evlremote(1)

NAME

Configuration and setup of Remote Event Forwarding

DESCRIPTION

The 2 main components of remote event forwarding/logging
are:

The Event Consolidation Host
The event consolidation host is a collector for events logged by
multiple hosts in the network. It accepts events transmitted via
UDP or TCP, but will only log events from a particular host if its
hostname is stored in the /etc/evlog.d/evlhosts file.

Event Forwarding Plug-ins
Plug-ins register with the evlogd daemon to read events from the
evlogd "event stream" and provide alternative methods of processing
and logging events. 2 plug-ins are available for forwarding events:
udp_rmtlog_be, which transmits using UDP, and tcp_rmtlog_be, which
transmits using TCP.

SETTING-UP THE EVENT CONSOLIDATOR

The evlogrmtd daemon is installed when the main event logging
software is installed in user space. evlogrmtd
starts during bootup, opens the /etc/evlog.d/evlhosts
file, and if there are hosts listed, attempts to resolve
each of the hostnames to an IP address. If it is unable
to resolve any of the hosts, evlogrmtd exits; otherwise,
it continues to run waiting for remote hosts to send
events (UDP) or request a connection and send events
(TCP).

Follow these steps to configure the evlogrmtd...

(1) Log in as root

(2) Edit /etc/evlog.d/evlhosts to add an entry for each
host that you want the evlogrmtd to accept events from.
Each entry must specify host name, either simple name or
fqdn, and also a unique identifier for each host. This
identifier can be up to 2 bytes, but cannot be equal to 0
(it will be ignored).

The following are all valid entries:

(identifier) (hostname)
1 mylinuxbox
120.115 mylinuxbox2.foo.bar.com
0xabcd yourlinuxbox

Note that identifier is always specified first, followed
by one or more spaces, followed by the hostname.

(3) Copy /etc/evlog.d/evlogrmtd.conf.sample to
/etc/evlog.d/evlogrmtd and edit it. By default, it contains
the following:

Password=password
TCPPort=12000
UDPPort=34000

"Password" is used only by TCP clients to authenticate
remote hosts when attempting to connect. If all remote
hosts are using UDP, then Password is ignored.

"TCPPort" must match the TCP port used by remote hosts for
sending events to the event consolidator.

"UDPPort" must match the UDP port used by remote hosts for
sending events to the event consolidator.

Note that the evlogrmtd is capable of accepting events
simultaneously from different hosts using both UDP and
TCP. All of the hosts must be the same architecture.

(4) Restart the evlog subsystem

/etc/init.d/evlog restart

Note that evlogrmtd is only started if there is an
evlogrmt.conf file.

If evlogrmtd cannot resolve any of the hosts listed in
evlhosts, or there are no entries in /etc/evlog.d/evlhosts,
then the evlogrmtd will exit.
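
The checks implied by steps (2) and (3) can be run over the two files
before restarting. The following is an added example, not part of the
evlog package: the function names are hypothetical, and it assumes that
a dotted identifier such as 120.115 means two bytes (high.low) and that
lines starting with '#' are comments.

```python
def parse_id(tok):
    """Identifier as an int, or None if malformed (dotted = high.low, an assumption)."""
    try:
        if "." in tok:
            hi, lo = (int(p) for p in tok.split("."))
            return (hi << 8) | lo if 0 <= hi <= 255 and 0 <= lo <= 255 else None
        return int(tok, 0)  # decimal, or hex with a 0x prefix
    except ValueError:
        return None

def check_evlhosts(text):
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        parts = line.split()
        ident = parse_id(parts[0]) if len(parts) == 2 else None
        if len(parts) != 2:
            findings.append(f"evlhosts:{n}: expected '<identifier> <hostname>'")
        elif ident is None or not 0 < ident <= 0xFFFF:
            findings.append(f"evlhosts:{n}: identifier {parts[0]!r} must be non-zero and fit in 2 bytes")
        elif ident in seen:
            findings.append(f"evlhosts:{n}: identifier {parts[0]!r} already used on line {seen[ident]}")
        else:
            seen[ident] = n
    if not seen:
        findings.append("evlhosts: no usable entries, so evlogrmtd will exit")
    return findings

def check_conf(text):
    conf = dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    findings = []
    if conf.get("Password") == "password":
        findings.append("evlogrmtd.conf: Password is still the sample default")
    for key in ("TCPPort", "UDPPort"):
        value = conf.get(key, "")
        if not value.isdecimal() or not 0 < int(value) < 65536:
            findings.append(f"evlogrmtd.conf: {key}={value!r} is not a valid port")
    return findings

# Constructed sample input: the three valid entries shown above plus three bad ones.
SAMPLE_HOSTS = ("1 mylinuxbox\n120.115 mylinuxbox2.foo.bar.com\n0xabcd yourlinuxbox\n"
                "0 zerobox\n0x10000 bigbox\n1 dupbox\n")
SAMPLE_CONF = "Password=password\nTCPPort=12000\nUDPPort=34000\n"

if __name__ == "__main__":
    print("\n".join(check_evlhosts(SAMPLE_HOSTS) + check_conf(SAMPLE_CONF)))
```

To check a real host, pass the contents of /etc/evlog.d/evlhosts and of
the edited configuration file to the two functions; an empty result
means none of the conditions above were hit.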

SETTING-UP THE PLUG-INs

The udp_rmtlog_be and tcp_rmtlog_be plugins are included
in the evlog package.

Follow these steps to configure and start the plug-in...

(1) Log in as root.

(2) cd to /etc/evlog.d

(3) If you are using UDP, then edit udp_rmtlog_be.conf to
specify...

* IP address, or hostname, for the event consolidator

* Port number - should match the port number used by the
event consolidator

* Disable=no to send events using UDP

If you are using TCP, then edit tcp_rmtlog_be.conf to
specify...

* IP address, or hostname, for the event consolidator

* Port number - should match the port number used by the
event consolidator

* Disable=no to send events using TCP

* Password - must match password expected by the event
consolidator when the TCP connection is attempted.

(4) Restart the evlogd daemon to load the plugin...

/etc/init.d/evlog restart

If you do not want events to be logged to the local log
files, /var/evlog/eventlog and /var/evlog/privatelog, then
do the following...

* Edit /etc/init.d/evlog...

under "start()", add "-u" after /sbin/evlogd

* /etc/init.d/evlog restart

You may also want to delete start-up scripts under rc.d
for evlnotify, evlaction, and evlogrmt since they are only
useful if you are logging locally. Also, you may want to
delete /etc/cron.d/evlogmgr.cron.

(5) If this is the first host you've configured to transmit
events, it will be necessary to restart the evlog
subsystem as follows:

/etc/init.d/evlog start

FILES

/etc/evlog.d/evlhosts
evlogrmtd accepts events from these hosts
/etc/evlog.d/evlogrmtd.conf
evlogrmtd configuration file
/etc/evlog.d/udp_rmtlog_be.conf
UDP plug-in configuration file
/etc/evlog.d/tcp_rmtlog_be.conf
TCP plug-in configuration file