
###### ###### ###### ###### ######
# Example rules from an NT EVENTLOG instance showing the storing of events
# with a severity of 'Warning'. The stored events are then sent to a parent
# Enterprise Manager at 1 hour intervals.
# Events of severity 'Error' are sent immediately.
# These rules can be used if, for example, you are monitoring remote systems
# over an ISDN line. We are interested in 'Warning' events, but rather than
# bringing up the ISDN line every time an event arrives, they are stored and
# sent at a predefined time.
# Events of severity 'Error' need action immediately and are
# sent to the parent immediately.
###### ###### ###### ###### ######
# When starting, WideAwake scans the rules for all 'IF STARTING THEN' rules.
# This action creates an empty 'dictionary' called 'events'.
IF STARTING THEN
set (events, {})
# This rule matches events from the NT Eventlog with a severity of 'Warning' and
# stores them in the 'events' dictionary. A 'dictionary' holds 'KEY' and 'VALUE'
# pairs. Keys have to be unique, so we use the dummy 'log_call' function to
# return a unique number.
# The 'VALUE', the actual event, is stored with each key.
# The log(events) action just logs the whole 'events' dictionary to the
# Enterprise Manager log.
IF current_incident{ TYPE } MATCHES "Warning" THEN
log(("Matched event with a severity of",current_incident{TYPE}))
log_call(callno,current_incident)
set (events{*callno},current_incident)
log(events)
EXIT
# This rule matches NT Eventlog events with a severity of 'Error'. These are
# sent to the parent immediately.
IF current_incident{TYPE} MATCHES "Error" THEN
log(("Matched event with a severity of",current_incident{TYPE}))
send_to_parent (current_incident)
EXIT
# The 'EVERY ... THEN' rule sends the stored events to the parent every 60
# minutes. The set action then deletes all the stored events.
EVERY 60 MINUTES THEN
send_to_parent(events)
set(events,{})