Cover V11, I07

Figure 1


Versatile Fault Management with Perl

Tim Shouldice

When I started working with "enterprise" fault management consoles, I was surprised by how limited they were in many areas. One of the biggest shortcomings is the difficulty of programming them to manage events based on the service hours of the device creating the fault. In the organizations in which I've worked, we had many 24x7 devices, such as public Web servers and routers. However, we also had many servers, such as internal database and file servers, with service hours of only 8am to 5pm, Monday to Friday. Our support staff continually dealt with alerts from these non-critical servers at night and on weekends.

Another limitation I found was that many of these consoles required a two-way network connection between the console and the various management systems in order to collect the fault events. This made it hard to implement the console for servers outside an internal network, such as public Web servers on a demilitarized zone (DMZ). In this article, I'll review fault management and its requirements, then I'll show how to build a complete solution using my favorite language -- Perl.

What Is a Fault Management System?

A vast array of monitoring tools is available for systems administrators. Some common ones include open source tools such as Scotty ( and Mon (, in-house monitoring scripts, and commercial products such as BMC Patrol, MKS Toolkit, and HP Openview. When a monitoring tool detects a fault, it usually sends an alert. Most of the tools can be configured or customized to send the alert to a fault management system. Many monitoring tools are capable of performing management activities on faults prior to issuing alerts, but the job of a dedicated fault management system is to manage alerts coming from either multiple monitoring tools or performing management actions that are not easily accomplished with the monitoring tool.

Fault management systems are usually centralized in such a way that all events from one monitoring system are sent to only one fault management system. However, many organizations have multiple fault management systems, each receiving events from different monitoring systems. This usually occurs where there is little benefit in integrating the separate fault management systems because the events managed by them are unlikely to ever need to be correlated (e.g., with one console managing an organization's mainframes and another managing the network and servers).

Commercial Fault Management Products

Vendors who sell multiple monitoring tools recognize the need for a dedicated fault management system. The need to automate monitoring and notification activities requires events from multiple sources to be properly managed and correlated. The big four are:

  • Tivoli Enterprise Console
  • BMC Enterprise Manager
  • CA Unicentre TNG
  • HP Openview

Although these products perform well, there will always be areas where they will not meet your organization's exact requirements. Additionally, they can be fairly expensive. However, there is an alternative.

A Perl Solution

One thing that makes these commercial products expensive is the user interface. The interface is used to display the events to operators and provide an interface for administrators to graphically create the processing rules. I think that a fault management system should have no interface of its own and that it should direct its output (such as notification or problem management systems) to other systems. I also find that no matter how flexible a graphical rule builder is meant to be, it is no substitute for the power of a real programming language. In the rest of this article, I will present a fault management system called fault_manager that is written in Perl (Listing 1). It performs all the essential functions of a robust fault management system.

Sending the Alerts

The first step in building the fault management system is to establish a standardized and reliable way to communicate the events from the various monitoring systems to the fault management system. I chose a direct and reliable route -- FTP. Each monitoring system is modified to call an external program when they have an event to communicate. This program then creates a text file and sends the text file to the fault management system using anonymous FTP.

This approach pushes the events from each monitoring system to the central fault management system, which provides a solution to moving events out of secured areas. I usually place the fault system on a dedicated server on a non-Internet routable portion of a DMZ. This allows the firewall to be configured to route the FTP events from all areas to the fault management server without any other risks to either the server or the managed hosts. Figure 1 illustrates this concept.

I usually use wu-ftpd ( as the anonymous FTP server. It has many security features over the standard FTP servers included with most versions of UNIX. The other benefit of using FTP as the communications mechanism is that wu-ftpd maintains detailed logs. If there is a question of whether an alert was sent or received by the fault management server, the xferlog can be consulted to verify transmissions.

