow, see "Tuning for Performance" (on page 226).
When you purchased eIUM, you received a license file that is required for the eIUM software to run.
Without a valid license file, eIUM processes will not run. You specify the location of the license file
when you install eIUM. The location of your license file is also specified in the SIU.ini file, typically
located at C:\SIU on Windows and in /opt/SIU on UNIX.
Your eIUM license file will expire at the time specified in the license file. eIUM periodically checks
your license and writes several warning messages to your host log file well before the license
expires to give you plenty of time to renew your license. See the eIUM Installation Guide for how to
obtain and install a new eIUM license.
If your eIUM license expires, all eIUM processes and servers will eventually shut down. You will need
to obtain a new eIUM license from HP and reinstall it. See the eIUM Installation Guide for instructions
on obtaining and installing an eIUM license file.
l eIUM license expired - See "eIUM License Expired or About to Expire" (on page 218).
l Configuration Server IOR invalid - You can easily regenerate a new config server IOR file simply by
renaming the old IOR file and restarting the configuration server. The configuration server IOR
file is typically in C:\SIU\var\configserver\ConfigerServer.ior or in
This exception can occur when a collectors aggregation scheme has been changed to add or
remove attributes without creating a new scheme. At flush time, the attributes no longer match up
with the datastore and the exception is thrown.
To correct the problem, configure the collector to use a new scheme and restart it. Alternatively,
you can use the siucleanup command to remove the tables and their associated data from the
datastore.
13
00929 4:31:45 [ERROR] Plugin 'InnoDB' init function returned error.
00929 4:31:45 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE
failed.
00929 4:31:45 [ERROR] Unknown/unsupported table type: InnoDB
00929 4:31:45 [ERROR] Aborting
Such an error is due to permissions problems with user bin on UNIX, which must have read and
execution permissions for the /opt and /var/opt directories. See "Additional Log File Types" (on page
175) for more information on MySQL logs.
Security Issues
The following topics discuss security-related troubleshooting tips. For more information on installing
eIUM security, see the eIUM Installation Guide. For more information on the commands discussed in
this section, see the eIUM Command Reference.
An invalid command or command option was specified using -<option name syntax. In this case,
error messages of the following form are displayed:
C:\sbin\siu\SIU\bin>ldifgen -xyz
Command execution resulted in error: Unrecognized option: -xyz
See the log file for details.
The eIUM security tools save their log files under %VARROOT%/log. For example:
The log file will typically have a detailed exception log which can be useful for giving clues to what
went wrong, and for troubleshooting by the eIUM support team.
In this case, because the secserveractivate command was not executed, a property file the ldifgen
command requires was not generated. As a result, the tool assumes you are not running ldifgen on a
security server hosting node.
secactivate login was executed without executing init. eIUM security command line tools can handle
command options specified in any order. The commands are automatically ordered in the correct
sequence for execution. However, if a command option that is required to be executed prior to
another command option that was omitted on the command line, the tool can not process it. In this
case, the executed command option will fail with an error message. For the secactivate login
command to succeed, secactivate init must be executed before it.
secactivate login user thomson password secret
In this example, init will still succeed, even though init is specified after login. The tool does
automatically reorder the commands for execution. However:
secactivate login user thomson password secret
will fail if the init command was not executed beforehand. This is true because login is dependent on
files that are created by init.
In the above scenario, secactivate could not find the %VARROOT%/security-login.config file. Another
error follows:
C:\sbin\siu\SIU\bin>secserveractivate init -force -user edwards -
password secret -loginldapserver ldap://localhost:389
-lookupldapserver ldap://localhost:389 -layout
C:\sbin\siu\SIU\var\securityserver\conf\my-external-dir.properties
Command execution resulted in error : No directory layout properties
file specified.
Use -layout option to specify a layout file.
See the log file for details.
In this case, the specified custom directory layout file did not exist.
C:\sbin\siu\SIU\bin>secactivate init
[java.security.auth.login.config configuration] file :
[C:\sbin\siu\SIU\var/security-login.config] already exists and it was
not updated.
In the above command scenario, the configuration files were not overwritten since the -force option
was not used.
You might encounter several different error messages reported by the security server when there
are problems with the login module configuration information. Troubleshooting this can be more
challenging, since the actual error messages are most often generated by the LDAP server itself and
can be difficult to understand. The error message and the amount of details given can vary
depending on the LDAP server implementation used.
