A few days ago I was working on an issue with Support, and we came up with a neat way of doing "things" based on what happens in the event log on a server. This article describes how you can use a Windows XP / Windows 2003 tool called eventtriggers to run a simple SQL script when a particular event is logged in the Symantec Enterprise Vault event log.
Event Triggers - what is it?
EventTriggers is a command-line utility built into Windows XP and Windows 2003. It can monitor an event log (or all event logs) for a particular event ID/category combination and then run a command (a script, for example) when that event appears.
The trigger I want
I want to run a bit of SQL every time the provisioning task completes. The provisioning task finishes by logging the following event:
Event Type: Information
Event Source: Enterprise Vault
Event Category: Exchange Provisioning Task
Event ID: 41104
Date: 15710/2009
Time: 16:29:14
User: N/A
Computer: EVSERVER01
Description:
The Exchange mailbox provisioning task has completed.
Task: Exchange Provisioning Task for home.local
Domain: ev.local
The bit of SQL I want to run is simply:
USE EnterpriseVaultDirectory
UPDATE ExchangeMailboxEntry set LegacyMbxDN=upper(LegacyMbxDN)
How to add the trigger
The best way to do this is to build up the process in parts. First of all, in many test labs (mine included) SQL is on the same server as EV, so the process is very straightforward: I just need to run the bit of SQL above, e.g.
eventtriggers /create /TR "SQL Upper Case" /l "Symantec Enterprise Vault" /eid 41104 /t Information /tk "c:\Tools\uppercase.cmd"
Uppercase.cmd contains:
CD "C:\Program Files\Microsoft SQL Server\90\Tools\Binn"
sqlcmd -i c:\uc.sql
uc.sql contains:
USE EnterpriseVaultDirectory
UPDATE ExchangeMailboxEntry set LegacyMbxDN=upper(LegacyMbxDN)
If the SQL server is remote, it's still pretty straightforward. We just use PsExec, the SysInternals (now Microsoft) tool, to run the SQL above remotely, as follows:
eventtriggers /create /TR "SQL Upper Case" /l "Symantec Enterprise Vault" /eid 41104 /t Information /tk "c:\Tools\uppercase.cmd"
C:\Tools\uppercase.cmd contains:
psexec \\SQL_Server_Name c:\uppercase.cmd
In this case the uppercase.cmd on the SQL server contains the same as above, as does uc.sql, but the files are on the SQL server in the c:\ folder (or anywhere else you want to put them).
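A more defensive uppercase.cmd for the remote case, as an added example that is not part of the original article: it calls sqlcmd by full path, connects to the remote server with -S and Windows authentication instead of going through PsExec, stops on SQL errors, and records failures in a log file and the Application event log. The log folder C:\Tools\Logs, the event source EVTriggerTask and the event IDs 901/902 are made-up names; it assumes uc.sql is in C:\Tools on the EV server and that the account the trigger runs under has a Windows login on the SQL Server with rights to update ExchangeMailboxEntry.

```batch
@echo off
rem uppercase.cmd - added example, not the article's original script.
rem Hypothetical names: C:\Tools\Logs, event source EVTriggerTask, IDs 901/902.
setlocal

set "SQLCMD_EXE=C:\Program Files\Microsoft SQL Server\90\Tools\Binn\sqlcmd.exe"
set "SQLSERVER=SQL_Server_Name"
set "SCRIPT=C:\Tools\uc.sql"
set "LOGDIR=C:\Tools\Logs"
set "LOG=%LOGDIR%\uppercase.log"

if not exist "%LOGDIR%" mkdir "%LOGDIR%"
rem Stop early if either file the trigger depends on has gone missing.
if not exist "%SQLCMD_EXE%" goto missing
if not exist "%SCRIPT%" goto missing

>>"%LOG%" echo [%DATE% %TIME%] trigger fired, running %SCRIPT% on %SQLSERVER%

rem -S target server, -E Windows authentication (no password stored on disk),
rem -b return a non-zero ERRORLEVEL when the SQL fails, -i input script.
"%SQLCMD_EXE%" -S "%SQLSERVER%" -E -b -i "%SCRIPT%" >>"%LOG%" 2>&1
if errorlevel 1 goto failed

>>"%LOG%" echo [%DATE% %TIME%] completed OK
exit /b 0

:missing
>>"%LOG%" echo [%DATE% %TIME%] sqlcmd.exe or %SCRIPT% not found
eventcreate /L APPLICATION /T ERROR /SO EVTriggerTask /ID 901 /D "uppercase.cmd: sqlcmd.exe or uc.sql not found" >nul
exit /b 2

:failed
>>"%LOG%" echo [%DATE% %TIME%] sqlcmd reported an error, see output above
eventcreate /L APPLICATION /T ERROR /SO EVTriggerTask /ID 902 /D "uppercase.cmd: sqlcmd failed, see %LOG%" >nul
exit /b 1
```

Because the trigger runs whatever is at the /tk path, restrict write access on C:\Tools to administrators so the script and uc.sql cannot be swapped by another account.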
How to test it
For this scenario you would simply run the provisioning task. Check that the 41104 event has been logged in the event log, and lastly check that the SQL has run by querying LegacyMbxDN in the ExchangeMailboxEntry table.
Summary
It should be possible to see from the example above that using Event Triggers in this way could be quite powerful. For example, when a particular event ID is logged you could perform a service restart, notify an administrator via email, and so on.
References
http://technet.microsoft.com/en-gb/sysinternals/bb897553.aspx
http://support.veritas.com/docs/335411
Thanks
Thanks go to Mark Barefoot and Benoit Lionnet for input into this article.

The performance counters on the EV server are also good for setting thresholds for journaling. You can set 2 thresholds, one for a warning size, say 15,000, and one for an emergency size, say 30,000, so if journaling gets backlogged you can hunt it down before it gets out of hand.
Journal Threshold Setup and Configuration
Journal Mailboxes have thresholds that have been set up so that when a Journal Mailbox goes over that threshold it will notify the monitoring team of warnings and critical alerts.
Setup
1. Under START/Programs/Administrative Tools/Performance open up the performance monitor.
2. Under Performance Logs and Alerts go to Alerts and right click. Create new alert.
3. New Alert Setting will come up. Give it a name, and hit OK.
4. Under the General Tab give the monitoring counter a comment.
Once the counter has been given a name you will need to add the Performance Object. Drop down the performance object until you get to EnterpriseVault::Exchange Journaling. Choose Inbox Total and the instance. Then click on “Add”. This will add the performance counter.
Give the Alert Status Over and Limit: 20,000 (or a number to key on a specific threshold). Make the Sample Data Every interval to 2 and the Units: to Minutes. Then check OK.
Event ID 2037 will show when the Alert has been started or restarted. This event will be monitored by the Monitoring Team on all the Journal Servers.
Event ID 2031 will be thrown in the Application Log if a threshold is broken. 2 thresholds will be set, a warning threshold and a critical threshold. They will look the same in the event log with the same event ID. The monitoring team will need to read the description and figure out if this is a warning or critical event by the counter value limits.