I've modified all sorts of monitoring systems to FTP alerts using all types of languages. I first modify the alerting mechanism of the monitoring tool to create a text file that looks like this (examples are included in the source code):

Fault_Manager 1.0
Thu Feb  7 15:25:45 2002
Batch job #12 on server1 failed.
Each fault management system uses some type of standard format for their events. The format used by fault_manager and shown in the file above is as follows:

Fault_Manager 1.0 -- A check string to prevent erroneous files FTP'd into the directory from being processed

Thu Feb 7 15:25:45 2002 -- The date/time the event occurred

Alert_Class -- A high-level class given to the event (i.e., BATCH_JOB)

Alert_Instance -- A middle-level class given to an instance of the class (i.e., JOB#12)

Alert_Parameter -- The parameter of the instance (i.e., Job_Status)

Server1 -- The host/device on where the event occurred

Batch job #12 on server1 failed. -- A free-text description of the event

WARNING -- The severity of the event

Next, the script sends the file and looks like this:


use Net::FTP;

# Set initial variables

$FILENAME="/tmp/alert_file ";
$ftp=Net::FTP->new("$FTP_HOST") or warn "Couldn't connect to $FTP_HOST\n";
$ftp->login("$FTP_USER","$FTP_PASSWD") or warn "Couldn't login\n";
$ftp->put($FILENAME, $OUTFILE) or die "Couldn't put file\n";
$ftp->quit() or warn "Couldn't quit\n";
I use the Trap Demon provided in the NET-SNMP toolkit ( to transmit an SNMP trap. I install the demon on the server where the traps are being sent, and then use the configuration file to specify trap handlers to hand off the trap to a shell script similar to the examples above. This will create and send an appropriate alert file from the trap.

I have written Patrol PSL code that works in conjunction with an external Perl program to transmit a BMC Patrol alert. The code can be found in the source code files. There is also an example of transmitting an event from a shell script in the source code files.

How fault_manager Works

The main routine of fault_manager is a loop that looks like this:

until($time_to_die) {
      opendir(DIR, $dir) or warn "Cannot open $dir\n";
      while (length($event) > 0) {
             if (($event ne ".") and ($event ne "..")) {
      sleep 10;
The key to how the program works is that after applying the rules to the event, it puts the event into a queue of open events. Then, it loops through this queue to perform any required notifications. The reasons for the queue are threefold:

1. After processing, each event is pushed onto the event queue. Each time the program runs through the queue, it checks the time and compares it against the service hours of the device to see whether the device is in its service-hour time period. If it is and it has not already been notified, then it gets notified. If it isn't, it remains on the queue and is rechecked each time through until the time reaches the start of the service-hour time period, at which point the event is notified. For example, an event from an 8-to-5 device could arrive on Friday night and sit on the queue until Monday morning at 9am, when it would enter the service-hour time period and get notified.

2. The queue is used by correlation rules. The correlation rules loop through the contents of the open event queue looking for correlating events. Because event correlation always occurs within a certain time window, the script is set to drop notified events from the queue after 30 minutes so that new events do not get correlated with old, unrelated events. Additionally, events cannot be kept on the queue indefinitely as the queue would continually grow in size. Another approach is to add time logic to the correlation rules and keep the events on the queue either for a longer period of time or keep a fixed number of events on the queue and drop each one off as a new one is put on. A queue of the last 100 events is adequate for most correlation rules.

3. Some monitoring systems send an event twice -- once when the parameter goes into alarm and then again when the parameter goes out of alarm. I call these types of events "normal" events. If a normal event arrives, the event queue is searched; and if the initial alarm event is found, then it is removed. This allows events to come in during non-service hours. Then, if a normal event comes in, the original event gets deleted and support staff will never receive an alert.

Be aware of some potential problems with this approach. If an event such as a filesystem alert goes away in the middle of the night, there is little support staff can do when the alert comes in at 9am in the morning. By removing the alert, staff is not bothered by nuisance events. However, it is very important to set appropriate warning thresholds so that when there is a problem, the event remains open.

On the other hand, some events may come and go, yet still be critically important. One example is a server that seems to be unavailable and then available again. If the problem was a network service outage, then it is appropriate that the normal event removes the down event. However, if the server was unavailable because it rebooted itself, this could be indicative of intermittent hardware failure and be something that support staff should know about. To solve this for one client, I implemented the Mon reboot alert (which has no corresponding "normal" event). So, if a server reboots in the middle of the night, the availability alerts cancel themselves out but the reboot alert remains open. For cases where servers are rebooted for maintenance and no alerts are desired, this is handled by stopping and restarting monitoring (which is covered in a later section).