Some of the common scenarios with Microsoft Active Directory as the LDAP server used are:
The : HTTP/1.1 401 Unauthorized is a generic message that is shown whenever a login
operation with the eIUM security server fails. To learn the specifics of the error, open the
%VARROOT%/log/SecurityActivator.log file and find the cause exception message. For example:
06/26/2008 13:07:23.528 IST main (ConsoleApplication) ERROR: Command
execution resulted in error .javax.security.auth.login.LoginException:
HTTP/1.1 401 Unauthorized at
com.hp.usage.security.login.RemoteLoginException.newLoginException
(Unknown Source)
Caused by: com.hp.usage.security.login.RemoteLoginException:
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece
at
com.hp.usage.security.directory.DirectoryLoginModule.authenticate(Unknown
Source)
at com.hp.usage.security.login.BasicLoginModule.authenticate(Unknown
Source)
at com.hp.usage.security.login.BasicLoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
The 52e code corresponds to invalid user credentials. To solve this error, execute secserveractivate
again with appropriate user account lookup. The user information is stored in the
%VARROOT%/securityserver/conf/external-login.config file.
You might encounter several different error messages reported by the security server when there
are problems with the data contained in the file. This leads to a mismatch between what the
security server thinks is the layout and what is actually present in your LDAP server. Troubleshooting
this can be more challenging, since the actual error messages are most often generated by the
LDAP server itself and can be difficult to understand. The error message and the amount of details
given can vary depending on the LDAP server implementation used.
There are a few typical mistakes involved with the directory layout properties file, using Microsoft
Active Directory as the example LDAP server. This mainly concerns incorrect values for the
properties in external-dir.properties file, and results in symptoms that are similar wherein a user
does not exist situation. This occurs because the LDAP server cannot find existing information with
incorrect layout property values. Two example scenarios involved:
The : HTTP/1.1 401 Unauthorized is a generic message that is displayed whenever a login
operation with the eIUM security server fails. To learn the specifics of the error, open the
%VARROOT%/log/SecurityActivator.log and find the cause exception message:
Caused by: com.hp.usage.security.login.RemoteLoginException:
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 525, vece
From the Active Directory error codes, 525 user not found is already known. The behavior
explained above will repeat if you specify an incorrect context_pattern property value as well. For
example, the property value could incorrectly be specified to be:
com.hp.usage.security.directory.config.user_dn_pattern =
CN={User},CN=MyUsers,{RootContext}
Meanwhile (according to the current directory organization), the correct value should be:
com.hp.usage.security.directory.config.user_dn_pattern =
CN={User},CN=Users,{RootContext}
Again, the : HTTP/1.1 401 Unauthorized is a generic message that is shown whenever a
login operation with the eIUM security server fails. To learn the specifics of the error, open the
%VARROOT%/log/SecurityActivator.log and find the cause exception message.
Caused by: com.hp.usage.security.login.RemoteLoginException:
javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 525, vece
From the Active Directory error codes, 525 user not found is already known. In summary, the 525
error code can be a common symptom caused by any of the property errors. To solve this type of
problem, examine each of the property values in the external-dir.properties file against the actual
directory layout.
A short lifetime for tickets is used to prevent attackers from performing successful brute force
attacks or replay attacks. Since clock synchronization is vitally important in the security of the
Kerberos protocol, if times are not synchronized, Kerberos will report authentication errors. Clients
attempting to authenticate from a server with an inaccurate time setting will be rejected by the KDC
in authentication attempts, due to the time difference with the KDCs time. Consequently, you
should synchronize time on all the hosts with an NTP time server, so that servers using Kerberos
have their time automatically synchronized.
NOTE: You can also use the Operations Console to monitor statistics for a process. For more
information, see the Operations Console User's Guide.
Besides changing the JVM maximum heap size described here, there is an HP-UX imposed limit on
the amount of memory a process is allowed to take. The parameter is maxdsiz and it can be
changed using SAM. See "eIUM Host Heap Memory Requirement" (on page 228) for details.
To solve this problem, first decide what the new maximum heap size should be. The default
maximum heap size for a JVM is 120 MB, so you probably want at least twice this amount if your
collector needs more. Heap memory is usually part of virtual memory and can go up to the size of
the hard disk, but the value should not be larger than the amount of physical memory on the host.
To prevent paging, it is recommended that you set the heap size to approximately 70% the physical
memory size.
Consider that the number and size of aggregated NMEs is the major component to the unknown
heap size for the Java Virtual Machine. Thus, the necessary heap size is based on:
l The size of an NME (the number and types of attributes stored in the NME);
l The maximum number of aggregated NMEs before a flush;
l The concurrent flush policy (implies you need room for up to twice the maximum number of
aggregated NMEs);
l The TrafficTime set in the correlator (used to generate the query time range). This value controls
when and how the correlator flushes, which controls the number of aggregated NMEs retains
before a flush.
