Creating Event Subscriber CIM extensions

This topic describes how to extend IBM Director Event Subscriber Client to support additional CIM events.

Subtopics

Related topics

Related sample

Understanding Event Subscriber CIM extensions

The IBM Director Event Subscriber Client ships with a CIM event source library. This library can support multiple CIM queries simultaneously (acting as a temporary consumer to the CIM object manager for each query). Query information is provided via extension files that are loaded when the CIM event source library is loaded.

CIM extension discovery

When the Event Subscriber Client TWGESCLI.EXE is started, it loads and initializes the CIM event source library (ESCIM.DLL). This library, in turn, searches for CIM extension files. To be discovered by the CIM event source library, a CIM extension file must:

Creating a CIM extension file

A CIM extension file is a file that is loaded by the CIM event source library when the Event Subscriber Client is started.

To add a new CIM extension file, create a file in the bin subdirectory of Director, using the convention cim*.ini, where * is one or more alphanumeric characters that uniquely identify the file.

This file should contain a header section and one or more query sections. The format of each section is as follows:

[CIM]
This section is the header for the INI file. It contains the following keys:

locale (available with version 2.11 or later)
This optional keyword specifies the locale of this extension. If not specified, the default value of en is used.

group (available with version 2.11 or later)
This optional keyword specifies a group of related extension files that differ only by locale. If not specified, the value specified for name is used. This string is used internally as the second level qualifier for events; i.e. CIM.group.

name
The name of the CIM extension. This name is used externally as the second level qualifier for events; i.e. CIM.name.

sections
Comma separated list of one for more section headers which actually define the CIM queries.

[query]
One or more sections that define the CIM queries. Each section should contain the following keys:
name (available with version 2.11 or later)
This optional keyword specifies the locale specific name of this query section. If not specified, the value of the query section is used.

namespace
The CIM namespace.

language (optional, defaults to WQL)
The language of the CIM query. At this time, the only language supported by CIM is WQL.

query
The CIM query to execute.

severity
The severity of the CIM event. Valid values are:
  • FATAL
  • CRITICAL
  • MINOR
  • WARNING
  • HARMLESS
  • UNKNOWN

text
The message text of the event. The text can be either a literal or the name of a CIM event property. To specify a property name use an @ prefix followed by the event property name. For example:
text=@TargetInstance.Message
                
For literal values, the event text can contain substitution variables. The place holders for these values are specified using the format: %n, where n is a positive integer starting with 1. For example:
text=The %1 Service has started
                
The value of these substitution variables are defined using the variables and variable.n keywords.

variables
Specifies the number of substitutable variables that are defined for this query. Specify 0 if the message text is not a literal or contains no substitution variables.

variable.n
Defines one or more substitution variables for the message text. n is a positive integer whose value can range from 1 to the value specified on the variables keyword (inclusive). The value of each variable can be either a literal or the name of a CIM event property. To specify a property name use an @ prefix followed by the event property name. For example:
variable.1=@TargetInstance.DisplayName
                

Sample CIM extension file

[CIM]
locale=en
group=ntevt
name=Windows NT Event Log
sections=application, security, system

[application]
name=Application
namespace=\\.\ROOT\CIMV2 
query=SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA "Win32_NTLogEvent" AND TargetInstance.Logfile = "Application"
language=WQL
text=@TargetInstance.Message
severity=HARMLESS
variables=1
variable.1=Application

[security]
name=Security
namespace=\\.\ROOT\CIMV2 
query=SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA "Win32_NTLogEvent" AND TargetInstance.Logfile = "Security"
language=WQL
text=@TargetInstance.Message
severity=HARMLESS
variables=1
variable.1=Security

[system]
name=System
namespace=\\.\ROOT\CIMV2 
query=SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA "Win32_NTLogEvent" AND TargetInstance.Logfile = "System"
language=WQL
text=@TargetInstance.Message
severity=HARMLESS
variables=1
variable.1=System