Event Logging, or evlog, is a set of tools that implements an enterprise-level event logging facility according to the POSIX draft standard. evlog stores event records in binary form and uses two daemons: evlogd and evlogrmtd. The evlogd daemon logs events, and evlogrmtd receives the logs that remote clients send to the evlog server. The evlog installable RPM is located on the first CD (CD1) in the directory suse/RPMS/ppc/.

1. Install the evlog-1.5.3-36.rpm:

      # rpm -i evlog-1.5.3-36.rpm

2. Create an empty file called eventlog inside /var/log/evlog/:

      # touch /var/log/evlog/eventlog

3. Start the evlog services:

      # /etc/init.d/evlog start

To enable forwarding of kernel and system logs to evlog:

      # /sbin/slog_fwd

The evlog command stores its files in the directory /var/log/evlog. Table 4-3 lists some of the commands you can use to query, modify or update evlog services and logs.

Table 4-3. The evlog commands

   evlview      Utility to view logs; for example: evlview -m
   evlconfig    Utility to configure the logging daemon
   evlfacility  Utility to manage the facility registry
   evlsend      Utility for event generation, useful for testing and for applications; for example: # evlsend -f user -t 1 -m "testing"
   evlnotify    Utility for event notification

Tip: If Linux behaves strangely after you enable forwarding of the system log with the command /sbin/slog_fwd, you can disable it with /sbin/slog_fwd -r, or you can remove the file libevlsyslog.so.1 from /etc/ld.so.preload and run /sbin/ldconfig. Either action removes the forwarding of system logging to evlog.

4.3.1 evlog in a centralized environment

The remote event consolidator, evlogrmtd, is the daemon that evlog runs to accept incoming events from other hosts on the network. All incoming events are consolidated and stored in a single file for easy retrieval and searching. You can optionally set filters that check for more alarming words such as "crit", "emerg" and "error". First, you need to configure the server to listen for incoming logs and to allow access to specific clients.

Server side

On the server side, perform these steps:
1. Log in as root and create a new evlogrmtd.conf file from the template available at /etc/evlog.d/evlogrmtd.conf.sample. Example 4-9 shows what the evlogrmtd.conf file should contain.

   Example 4-9. Sample /etc/evlog.d/evlogrmtd.conf file

      # evlogrmtd.conf file syntax
      Password=<cleartextpassword>
      TCPPort=12000
      UDPPort=34000

2. Update /etc/evlog.d/evlhosts, similar to what is shown in Example 4-10, with an entry for each client that you want evlog to receive events from. Each entry must have a resolvable hostname and a unique identifier for the host. If you leave the identifier blank, evlog ignores the entry.

   Example 4-10. Sample /etc/evlog.d/evlhosts file

      #evlhosts file syntax
      #
      # hostid hostname
      # ----------------
      # 1 mylinuxbox
      # 10.128 mylinuxbox2
      100.79 lpar3

   Change the permissions so that only root can read and write the file:

      # chmod 700 /etc/evlog.d/evlhosts

3. Restart the evlog daemon and check that the evlogrmtd daemon is running:

      # /etc/init.d/evlog restart
      # ps -ef | grep evlogrmtd

On the client side, you need to configure the client to send its logs to the port that the server is listening on.

Client side

On the client side, perform these steps:
1. Log in as root and go to the /etc/evlog.d/ directory.

2. If you plan to use UDP, edit udp_rmtlog_be.conf to specify the IP address of the server and the port number; see Example 4-11.

   Example 4-11. udp_rmtlog_be.conf configuration file

      # udp_rmtlog_be.conf file syntax
      Remote Host=192.168.100.84
      Port=34000
      Disable=no

   If you plan to use TCP, edit tcp_rmtlog_be.conf to specify the IP address of the server, the port number, the password and BufferLenInKbytes, as shown in Example 4-12.

   Example 4-12. tcp_rmtlog_be.conf

      # tcp_rmtlog_be.conf file syntax
      Remote Host=192.168.100.84
      Password=<clear_textpassword_from_management_server>
      Port=12000
      BufferLenInKbytes=128
      Disable=no

3. Finally, test whether your management host receives logging messages from the newly added client:

      # evlsend -f user -t 1 -m "testing from lpar3"

   You should see the following on the evlog management server:

      # evlview -m
      Oct 22 15:41:14 lpar8 tcp_rmtlog_be: plugin is disabled.
      Oct 22 15:41:14 lpar8 tcp_rmtlog_be: plugin unloaded.
      Oct 22 15:41:14 lpar8 udp_rmtlog_be: plugin is disabled.
      Oct 22 15:41:14 lpar8 udp_rmtlog_be: plugin unloaded.
      Oct 22 17:12:59 lpar8 evlogrmtd: This 192.168.100.79 host is successfully authenticated.
      Oct 22 17:13:06 lpar3 testing from lpar3
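The following is an added example, not code from the book or from the evlog project: a small Python checker that parses the evlhosts registry and the Key=Value configuration files shown in Examples 4-9 to 4-12, then cross-checks a server and client pair for the mismatches (port, password, placeholder left in place, no usable client entry) that make the final evlsend test fail silently. The sample file contents are constructed, and the password value, the function names and the private_to_root helper are assumptions of this example.

```python
import stat
# Constructed samples modelled on Examples 4-9, 4-10 and 4-12 (not real hosts).
SAMPLE_EVLHOSTS = """# hostid hostname
# 1 mylinuxbox
10.128 mylinuxbox2
100.79 lpar3
lpar4
"""
SAMPLE_SERVER = "Password=s3cret\nTCPPort=12000\nUDPPort=34000\n"
SAMPLE_CLIENT = "Remote Host=192.168.100.84\nPassword=s3cret\nPort=12000\nBufferLenInKbytes=128\nDisable=no\n"

def parse_evlhosts(text):
    """Return {hostid: hostname}; comments skipped, entries without an id dropped."""
    hosts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            hosts[fields[0]] = fields[1]
    return hosts

def parse_conf(text):
    """Parse Key=Value lines (evlogrmtd.conf, tcp_rmtlog_be.conf, udp_rmtlog_be.conf)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_pair(server, client, hosts, transport="tcp"):
    """Cross-check one client config against the server config; empty list = OK."""
    problems = []
    port_key = "TCPPort" if transport == "tcp" else "UDPPort"
    if server.get(port_key) != client.get("Port"):
        problems.append("%s port mismatch: server %s, client %s"
                        % (transport, server.get(port_key), client.get("Port")))
    if client.get("Disable", "no").lower() != "no":
        problems.append("client plugin is disabled")
    if transport == "tcp" and server.get("Password") != client.get("Password"):
        problems.append("TCP password differs between server and client")
    if server.get("Password", "").startswith("<"):
        problems.append("server Password is still the template placeholder")
    if not hosts:
        problems.append("evlhosts lists no usable client")
    return problems

def private_to_root(mode, uid):
    """True if root-owned with no group/other bits (the chmod 700 from step 2)."""
    return uid == 0 and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Because the TCP password is stored in cleartext on both sides, private_to_root is worth applying to evlogrmtd.conf and tcp_rmtlog_be.conf as well as to evlhosts.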