CAUTION: Do not modify the SIUJava.ini file directly as your changes will be overwritten.
To change Java start-up settings for all eIUM processes on a host, change host defaults as
described in "Changing Default Host Properties" (on page 96) and modify the JVMOPTS property.
Stop and restart all collectors and servers you want to use the new host defaults.
To change Java start-up settings for individual eIUM collectors or other eIUM processes, override the
host defaults as described in "Overriding Default Host Properties" (on page 99) and modify the
JVMOPTS property. Setting JVMOPTS to %DEFAULTS% means to use the host default values. Stop
and restart the collector that overrides the host default properties.
values should be set to 65536 for open files, and 16384 for maximum user processes. With the
default memory value, the central management server is able to handle about 100 configured
session servers or other eIUM servers. If you have more eIUM servers, increase the JVM heap size.
Every eIUM server requires about 3-5 MB additional heap space. The maximum heap size for the JVM
is defined using the -Xmx option (see also "JVM Maximum Heap Size" (on page 226)). To change this
value, start the Deployment Editor in the eIUM LaunchPad, select the Properties for the
ManagementServer, and change the number of MB defined in the -Xmx option.
NOTE: You can also use the "ulimit" shell command to view or modify current limits values. In
addition, the /etc/security/limits.conf file can be used to set limits for a particular user.
NOTE: The JVM settings for SIUJava.ini can differ if you are using the JRockit JVM. For more
information on JRockit parameters and migration from the Oracle JDK to JRockit, see:
http://download.oracle.com/docs/cd/E13150_01/jrockit_
jvm/jrockit/geninfo/diagnos/migrate.htm.
1. Stop the MySQL service (from the Windows Services panel or run /sbin/init.d/SIU stop). This will
stop the host admin agent and collectors as well.
2. Open the my.ini file (in C:\SIU\mysql\my.ini for Windows, /var/opt/SIU/mysql/my.ini for UNIX
platforms) for editing.
3. Find the line starting with innodb_buffer_poolsize in the my.ini file. It should look something like
this:
# InnoDB, unlike MyISAM, uses a buffer pool to cache both indexes
and
# row data. The bigger you set this the less disk I/O is needed to
# access data in tables. On a dedicated database server you may set
this
# parameter up to 80% of the machine physical memory size. Do not
set it
# too large, though, because competition of the physical memory may
# cause paging in the operating system. Note that on 32bit systems
you
# might be limited to 2-3.5G of user level memory per process, so
do not
# set it too high.
innodb_buffer_pool_size=47M
4. Change the innodb_buffer_poolsize to the new value, save changes, and close the file.
5. Restart the MySQL service (and collectors) from the Windows Services panel or run
/sbin/init.d/SIU start. MySQL will reread the my.ini file and use the new values.
The maxdsiz configurable parameter must be at least the collector heap size (512 MB by default).
l <BINROOT> or %BINROOT% This is the main root directory for the product, typically C:\SIU on
Windows and /opt/SIU on UNIX. This directory is determined by you when you install eIUM.
l <CFGROOT> or %CFGROOT% This is the root directory for the product configuration files. For
example, it contains the SIU.ini property file. This is typically C:\SIU on Windows and /etc/opt/SIU
on UNIX.
l <VARROOT> or %VARROOT% This is the root directory for dynamic files that are expected to
change or grow as eIUM operates. This is typically C:\SIU\var on Windows and /var/opt/SIU on
UNIX. For example, most log files are stored in <VARROOT>/log, or C:\SIU\var\log on Windows or
/var/opt/SIU/log on UNIX.
Start-Up Properties
Whenever any eIUM process starts, it uses start-up properties defined either in the configuration
server under the /Properties configuration node or in the file SIU.ini located in the <BINROOT>
directory of each of your eIUM hosts.
When you use the Launchpad or the siucontrol command to start a process, the Launchpad and the
siucontrol command use the start-up properties stored in the configuration server. When you use
any other eIUM command to start a process, the command uses the start-up properties in the file
SIU.ini.
You can change some properties globally by editing the file SIU.ini. eIUM commands have a
command-line option, -propertyFile, to override this default and let you specify your own separate
SIU.ini file. This can be useful for troubleshooting. Finally, you can also override some properties with
command line options such as -iorURL. See the eIUM Command Reference for complete details on all
eIUM commands and options. See the SIU.ini file for the complete list of properties and a description
of each property.
NOTE: Be careful when changing any start-up properties as incorrect values can make your eIUM
deployment inoperable.
