EVLVIEW(1)

NAME

evlview - View log events

SYNOPSIS

evlview --help

 OR

evlview [ input] [ output ] [ -f | --filter filter ]
 [ -b |  --templates ] [ -B | --notemplates ]


input    (defaults    to    /var/evlog/eventlog,   or   to
/var/evlog/privatelog with -p | --private):
 [ -n | --new ][ -T | --timeout nsec ][ -R | --recid rid ]
  OR
 [ -l | --log srclogfile] [ -t | --tail nrec ]
 [ -r | --reverse ]

output (defaults to stdout):
 [ -o | --out destlogfile ]
  OR
 [ -S | --formatstr format-string ] [ format_opts ]
  OR
 [ -F | --formatfile format-file ] [ format_opts ]
  OR
 [  -c  |  --compact  ]  [  -s  | --separator sep ] [ -q
--nmeqval ] [format_opts]
  OR
 [ -m | --syslog ]

format_opts:
 [ -N | --newlines n ] [ -d | --datefmt date-format ]

DESCRIPTION

The evlview utility lets you view events from an event log, view events in real time, or read records from an
event log and write the records to another file.

OPTIONS

-n, --new

Display only new events as they are logged. By
default, events are read from the entire event log
until the end of the log is reached. This option is
not valid when --log specifies an inactive log
file.

-T, --timeout nsec

Specifies the interval in seconds that the viewer
should wait for the next event to be generated. If
this interval passes with no new events, the viewer
terminates. The interval restarts with each new
event. By default, with the --new option, the
viewer runs until it is killed. This option is
valid only when the --new option is used.

-R, --recid rid

Valid only with --new. Before displaying new
records, display the end of the existing log,
starting with the first record whose ID is greater
than or equal to rid.

-l, --log srclogfile

Specifies the name of an alternate log file as the
source of events -- for example, the private log
/var/evlog/privatelog. Events read from the private log file can be read only by users with the appro
priate read permission. If this option is not
specified, events are read from the active system
log, /var/evlog/eventlog.

-p, --private

Equivalent to --log /var/evlog/privatelog.

-t, --tail nrec

Specifies that evlview should read the last nrec records in the event log file. If a filter is spec
ified, then the last nrec records are read that
match the filter.

-r, --reverse

Read events in reverse order, starting with the
most recently written event. Default is to read
starting with the oldest event in the event log.

-o, --out destlogfile

Specifies that event records should be appended to
the specified destlogfile instead of being dis played to stdout. This option is not valid with the
--formatstr, --formatfile, --compact, --separator, --datefmt, --newlines, --neqval, or --syslog options.

-S, --formatstr format-string

Specifies an alternative format for events that are
displayed (see Example 3).

For the fixed portion of the event record, members
are referenced by the attribute names defined in
the POSIX standard: recid, size, format,
event_type, facility, severity, uid, gid, pgrp,
time, flags, thread, and processor.

An additional attribute is available, host, which
displays the name of the host that logged the
event.

For log_format of STRING, %data% displays the vari able-length data as the data string.

For log_format of NODATA, %data% displays a NULL string.

For log_format of BINARY, %data% displays the vari able length data according to the associated for
matting template, if any, or in hex dump format
otherwise.

If log_format is BINARY and a formatting template exists for the event record, optional attributes in
the variable-length portion can be referenced by
attribute name as defined in the formatting tem
plate. However, the formatting string (if any)
specified in format-string is used instead of the formatting specification from the template.

If this option is not specified, then default
formatting is used. This option is not valid if
specified along with --out, --formatfile, --com pact, --separator, --neqval, or --syslog.

-F, --formatfile format-file

Performs the same actions as --formatstr, but the alternative format is read from format-file. This option is not valid if specified along with --out,
--formatstr, --compact, --separator, --neqval, or --syslog.

-c, --compact

Specifies that contents of the event record are
displayed in a compact form. In compact form, the
attribute names for attributes in the fixed portion
of the event record are not displayed, only the
values. This option cannot be used with --format str, --formatfile, --syslog, or --out.

-s, --separator sep

Specifies that the character string sep be used as
the separator between attributes displayed by the
viewer. The default separator is ",". The separa
tor string cannot exceed 20 characters. This
option is not valid with --formatstr, --formatfile, --syslog, or --out.

-N, --newlines n

When displaying records, ensures that there are
exactly n newlines between records. For example,
-N 2 gets you exactly 1 blank line between records.
n must be greater than zero. If a record ends in
more than n newlines, then an appropriate number of
those newlines will be omitted from the display.
If this option is omitted, evlview ensures that there is at least one newline between records.
This option is not valid with --out or --syslog.

-d, --datefmt dateformat

Format the log_time attribute according to the dateformat string, which is passed to the strf_ time(3) function. The default format is "%c".
This option is not valid with --out or --syslog.

