4.3 Event logging - enterprise event log

 < Day Day Up > 

Event Logging or evlog is a set of tools that implements an enterprise-level event logging facility, according the POSIX draft standard. evlog stores event records in binary and uses two daemons: evlogd and evlogrmtd. The evlogd daemon is used to log the events, and evlogrmtd is for clients to send remote logs for the evlog server.

The evlog installable RPM is located inside the first CD1 in the directory suse/RPMS/ppc/.

  1. Install the evlog-1.5.3-36.rpm:

     #  rpm -i evlog-1.5.3-36.rpm  
  2. Create an empty file inside /var/log/evlog/ called eventlog:

     #  touch /var/log/evlog/eventlog  
  3. Start evlog services:

     #  /etc/init.d/evlog start  

    To enable forward kernel and system logs to the evlog:

     #  /sbin/slog_fwd  

The evlog command stores the files in the directory /var/log/evlog. Table 4-3 lists some of the commands you can use the query, modify or update evlog services and logs.

Table 4-3. The evlog commands


Utility to view logs example: evlview -m


Utility to configure logging daemon


Utility to manage facility registry


Utility for Event Generation, useful for testing and application; for example: # elvsend -f user -t 1 -m "testing"


Utility for Event Notification


If Linux is behaving strangely after enabling the forwarding of system log using the command /sbin/slog_fwd , you can disable it by using /sbin/slog_fwd -r or you can remove the file libevlsyslog.so.1 from /etc/ld.so.preload and run /sbin/ldconfig . This will remove the system logging forwarding service to evlog.

4.3.1 evlog in a centralized environment

The remote event consolidator , or evlogrmtd, is the daemon that evlog runs to accept incoming events from other hosts in the network. All the incoming events will be consolidated and stored into a single file for easy retrieval and searching. You optionally set filters to check for certain more alarming words like "crit", "emerg", "error" and others.

First, you need to configure the server to listen for incoming logs and to allow specific clients for access.

Server side

On the server side, perform these steps:

  1. Login as root and create a new evlogrmtd.conf file from the template available from /etc/evlog.d/evlogrmtd.conf.sample. Example 4-9 shows what should be inside the evlogrmt.conf file.

    Example 4-9. Sample of /etc/evlog.d/evlogrmt.conf file
     # evlogrmtd.conf file syntax Password=<cleartextpassword> TCPPort=12000 UDPPort=34000 
  2. Update /etc/evlog.d/evlhosts similar to what is shown in Example 4-10 for each client that you want evlog to receive events from. Each entry must have a resolvable hostname and also a unique identifier for each host. If you leave the identifier blank, it will be ignored by evlog.

    Example 4-10. Sample of /etc/evlog.d/evlhosts file
     #evlhosts file syntax    #    # hostid hostname    # ----------------    # 1   mylinuxbox    # 10.128 mylinuxbox2 100.79 lpar3 

    Change the permissions to read and write only for root.

     #  chmod 700 /etc/evlog.d/evlhosts  
  3. Restart the evlog daemon and check that the evlogrmtd daemon is running.

     #  /etc/init.d/evlog restart  #  ps -ef  grep evlogrmtd  

In the client side, you will need to configure it to send logs in the corresponding port that the server is listening on.

Client side

On the client side, perform these steps:

  1. Login in as root and go into the /etc/evlog.d/ directory.

  2. If you plan to use UDP, edit udp_rmtlog_be.conf to specify the IP address of the server and Port number; see Example 4-11.

    Example 4-11. udp_rmtlog_be.conf configuration file
     # udp_rmtlog_be.conf file syntax Remote Host= Port=34000 Disable=no 

    If you plan to use TCP, edit tcp_rmtlog_be.conf to specify the IP address of the server, Port number, Password and BufferLenInKbytes, as shown in Example 4-12.

    Example 4-12. tcp_rmtlog_be.conf
     # tcp_rmtlog_be.conf file syntax Remote Host= Password=<clear_textpassword_from_management_server> Port=12000 BufferLenInKbytes=128 Disable=no 
  3. Finally, test whether your management host can receive the logging message from the newly added client.

     #  evlsend -f user -t 1 -m testing from lpar3  

    You should see the following at the evlog management server:

     #  evlview -m  Oct 22 15:41:14 lpar8 tcp_rmtlog_be: plugin is disabled. Oct 22 15:41:14 lpar8 tcp_rmtlog_be: plugin unloaded. Oct 22 15:41:14 lpar8 udp_rmtlog_be: plugin is disabled. Oct 22 15:41:14 lpar8 udp_rmtlog_be: plugin unloaded. Oct 22 17:12:59 lpar8 evlogrmtd: This host is successfully authenticated. Oct 22 17:13:06 lpar3 testing from lpar3 
 < Day Day Up > 

Quintero - Deploying Linux on IBM E-Server Pseries Clusters
Quintero - Deploying Linux on IBM E-Server Pseries Clusters
Year: 2003
Pages: 108

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net