Property Precedence
Here is the precedence of start-up properties for each eIUM component, starting with the lowest
precedence properties:
1. eIUM default values defined in siuutils.jar (these cannot be modified by the user; they are the
lowest precedence).
2. Values found in the local files SIU.ini. A separate copy of this file resides on each eIUM host.
3. Values found in the file specified with -propertyFile command line option.
4. Specific values specified with command line arguments (highest precedence). For example, the
value specified with the -IORURL command line option would take precedence over the value
specified in the -propertyFile file or the local SIU.ini file.
Higher precedence values override lower precedence values.
This file contains an attribute-value mapping of all translation keys and strings used to translate
Operations Console screen labels into the local language. The ATTR_zh_CN.properties example file
(included in the same /i18n directory) contains the list of all currently existing keys. The ATTR_en_
US.properties only contains a subset, because the default eIUM language is English (when no
matching locale property file is found). However, the example ATTR_zh_CN.properties file serves as
a model for all the keys that need to be translated in order for the Operations Console to be set up
for the local language (described in "Operations Console Attribute-Value Mappings" (on page 233)).
The following guidelines should be adhered to when creating the properties file for another
language:
l All properties files must begin with ATTR and end with .properties. The naming rule format for
the properties file is:
ATRR_ + default language setting + _ + system's region + .properties
For example, ATTR_en_US.properties, ATTR_zh_CN.properties.
l In general, non-Latin character alphabetical strings should be converted to the Unicode string by
using the native2ascii command. For example:
$>native2ascii -encoding gb2312 ATTR_zh_CN.properties.i18n ATTR_zh_
CN.properties
l Users should be allowed to configure parameters in the properties file. For example, given the
following configuration:
message.employee.update.success=Successful update of Employee {0}
This configuration carries one parameter({0}) Likewise, extending this, the following
configuration:
.employee.update.success=Successful update of Employee {0} {1}
Product Names
Attribute Value
Date/Time Format
Attribute Value
i18n.Date.format MMM/dd/yyyy
i18n.Time.format HH:mm:ss
i18n.start Start
i18n.stop Stop
Attribute Value
i18n.cleanup Clean Up
Process Detail
Attribute Value
i18n.process.statistics Statistics
i18n.process.history History
i18n.process.properties Properties
i18n.data.flow.map Data Flow Map (corresponds both for the Dashboard and for the
corresponding tab when viewing a group)
Tree Menu
Attribute Value
i18n.bygroup By Group
i18n.byhost By Host
i18n.all All
i18n.general General
i18n.operations Operations
i18n.history History
i18n.properties Properties
i18n.processes Processes
i18n.page Page
i18n.of of
i18n.row.per.page Rows/Page
Process Information
Attribute Value
Group Management
Attribute Value
i18n.group.cancel Cancel
i18n.group.create Create
i18n.group.remove Remove
View Group
Attribute Value
Create Group
Attribute Value
Edit Group
Attribute Value
Remove Group
Attribute Value
i18n.group.total Total
i18n.group.description Description
i18n.group.running Running
i18n.group.stopped Stopped
i18n.group.crashed Crashed
i18n.group.alarmed Alarmed
i18n.process.select Select
i18n.process.name Name
i18n.process.state State
i18n.process.host Host
i18n.process.type Type
i18n.process.warn Warn
i18n.process.err Err
i18n.process.crit Crit
i18n.nodata.symbol --
Attribute Value
i18n.parameter Parameter
i18n.meter Meter
i18n.message Message
i18n.date Date
i18n.level Level
i18n.msgid Msg ID
i18n.thread Thread
i18n.value Value
i18n.CmQt.StatTbl.Rq.Revd TotalRequestsReceived
i18n.CmQt.StatTbl.Rp.Sent TotalResponsesSent
i18n.CmQt.StatTbl.Rq.Sent TotalRequestsSent
i18n.CmQt.StatTbl.Rp.Revd TotalResponsesReceived
i18n.head.mainpage.dash Dash
i18n.head.mainpage.admin Admin
i18n.head.exit Exit
i18n.head.help Help
i18n.head.back Back
i18n.head.forward Forward
Status States
Attribute Value
i18n.start Starting...
i18n.stop Stopping...
i18n.cleanup Cleaning...
i18n.running Running:
i18n.stopped Stopped:
i18n.crashed Crashed:
i18n.alarmed Alarmed:
i18n.unknown Unknown:
i18n.total Total:
i18n.running Running
i18n.stopped Stopped
i18n.crashed Crashed
i18n.alarmed Alarmed
i18n.unknown Unknown
i18n.collector.scheme Scheme
i18n.collector.target Target
i18n.collector.format Format
i18n.fds.time Time
i18n.collector.inputs.tbl Inputs
i18n.collector.outputs.tbl Outputs
i18n.fcs.collection.jobs Collection
Jobs
i18n.fcs.collection.activity File
Collection
Activity
i18n.fcs.collection.count File
Collection
Count
i18n.fcs.collection.detail File
Collection
Details
i18n.fds.map.src.destination Sources
Destination
Mapping
i18n.cm.connectors Connectors
Attribute Value
i18n.preloginpanel.connecting Connecting...
