PCM+ 3.2

Frequent Advisor

We have a new install of this software which is fully functional...

I would like to understand how the initial events appear in PCM and how to get them back after deletion!! ^_^

Basically we left it running and it picked up all our devices, and retrieved a load of historical information which had obviously been held on the switches...

We simply deleted this info from the events view of PCM... however the switches still seem to have the events in their event log... is this correct? How does PCM get all the historical events (I understand real-time traps via SNMP)...

And if so how can I get this back into PCM? I have attempted to delete and rediscover etc...

Also are things like alert counts etc... read from the device (And therefore lost on switch reboot?)...
Steve Britt
Respected Contributor

Re: PCM+ 3.2


PCM doesn't mine historical events, but it does generate events from incoming SNMP traps and it also scrapes syslog data from devices. What you see in terms of these tabs depends upon what context you've selected in the navigation tree on the left side of the PCM screen. If you select a specific device you will have a "Device Syslog" tab to view, plus an "Events" tab that shows only events attributed to the selected device. If you select a device group or the Devices node itself you will see an "Events" tab that contains all events associated with the devices under the selected node. Finally, selecting the "Network Management Home" node of the tree will show you the device events *and* events generated by PCM components too, such as policy firings. I mention this only so you can be sure you're mindful of the scope of events displayed at each node of the tree.

The other behavior you should be aware of is that PCM can keep only 500k events in its DB for scalability reasons. The others are archived to .zip files that you can view by selecting the "Archived Events" button on the "Events" tab; as far as I can tell the view that comes up is not tied to the selected node in the navigation tree. In the archived event view, you can see the events that have "phased out" of the 500k slots in the DB. Hopefully you will find your missing events here.

You can control how events are retained in the DB versus which are archived using the menu choice "Tools"->"Preferences" and clicking on the "Events" node. Here you can control the mix of event severities that are retained in the DB, can control the types of events that are archived (SNMP vs. PCM events), how many days old they can be until they're archived, and how large to let the archive store grow on disk.

If you have NIM running you may want to "tune" it a bit as it may be generating a lot of security events. You can add exemptions to its whitelist so that it doesn't flag suspicious traffic patterns to/from expected nodes like network management stations, DNS servers, printers, etc. A little time invested here can go a long way in terms of reducing "false positive" events that will run through your 500k DB slots pretty quickly.