Setting up event forwarding to Azure Log Analytics

You can configure Lenovo XClarity Administrator to forward specific events to Azure Log Analytics.

Procedure

Complete the following steps to create an event forwarder for Azure Log Analytics.

1. From the XClarity Administrator menu bar, click Monitoring > Event Forwarding. The Event Forwarding page is displayed.
2. Click the Event Forwarder tab.
3. Click the Create icon (). The General tab of New Event Forwarder dialog is displayed.
4. Select Azure Log Analytics as the event-forwarder type, and fill in the protocol-specific information:

   • Enter the name and optional description for the event forwarder.

   • Enter the primary key for the Azure Log Analytics interface.

   • Enter the time-out period (in seconds) for the request. Default is 30 seconds.

   • Optional: If authentication is required, select one of the following authentication types:

     • Basic. Authenticates to the specified server using the specified user ID and password.

     • None. No authentication is used.

5. Click Output Format to choose the output format of the event data to be forwarded. The information varies for each type of event forwarder.

   The following example output format is the default format for Azure Log Analytics recipients. All words between double square brackets are the variables that are replaced with actual values when an event is forwarded. The available variables for Azure Log Analytics recipients are listed in the Output Format dialog.

   {\"Msg\":\"[[EventMessage]]\",\"EventID\":\"[[EventID]]\",\"Serialnum\":
   \"[[EventSerialNumber]]\",\"SenderUUID\":\"[[EventSenderUUID]]\",\"Flags\":
   \"[[EventFlags]]\",\"Userid\":\"[[EventUserName]]\",\"LocalLogID\":
   \"[[EventLocalLogID]]\",\"DeviceName\":\"[[DeviceFullPathName]]\",\"SystemName\":
   \"[[SystemName]]\",\"Action\":\"[[EventAction]]\",\"FailFRUs\":
   \"[[EventFailFRUs]]\",\"Severity\":\"[[EventSeverity]]\",\"SourceID\":
   \"[[EventSourceUUID]]\",\"SourceLogSequence\":[[EventSourceLogSequenceNumber]],
   \"FailSNs\":\"[[EventFailSerialNumbers]]\",\"FailFRUUUIDs\":
   \"[[EventFailFRUUUIDs]]\",\"EventClass\":\"[[EventClass]]\",\"ComponentID\":
   \"[[EventComponentUUID]]\",\"Mtm\":\"[[EventMachineTypeModel]]\",\"MsgID\":
   \"[[EventMessageID]]\",\"SequenceNumber\":\"[[EventSequenceID]]\",\"TimeStamp\":
   \"[[EventTimeStamp]]\",\"Args\":[[EventMessageArguments]],\"Service\":
   \"[[EventService]]\",\"CommonEventID\":\"[[CommonEventID]]\",\"EventDate\":
   \"[[EventDate]]\",\"EventSource\":\"[[EventSource]]\",\"DeviceSerialNumber\":
   \"[[DeviceSerialNumber]]\",\"DeviceIPAddress\":\"[[DeviceIPAddress]]\",
   \"LXCA\":\"[[LXCA_IP]]\"}
   

   You can click Reset to defaults to change the output format back to the default fields.
6. Select Allow Excluded Events to prevent excluded events from being forwarded or clear Allow Excluded Events to forward excluded events. For more information, see Excluding events.
7. Select Enable this forwarder to activate event forwarding for this event forwarder.
8. Click Next to display the Devices tab.
9. Select the devices and groups that you want to monitor for this event forwarder.
   Tip

   To forward events for all managed devices (current and future), select the Match all systems checkbox.

   If you do not select the Match all systems checkbox, ensure that the selected devices do not have a DUMMY-UUID in the UUID column. A Dummy-UUID is assigned to devices that have not yet recovered after a restart or are not discovered completely by the management server. If you select a device with a Dummy-UUID, event forwarding works for this device until the moment when the device is fully discovered or recovered and the Dummy-UUID changes to its real UUID.

10. Click Next to display the Events tab.
11. Select the filters to use for this event forwarder.
    • Match by event category
      1. To forward all audit events regardless of the status level, select Include All Audit events.
      2. To forward all warranty events, select Include Warranty events.
      3. To forward all health-status-change events, select Include Status Change events.
      4. To forward all health-status-update events, select Include Status Update events.
      5. Select the event classes and serviceability level that you want to forward.
      6. Enter IDs for one or more events that you want to exclude from forwarding. Separate IDs by using a comma (for example, FQXHMEM0214I,FQXHMEM0214I).
    • Match by event code. Enter IDs for one or more events that you want to forward. Separate multiple IDs by using a comma.
    • Exclude by event category.
      1. To exclude all audit events regardless of the status level, select Exclude All Audit events.
      2. To exclude all warranty events, select Exclude Warranty events.
      3. To exclude all health-status-change events, select Exclude Status Change events.
      4. To exclude all health-status-update events, select Exclude Status Update events.
      5. Select the event classes and serviceability level that you want to exclude.
      6. Enter IDs for one or more events that you want to forward. Separate IDs by using a comma.
    • Exclude by event code. Enter IDs for one or more events that you want to exclude. Separate multiple IDs by using a comma.
12. Choose whether to include certain types of events.
    • Include All Audit events. Sends notifications about audit events, based on the selected event classes and severities.
    • Include Warranty events. Send notifications about warranties.
    • Include Status Change events. Sends notifications about changes in status.
    • Include Status Update events. Sent notifications about new alerts
    • Include Bulletin events. Sends notification about new bulletins.
13. Select the types of events and severities for which you want to be notified.
14. Select whether to filter events by serviceability.
15. Click Next to display the Scheduler tab.
16. Optional: Define the times and days when you want the specified events to be forwarded to this event forwarder. Only events that occur during the specified time slot are forwarded.

    If you do not create a schedule for the event forwarder, events are forwarded 24x7.

    1. Use the Scroll left icon () and Scroll right icon (), and Day, Week, and Month buttons to find the day and time that you want to start the schedule.
    2. Double-click the time slot to open the New Time Period dialog.
    3. Fill in the required information, including the date, start and end times, and whether the schedule is to be reoccurring.
    4. Click Create to save the schedule and close the dialog. The new schedule is added to the calendar.

    Tips

    • You can change the time slot by dragging the schedule entry to another time slot in the calendar.
    • You can change the duration by selecting the top or bottom of the schedule entry and dragging it to the new time in the calendar.
    • You can change the end time by selecting the bottom of the schedule entry and dragging it to the new time in the calendar.
    • You can change a schedule by double-clicking the schedule entry in the calendar and clicking Edit Entry.
    • You can view a summary of all schedule entries by selecting Show Scheduler Summary. The summary includes the time slot for each entry and which entries are repeatable.
    • You can delete a schedule entry from the calendar or scheduler summary by selecting the entry and clicking Delete Entry.
17. Click Create.

    The event forwarder is listed in the Event Forwarding table.

    
    
    
18. Select the new event forwarder, click Generate Test Event, and then verify that the events are forwarded correctly to the appropriate Azure Log Analytics server.