Attribute Value
i18n.preloginpanel.cancel Cancel
Text Descriptions
Attribute Value
i18n.eventpanel.title.description This panel will show a table of recent server events. Any
Attribute Value
i18n.operationpanel.setting.loglevel Change the log level of the process. DEBUG should not be
used in a production environment, as it will significantly
affect process performance
i18n.operationpanel.purge.oldstatistics Select this option if you want to purge all statistical history
data after the process restarts
i18n.logviewpanel.search Search:
i18n.logviewpanel.go Go
i18n.logviewpanel.clear Clear
i18n.propertypanel.title.description All properties of this process that are available from the
deployment are listed below. Check on the Show
Descriptions box to get a description of each property.
i18n.groupadmin.grouplist Select the group you wish to modify or delete from the table
below
i18n.editgroup.select_option1 Select the group you wish to modify or delete from the table
below.
i18n.editgroup.select_option2 Edit the type and description of the group, and then click Next
to continue. Click Cancel to return to the Group List view
Attribute Description
i18n.editgroup.select_option3 Select the processes to include in the group from the list below
i18n.removegroups.grouplist Select the group(s) you want to delete and click Remove.
i18n.creategroup.select.option1 Enter the type and description of the new group, and then click
Next to continue. Click Cancel to return to the Group List view.
i18n.machine.ipaddress IP Address:
i18n.machine.ostype OS Type:
i18n.machine.osversion OS Version:
i18n.machine.libraries libraries
i18n.machine.patches Patches
i18n.password Password:
i18n.login Login
NOTE: By default, the management server does not configure the HistoryService for long-term
history collection. Once it is configured (which must be done manually), then the management
service will start collecting statistics in the database by default. The Options Pane -> Tools ->
Management Options control panel in the Operations Console will only display if the
HistoryService is configured in the ManagementService (see below).
The license audit feature in eIUM (discussed in the next section) requires the management server to
collect statistics over a longer time range, to support license auditing. The management servers
internal statistics collection supports the collection of data over a few hours or up to one year. Using
an efficient persistency mechanism, and by aggregating data over intervals, the management
server can store several months worth of statistical data that will be available for clients (such as
the Operations Console) to display. Accordingly, a setting in the Operations Console allows an
administrator to control the collection activity in the management server, once the corresponding
HistoryService component has been configured. See the eIUM Component Reference for more
information on the ManagementService and HistoryService components.
Enabling this option activates history statistics collection in the Management server, while
deselecting it will disable collection. For more information on the Operations Console, see the
Operations Console online help or the Operations Console User Guide.
NOTE: This option will also only appear in the Operations Console interface if eIUM security is
disabled, or if the user viewing the Operations Console has the Administrator ReportAdmin role
applied. See "Setting up Users" (on page 111) and "Roles and Privileges Access" (on page 26) for
more information on managing user roles.
To generate the license audit activity log file, click Generate License Audit Report. The results of the
activity file generation are printed below.
This is a JAR-formatted file that contains ActivityLogGen.jar, derby.jar (Apache Derby, an ApacheDB
sub-project, which is an open-source relational database implemented entirely in Java), and a
collection of JAR files responsible for generating log files that can be tracked on the performance
logic (slf4j-api-1.5.6.jar, slf4j-log4j12-1.5.6.jar, log4j-1.2.15.jar).
Each file contains the contents of a database table, which are actually exported tables from the
JavaDB database (Derby). The HP representative can use the ActivityLogGen.jar executable to
generate reports based on the data in the file. By default, AcitivityLogGen.jar will generate a report
based on the entire set of processes in the activity log file. The activity log file is read in by
ActivityLogGen and then constructs a JavaDB database instance inside the running process. It takes
the content of the files to populate tables in the database, and effectively replicates the database
used in the management server. Once the database is replicated, you can also run SQL queries on
the tables to generate deployment activity reports.
NOTE: The data collected via the Operations Console Generate License Audit Report feature
(described above) will be used by HP auditors to generate reports.