evlog(1)
NAME
Introduction to Event Logging
DESCRIPTION
Event logging implements the proposed POSIX Standard Event Logging [C Language]. In this implementation, event records are stored in binary format. Binary records give you the ability to capture sophisticated event records, but they require you to use specialized commands to create, view and maintain event logs and event records. This man page describes the set of specialized commands and services that support event logging.
By default, event logging creates two logs:
- /var/evlog/eventlog
- Eventlog is the primary system log. It contains all event records that are publicly viewable.
- /var/evlog/privatelog
- Privatelog is a secondary system log that contains records you generally don't want to be publicly viewable. By default, only event records with a facility of AUTHPRIV are written to this log. However, events from other facilities can also be written to this log, as specified with the evlfacility command. Examples of private records are those associated with port connections for services running on a system.
In addition to letting you create and maintain logs, event logging provides you the ability to be notified when events of interest to you occur and lets you specify what actions you want to execute automatically in response to those events.
COMMANDS
- evlview(1)
- Lets you display event records from a POSIX-standard event log. evlview gives you many options for selecting what records you view and for designating what format to use in displaying those records.
- evlfacility(1)
- Lets you register and list facilities defined for a system. Facilities are simply the components of a system that issue event records. Facilities include the kernel, device drivers, services such as mail, cron and ftp, and user applications. Event log facilities include, but are not limited to, facilities defined for syslog. evlfacility ensures that facilities you register are uniquely identified across systems.
- evlnotify(1)
- Lets you register a description of those events for which you want to be automatically notified and lets you specify an action you want to have executed on your behalf when such events occur.
- evlconfig(1)
- Lets you change the configurable settings for event logging. Configurable settings include the count and time interval for removing duplicate records, a severity level to indicate which (if any) events you want displayed to the system console, and filters for screening out events you don't want written to the system log.
- evltc(1)
- Compiles formatting templates containing C-like structures used for parsing and displaying event data, for example by the evlview command.
- evlogmgr(1)
- Lets you perform log management on the event log, on the private log, or optionally, on a log file that you specify. You specify which events are to be deleted. The space freed by deleted events is reused for undeleted events (a process referred to as compaction) and the log file is truncated, thus reducing its overall size.
- evlsend(1)
- Lets you send event records from scripts or directly from a command line.
QUERIES
The commands evlview, evlnotify, evlconfig, and evlogmgr
let you specify a query or filter to describe the kinds of
events in which you are interested. For details of how to
specify queries, see evlquery(1).
DAEMONS
- /sbin/evlogd
- The event log daemon reads event records from facilities running in the kernel and in user space and writes those records to the appropriate local POSIX-standard log file. Additionally, plug-ins can be provided that register with evlogd to receive the event stream and provide alternative methods of processing and logging the events.
Two plug-ins are provided with the event logging package: the udp_rmtlog_be plug-in and the tcp_rmtlog_be plug-in, which forward events to a centralized event consolidation host using UDP and TCP, respectively.
- /sbin/evlogrmtd
- The remote event daemon receives event records from other hosts on the network that are transmitting with the udp_rmtlog_be or tcp_rmtlog_be plug-in and, if the source host is listed in the /etc/evlog.d/evlhosts file, passes the event record to evlogd. Otherwise, the event record is rejected and discarded by evlogrmtd.
- /sbin/evlnotifyd
- The event notification daemon accepts notification requests from client processes, reads event records as they are logged and signals client processes when registered events are logged.
- /sbin/evlactiond
- The event action daemon processes requests for action registered through the notification daemon and executes those actions on behalf of the requester.
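The following is an added illustration, not code from the evlog package, of the two policy decisions this page describes: the evlogrmtd rule that a remote record is passed on only if its source host is listed in /etc/evlog.d/evlhosts (DAEMONS section), and the evlogd rule that AUTHPRIV records, plus any other facility marked private with evlfacility, land in privatelog while everything else goes to eventlog (DESCRIPTION section). The evlhosts file format (one host per line, '#' comments), the Record fields, and all sample hosts and records are assumptions constructed for the example; the page does not describe the real file format or record layout.

```python
"""Toy model of the evlog record flow described in evlog(1).

Added illustration only; not evlog's own code. Assumed evlhosts format:
one trusted sender hostname per line, '#' starts a comment.
"""
from dataclasses import dataclass, field
from typing import Optional

EVENTLOG = "/var/evlog/eventlog"      # public log named in evlog(1)
PRIVATELOG = "/var/evlog/privatelog"  # private log named in evlog(1)


@dataclass
class Record:
    facility: str
    severity: str
    message: str
    # None means the record came from a local facility; otherwise it is the
    # hostname of the remote sender (what evlogrmtd checks against evlhosts).
    source_host: Optional[str] = None


@dataclass
class Router:
    allowed_hosts: frozenset
    # AUTHPRIV is private by default; further facilities can be added,
    # standing in for what evlfacility would register.
    private_facilities: frozenset = frozenset({"AUTHPRIV"})
    written: dict = field(default_factory=lambda: {EVENTLOG: [], PRIVATELOG: []})
    rejected: list = field(default_factory=list)

    def route(self, rec: Record) -> Optional[str]:
        """Return the log path the record was written to, or None if rejected."""
        # evlogrmtd step: a remote record from an unlisted host is discarded.
        if rec.source_host is not None and rec.source_host.lower() not in self.allowed_hosts:
            self.rejected.append(rec)
            return None
        # evlogd step: private facilities go to privatelog, the rest to eventlog.
        log = PRIVATELOG if rec.facility.upper() in self.private_facilities else EVENTLOG
        self.written[log].append(rec)
        return log


def parse_evlhosts(text: str) -> frozenset:
    """Parse the assumed evlhosts format into a lowercase hostname allowlist."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.add(line.lower())
    return frozenset(hosts)


# Constructed sample configuration and records (not real data).
SAMPLE_EVLHOSTS = """\
# evlhosts (assumed format: one trusted sender per line)
web01.example.test
db01.example.test   # database host
"""

SAMPLE_RECORDS = [
    Record("AUTHPRIV", "INFO", "session opened for user alice"),
    Record("MAIL", "NOTICE", "message queued"),
    Record("AUTHPRIV", "WARNING", "failed password for root", "web01.example.test"),
    Record("CRON", "INFO", "job started", "rogue.example.test"),
    Record("FTP", "INFO", "connection from 192.0.2.10", "db01.example.test"),
]


def run_sample(private_extra=("FTP",)):
    """Route the constructed records. FTP is treated as an extra private
    facility by default (the port-connection example from the page).
    Returns (counts per outcome, per-record destination list)."""
    router = Router(parse_evlhosts(SAMPLE_EVLHOSTS),
                    frozenset({"AUTHPRIV", *private_extra}))
    placed = [router.route(r) for r in SAMPLE_RECORDS]
    summary = {
        "eventlog": len(router.written[EVENTLOG]),
        "privatelog": len(router.written[PRIVATELOG]),
        "rejected": len(router.rejected),
    }
    return summary, placed


if __name__ == "__main__":
    summary, placed = run_sample()
    for rec, log in zip(SAMPLE_RECORDS, placed):
        print(f"{rec.facility:9} {rec.source_host or 'local':22} -> {log or 'REJECTED'}")
    print(summary)
```

Running the sample routes the two AUTHPRIV records and the FTP record from a listed host to privatelog, the local MAIL record to eventlog, and discards the CRON record from the unlisted host; passing private_extra=() shows the FTP record moving to eventlog, which is the difference a facility registration makes to what becomes publicly viewable.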