In the fault_manager script, each event is put into a standard Perl array, and each element of the array is an attribute of the event. This is handled by the GetEvent() subroutine. After the event rules are processed by the ApplyRules() subroutine, the event gets pushed on the event queue by the PushOntoQueue() subroutine. The event queue is a two-dimensional array.

When the fault event first arrives, it is logged. After all the rules are applied and some events dropped, the event is logged again when it is notified. Reports on numbers of faults received vs. number of problems alerted can be of interest. In some cases, management may also want to see reports broken down by applications, instances, hosts, or some combination. If this is the case, the information should be logged in a database. The choice of database, along with the choice of reporting tool, depends on your organization's standards. If the logs are not going to be reported on, then the information is best logged into a simple text file. The code in fault_manager uses the Perl DBI interface to log to an ASCII text file, but it could be changed to use any of the databases supported by the DBI.

The event processing rules are each written as a subroutine in the main processing loop. Each rule has some standards. First, a previous rule may have indicated that the event should be dropped, which is done by setting the global variable $CONTINUE to "false". At the start of each subroutine, the rule should check for status of the $CONTINUE variable and process only if it is true. Second, each rule should log the results of its decision into a separate log called the Rule_Trace_Log, which is a text file containing the decisions of each rule acting on an event. This information is important when trying to determine why an event was processed in a certain way.

The process of rule tracing can write a large amount of information to the Rule_Trace_Log, so two flag variables are set up to govern whether the logging occurs. First, there is a global variable, $GLOBAL_RULE_TRACE, which will turn on rule trace logging within all rules. This variable is turned off by default. Second, each rule should have a local flag variable, $LOCAL_RULE_TRACE, which is turned on by default. After the rule is fully tested and debugged, this local trace flag could be turned off. If the event rule determines the event should be dropped, it sets the $CONTINUE flag to be false. When the section of code executes (which would push the event onto the notification queue), it will drop the event if the $CONTINUE flag is false. This flag is reset when the next event is read into the program.

Here is a sample rule that filters events based on their application. If the application is not in the configuration file, then the alert is dropped. This works as a preventive measure in case administrators accidentally turn on new alert types:

sub Check_Application() {
      my $LOCAL_RULE_TRACE=1;
      my $FOUND_FLAG=0;
      # Event filtering based on event class listed in a text configuration file
      # Check that the class is supposed to be alerted

      # Note there is no rule logging if the event is not dropped 
      # as this test is applied to all events and logging a 
      # negative result would not be informative
      if($CONTINUE) {
            open(CONF, "< $application_list_file") or warn \
                       "Cannot open $application_list_file: $!\n";
            foreach $line (@lines) {
                  if ($line eq $fault[$_fault_application]) {
            if (not $FOUND_FLAG) {
                  if(($GLOBAL_RULE_TRACE) or ($LOCAL_RULE_TRACE)) {
                        Log_Rule_Trace("Application $fault[$_fault_application] 
                                       is not in the list of applications, dropping alert.");
Event Notification and Problem Management Integration

Events can be notified in several ways. The three most common are paging, email, and integration with a problem management system. It is my belief that the fault management system should not provide a visual console where events are viewed by support staff. Once an event has been processed by a fault management system, then the result is a problem, and problems should be managed by a dedicated problem management system. These systems excel at things like logging activities as work on the problem progresses, allowing transfer of the problem to different groups, and escalating the problem if it is not quickly solved. These systems also have extensive reporting mechanisms. Most large IT support organizations revolve their operations around the problem management system. For small organizations without a problem management system, paging and emailing, along with reports from the logs, may be sufficient -- until management starts asking more questions.

Communicating the event to the problem system in some manner is necessary in order to integrate with a problem management system. Some problem systems can accept problem tickets via an SMTP interface, which works well even if the server is on a DMZ (see Figure 1). However, if the problem management integration requires a direct network connection, then the location of the event server could pose a problem. One way to solve the problem is to have the event notification write the problem information into another file in a separate directory on the event server. Then, you could have a Perl program running on the problem management server that connects to the event server via anonymous FTP every 15 or 30 seconds that gets these problem record files. This program would then initiate the connection to the problem management system to create the problem tickets. I've done this, and it works quite well.