-m, --syslog

Approximate the output format of the syslogd(8) daemon: for each record displayed, print the times
tamp, host name, and message. For multi-line mes
sages, BINARY-format events, and events formatted
by formatting templates, the output may not look
much like syslogd output. This option is not valid with the --out, --formatstr, --formatfile, --nmeq val, --compact, --separator, --datefmt, or --new lines options.

-q, --nmeqval

For records that have associated templates, display
the non-standard attributes in name=value format, one attribute per line. This option is not valid
with the --notemplates, --out, --formatstr, --for matfile, or --syslog options.

-f, --filter filter

Specifies a filter (query) expression. Only events
matching the filter are displayed. See the evl_ query man page for more information.

-b, --templates

Forces non-standard attribute names to be accepted
in the filter expression supplied with the --filter
option, as well as the format specified with the
--formatstr or --formatfile option. A "non-stan
dard" attribute is one defined via a formatting
template rather than in the fixed portion of the
event record. For a particular event, if the named
attribute does not exist, it will format as a null
string, and references to it in the filter expres
sion will evaluate to false.

-B, --notemplates

Specifies that the evlview command should not
attempt to locate formatting templates. By
default, evlview will attempt to use formatting
templates when displaying records.

-h, --help

Displays the usage statement.

EXAMPLES

Example 1.

evlview --filter 'facility==USER && data contains

"interface reset"'

might produce the following output (if there are 2
matching events in the log):

recid=7214, size=31, format=STRING, event_type=0x3,

facility=USER,
severity=ERR, uid=bill, gid=appdev, pid=2753,

pgrp=44,
time=Mon Jun 18 19:32:31 2001, flags=0x0,

thread=0x0, processor=1,
host=linux_host_1.foo.bar.com
Eth/0 interface reset by user

recid=8612, size=31, format=STRING, event_type=0x3,

facility=USER,
severity=ERR, uid=bill, gid=appdev, pid=2753,

pgrp=44,
time=Wed Jun 20 14:32:31 2001, flags=0x0,

thread=0x0, processor=1,
host=linux_host_1.foo.bar.com
Eth/1 interface reset by user

Note that the date and time format shown in the
examples is based on the LANG environment variable
not being set (or being set to "C"). For other
settings, the format will differ. For example:

$export LANG=es_MX (Spanish, Mexico)

might result in a display of:

lun 04 feb 2002 11:52:18 PST

Also, see Example 6 for additional date formatting

options.

Example 2.

evlview -f 'facility==LOCAL1 && data contains
"Eth/0 interface"' --compact -s !

might produce the following:

7214!31!STRING!0x3!LOCAL1!ERR!bill!appdev!2753!44!
Tue Jun 19 19:32:31 2001!0x0!0x0!1!lin

ux_host_1.foo.bar.com
Eth/0 interface reset by user

Example 3.

evlview -b -f 'facility==LOCAL1 &&

event_type==0x3115 && lun=0x3'
-S "Logical unit number is 0x%lun:x%0or facility

%facility%
and event type of %event_type:d% decimal,

%event_type% hex0

might produce the following:

Logical unit number is 0x3
for facility LOCAL1 and event type of 12565 deci

mal, 0x3115 hex

Note that the -b option allows the non-standard
attribute "lun" to be included with the -f (--fil ter) option.

Also, note that due to the length of the formatting
string, use of the --formatfile option would be preferable in practice instead of the -S or format str option.

Example 4.

evlview -f 'age < "2h"'

would display all events logged during the past 2
hours.

Example 5.

lastrid=`cat /var/evlog/bootrecid`
nextrid=`expr $lastrid + 1`
evlview -n -R $nextrid -f 'flags & printk'

--syslog >> /var/log/printks

would run continuously, appending to
/var/log/printks all messages logged by the ker nel's printk() function, starting with the first message after the current boot. The message format
is that of the syslogd daemon.

Example 6.

evlview -b -S "%time% %host% %facility% %severity%

%event_type%" --datefmt "%A %B %d %l:%M:%S %p"

might display the following:

Tuesday June 04 1:29:26 PM elm3b99 KERN NOTICE

0x2ffe11ac
Tuesday June 04 1:29:26 PM elm3b99 KERN ALERT

0x5818f89e
Tuesday June 04 1:29:26 PM elm3b99 LOGMGMT INFO

0x28

and demonstrates the use of the --datefmt option.

FILES

/var/evlog/eventlog

Standard Event log

/var/evlog/privatelog

Private log

SEE ALSO

evlquery man page Filter expression syntax rules
strftime(3) man page

NOTES

When evlview is interrupted by a log-maintenance operation (e.g., when evlogmgr runs), evlview waits until the opera tion completes and then picks up where it had left off.
This is intended to work even if the portion of the file
where evlview was reading is deleted during log mainte nance. If a timeout interval is specified with --timeout, and the timeout expires while evlview is waiting for com pletion of the log-maintenance operation, evlview termi nates with an error message.

6 December 2002 EVLVIEW(1)