February 20, 2009

Policy tracking

Overview:
NetBackup has a Policy Management utility to track and report when a policy is deleted, or when a schedule or client is removed.  This feature does not track policy modifications or when items are added to a policy.  However, it will track and report when a policy is deleted or when a schedule or a client is removed if the policy was previously inventoried and tracked using this feature.

To enable this feature, use the following procedure:

1. Create the following touchfile \NetBackup\LOG_CLASS_QUERIES

2. Set the Inventory flag with the following command:
Windows: \netbackup\bin\admincmd\bppllist -inventory
Unix: /install_path/netbackup/bin/admincmd/bppllist -inventory

3. Enable Inventory Tracking by executing bppllist -inventory via a script or system schedule.

Examples:
a. Create an end notify script to execute after a job or a session:
b. Create a scheduled process (Windows Scheduled Task or UNIX cron) to execute bppllist -inventory:

For manual policy inventory tracking, simply execute bppllist -inventory via a command line or via batch file.

4. Monitor the bperror log, All Log Entries, or Problems report for deleted policies, schedules and clients.  Along with the bperror report, inventory tracking will produce an Application Event Log record on Windows when a policy is deleted.
Example entry: Policy inventory found deleted policy Test

5. Periodically truncate the PolicyQueries.log.  This resides in the logs directory.  The user is responsible for the administration of the log file (periodic truncation, etc.).


Recommended best practices:
- Automate Inventory Tracking via a Windows Scheduled Task or Unix cron to execute bppllist -inventory at least once a day.
- Review the NetBackup Problems report daily via the bperror command or the All Log Entries report.  Records will appear here that indicate when policies, schedules or clients have been removed.


How it works:
After the touchfile is created and bppllist -inventory is executed, policy information is written into the classinv file.

Windows:
\netbackup\db\config\classinv

Unix:
/install_path/netbackup/db/config/classinv

Please note that the very first time that bppllist -inventory is executed, Inventory Tracking is not accomplished. Inventory Tracking takes place when bppllist -inventory is run a second time and thereafter.

As many as three new folders are created in NetBackup to facilitate this feature.  If they do not exist and are required, they may be created the first time that bppllist -inventory is run.

Windows:
\netbackup\db\cltmp
\netbackup\db\cltmp_internal
\netbackup\db\cltmp_template

Unix:
/install_path/netbackup/db/cltmp
/install_path/netbackup/db/cltmp_internal
/install_path/netbackup/db/cltmp_template

The feature also creates a new debug log called PolicyQueries.log:

Windows:
\netbackup\logs\PolicyQueries.log

Unix:
/install_path/netbackup/logs/PolicyQueries.log

Inventory tracking will report the loss of a policy, schedule or client. The classinv file and PolicyQueries.log are generated after the inventory flag is set and policy tracking is enabled.  After the initial inventory and subsequent inventory tracking commands have completed, the changes will be recorded in the bperror log.

Note: The more often inventory tracking is run and the bperror reports are reviewed, the less likely a deleted policy/schedule/client will go unnoticed for an extended period of time.  Please note that inventories that are run too frequently can have an adverse effect on performance, depending upon the NetBackup environment/configuration.


Output Examples:
Problems Report
10/16/2008 12:43:55   carpediem   carpediem   Error      0        General   Policy  inventory found deleted policy dummy
10/16/2008 12:51:58   carpediem   carpediem   Error      0        General   Policy  inventory found deleted client membrane for policy policy1234
10/16/2008 12:51:58   carpediem   carpediem   Error      0        General   Policy  inventory found deleted schedule full for policy policy1234
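
Added example (not part of the original note and not NetBackup code): a shell filter that a daily review job could run over Problems report text to pull out the inventory deletion records shown above and signal when any are present. The column layout is assumed from the sample output on this page; the function names and the fourth sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NetBackup code. Column layout is assumed from the
# Problems report sample on this page; function names are hypothetical.

# First three lines are the sample output from this page; the last line is
# constructed to show that unrelated problem entries are ignored.
SAMPLE_REPORT='10/16/2008 12:43:55   carpediem   carpediem   Error      0        General   Policy  inventory found deleted policy dummy
10/16/2008 12:51:58   carpediem   carpediem   Error      0        General   Policy  inventory found deleted client membrane for policy policy1234
10/16/2008 12:51:58   carpediem   carpediem   Error      0        General   Policy  inventory found deleted schedule full for policy policy1234
10/16/2008 13:02:11   carpediem   carpediem   Error      0        General   constructed unrelated entry'

# Reads report lines on stdin and prints one "date time|kind|name|policy"
# record per deletion event. The message is located by its wording rather
# than by a fixed column, so extra leading columns do not break the match.
deleted_policy_events() {
    awk '
    {
        for (i = 2; i + 3 <= NF; i++) {
            if ($(i-1) == "inventory" && $i == "found" && $(i+1) == "deleted") {
                kind = $(i+2); name = $(i+3); policy = name
                if (kind != "policy") {
                    # client and schedule entries name the owning policy
                    policy = (i + 6 <= NF && $(i+4) == "for" && $(i+5) == "policy") ? $(i+6) : "unknown"
                }
                printf "%s %s|%s|%s|%s\n", $1, $2, kind, name, policy
                break
            }
        }
    }'
}

# Returns 0 when the report is clean and 1 when deletions were found
# (events are printed on stdout), so a scheduled wrapper can alert on it.
check_policy_deletions() {
    events=$(deleted_policy_events)
    if [ -z "$events" ]; then
        return 0
    fi
    printf '%s\n' "$events"
    return 1
}

# Demo run on the embedded sample.
printf '%s\n' "$SAMPLE_REPORT" | check_policy_deletions ||
    echo "ALERT: policy inventory reported deletions"
```

In a scheduled job, the same functions would read the text of the Problems report instead of SAMPLE_REPORT.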


Troubleshooting:
Ensure that the dash is present when typing bppllist -inventory.  If the dash is not typed, an error will appear stating that the policy does not exist (Figure 1).

Figure 1
# ./bppllist inventory
the specified policy does not exist in the configuration database (230)