Determining which system will handle the other forms of notification (paging and emails) is done when fault_manager integrates with a problem management system. Some problem management systems excel at this, others do not perform it at all. In some cases, the notifications are split with one system notifying some people or groups, and the other notifying other people or groups. We must also define which system will determine the support group to which the problem will be assigned. Some problem management systems are configured to do this automatically based on the host/device and type of problem. Others need the support group defined when the problem ticket is raised.

The notification actions can either be written into the fault_manager application or put in a separate script. I have put the notifications into a separate script, which helps provide some logical separation between the functions. This is completely arbitrary, and it could be argued that it's not worth shelling out to a separate process to achieve this separation.

The notification script that I've included provides a highly flexible way to map events to support groups. The details are included in the comments section of the script. Once the notification script looks up the group to notify, it always raises a problem ticket. Then, it pages and emails if the event is a FATAL-level event, and sends only email if it's a WARNING-level event.


The paging is done by shelling out to the qpage ( snpp (simple network paging protocol) client. Snpp is the best way to manage paging. The client makes the request and a dedicated snpp server handles the work of managing the modems, queuing requests for the modem, and handling retries. I recommend installing the snpp server and modem on the same system as fault_manager because if there is a network problem, the snpp request may not make it to another server, and there will be no notification.

The qpage client then uses its configuration file to look up the necessary pager service provider and pager pin number information. The configuration file can also page multiple people within the group, or page different people based on service hours. There is another excellent snpp client/server package, Quickpage (, which is written in Perl. Its client program is written in Perl and could be completely written inside the notification script, thus eliminating the need to shell out the snpp client. Note that Quickpage needs the group's pager number and PIN number passed on the command line. This information must be maintained in the notify.conf file along with other group information and looked up before a page is issued:

sub page {
      my $Group_Name = $_[0];
      my $msg = "$Host: $Event_Class alert on $Event_Instance";
      $return=system("/opt/bin/qpage -p $Group_Name $msg");
The emailing is done through Sendmail. If the fault_manager script is modified to run on NT, the Blat Sendmail-like program can be used. Some of my clients use MS Exchange or Lotus Notes as their internal email systems. In these cases, I configured a Sendmail alias for each group and have Sendmail forward the email to their Exchange or Notes SMTP email address:

sub email {
      # Subroutine to email - make sure path to your sendmail is correct!
      my $Group_Name = $_[0];
      my $msg="\"$Msg\"";
      my $to="$Group_Name";
      my $subject="$Host: $Event_Class alert on $Event_Instance";
      open(SENDMAIL, "|/usr/lib/sendmail -oi -t")
            or warn "Cannot fork for sendmail: $!\n";
print SENDMAIL <<"EOF";
From: Fault_manager
To: $to
Subject: $subject
      close(SENDMAIL) or warn "Sendmail didn't close nicely";
The problem management integration portion is specific to each organization and problem management system. I have written integration to the Remedy ARS system using the ARSPerl modules (, to the Peregrine ServiceCenter using the ServiceCenter SDK, and even to the mainframe-based INFOMAN system using FTP and the client's INFOMAN's batch API.

Setting Up the System

To get fault_manager set up and running in your environment, it is necessary to do the following:

1. Perform an analysis of your organization's monitoring requirements and support structure.

2. Configure your existing or new monitoring system(s) to send events via FTP in the form expected by fault_manager.

3. Install the fault_manager script in the directory of your choice.

4. Set the paths within the fault_manager script.

5. Modify existing rules to suit your environment, remove rules that don't, and write new ones as required.

6. If required, install the database for event logging and modify the logging subroutine accordingly.

7. Configure the notification script.

8. Install and configure qpage.

9. Write startup scripts to automatically start fault_manager.

10. Generate test alerts and view results and rule trace logs to ensure that everything is working as planned.

11. Write and test problem management system integration.

12. When everything is working properly, move into production.

Helper Scripts

During evenings and weekends, staff members make changes to the system as part of planned maintenance activities. During these activities, it is necessary to stop alerts from being falsely generated. The easiest way to do this is to leave the monitoring systems alone (i.e., let them go into alert) and configure the fault management system to drop the alerts. I have included a simple script that is executed by staff to disable monitoring. Staff members can log in to the fault manager server and execute monitoring_stop hostname. The script then adds the hostname to a configuration file. A rule reads this configuration file for each incoming event and drops the event if the host is in the file.

I think having staff members use this script is more effective than asking them to edit the configuration file itself. I ensure the script is in their path, so they don't need to know where either it or the configuration file is located. I also have the script send out an email to an administrator indicating that monitoring has been turned off. When the maintenance is done, staff members need to log in again and execute another script, monitoring_start hostname, to re-enable alerting.

If a staff member forgets to restart monitoring, then important events can get missed. To prevent this, I added a warning to the monitoring_stop script. I also wrote a small script run by cron each morning that emails out a list of hosts that have monitoring disabled. This helps catch anything missed:

# Get the host from the command line

$start=index($user, "(");
$end=index($user, ")");
$user=substr($user, $start+1, $end-$start-1);
if ($user eq 'root') {
      print "You cannot run this as root, su to yourself and try again...\n";
# Read in the existing file of stopped hosts
$host_list_file = '/opt/bin/alert/hosts.conf';
open(CONF, "< $host_list_file") or warn "Cannot open $host_list_file:$!\n";

# Check if the host is already stopped
foreach $line (@lines) {
      if ($line eq $host) {
            print "Monitoring already stopped for $host.\n";

# Add host to list and rewrite file
if (not $FOUND_FLAG) {
      push @lines, $host;
      open(CONF, "> $host_list_file") or warn "Cannot open $host_list_file for writing:!\n";
      foreach $line (@lines) {
            print CONF "$line\n";

      # Send email to notify that monitoring was stopped
      open(SENDMAIL, "|/usr/lib/sendmail -oi -t") or warn "Cant fork for sendmail: $!\n";
      print SENDMAIL <<"EOF";
From: Fault_manager
To: root
Subject: Monitoring stopped for $host
Monitoring has been stopped for $host by $user.
close(SENDMAIL) or warn "Sendmail didn't close nicely";
print "Mnitoring has now been stopped for $host, please remember \
       to restart monitoring when you are finished.\n";
I've also had cron run these scripts for those clients who say, "it's a 24x7 system, except for the 10-minute window each night between 3:40 and 3:50 when we reboot the system." To handle this, I use cron to turn monitoring off then back on immediately before and after the reboot.

Redundant and Fault-Tolerant System

In a large organization, a fault management system is a very important component of the infrastructure. Such as system should have some level of fault-tolerance and redundancy. From a fault-tolerance perspective, the system should be set up on fault-tolerant hardware. From a redundancy perspective, it is possible to set up a completely separate server running all the same programs (ideally located on a different part of the network). To make this work, the monitoring system's FTP script that sends the alerts to the fault management server needs to be modified. The script needs to detect the failure to make an FTP connection. When this happens, the script could attempt an FTP connection to the secondary server. The secondary server would then receive and process the event.

When the secondary system starts processing events, the event and rule trace logs will be spread across two systems. These will need to be later re-joined for comprehensive reporting. It is also important for both systems to contain exactly the same versions of the scripts and the configuration files. It is rare that the secondary server would be used, but a fully redundant system is quite simple to set up and administer.


The programs outlined in this article are in production for real clients, managing their environments 24 hours a day. For one client, I duplicated the functionality of their expensive name-brand system, and over a weekend replaced it with this system. At first, nobody noticed. Soon, management and support staff noticed when previously impossible things became possible and the number of nuisance events dropped. Later, the accountants noticed when they had a significantly lower software maintenance contract to sign.

In most large IT organizations, change seems to be the only constant thing. The fault management system is subject to ongoing changes as the support environment changes -- new procedures are added, support duties get split, new monitoring systems are implemented, and management makes new requests. It is good to know that your Perl solution is ready to handle any such future request.

Tim Shouldice is a computer consultant living in Ottawa, Canada. He specializes in designing and implementing monitoring, fault management, and performance management systems. He can be reached by email at: