Event Logging, or evlog, is a set of tools that implements an enterprise-level event logging facility according to the POSIX draft standard. evlog stores event records in a binary format and uses two daemons: evlogd and evlogrmtd. The evlogd daemon logs the events on the local host; evlogrmtd (the remote event consolidator, see 4.3.1) accepts events that remote clients send to the evlog server.
The evlog installable RPM is on CD1, in the directory suse/RPMS/ppc/.
Install the evlog-1.5.3-36.rpm:
# rpm -i evlog-1.5.3-36.rpm
Create an empty file inside /var/log/evlog/ called eventlog:
# touch /var/log/evlog/eventlog
Start evlog services:
# /etc/init.d/evlog start
To forward kernel and system log (syslog) messages to evlog, enable syslog forwarding with /sbin/slog_fwd. It works by adding libevlsyslog.so.1 to /etc/ld.so.preload, so that messages logged through syslog are also delivered to evlog; the end of this section explains how to disable it again.
evlog stores its files in the directory /var/log/evlog. Table 4-3 lists some of the commands you can use to query, modify or update the evlog services and logs.
Table 4-3. The evlog commands
Command       Purpose
-------       -------
evlview       View logged events; for example: evlview -m
evlconfig     Configure the logging daemon
evlfacility   Manage the facility registry
evlsend       Generate events, useful for testing and for applications; for example: # evlsend -f user -t 1 -m "testing"
evlnotify     Set up event notification
If Linux behaves strangely after you enable system log forwarding with /sbin/slog_fwd, disable it with /sbin/slog_fwd -r, or remove the libevlsyslog.so.1 entry from /etc/ld.so.preload and run /sbin/ldconfig. Either action removes the forwarding of system log messages to evlog. Because a library listed in /etc/ld.so.preload is loaded into every dynamically linked process, the forwarding hook affects every program that calls syslog(), which is why a problem with it can show up system-wide rather than in a single service.
4.3.1 evlog in a centralized environment
The remote event consolidator, evlogrmtd, is the daemon that evlog runs to accept incoming events from other hosts on the network. All incoming events are consolidated and stored in a single file for easy retrieval and searching. You can optionally set filters that match the more alarming messages, such as those containing "crit", "emerg" or "error".
First, you need to configure the server to listen for incoming logs and to allow specific clients for access.
On the server side, perform these steps:
Log in as root and create /etc/evlog.d/evlogrmtd.conf from the template /etc/evlog.d/evlogrmtd.conf.sample. Example 4-9 shows the contents of the evlogrmtd.conf file. The password is stored in cleartext and is shared by every client that sends events over TCP, so choose a strong value and keep the file readable by root only.
Example 4-9. Sample /etc/evlog.d/evlogrmtd.conf file
# evlogrmtd.conf file syntax
Password=<cleartextpassword>
TCPPort=12000
UDPPort=34000
Update /etc/evlog.d/evlhosts, similar to what is shown in Example 4-10, with one entry for each client that you want evlog to receive events from. Each entry must have a resolvable hostname and a unique identifier for the host; an entry whose identifier is blank is ignored by evlog.
Example 4-10. Sample of /etc/evlog.d/evlhosts file
#evlhosts file syntax
#
# hostid   hostname
# ----------------
1          mylinuxbox
10.128     mylinuxbox2
100.79     lpar3
Change the permissions so that only root can read and write the file (mode 600; the execute bit is not needed on a data file). Protect /etc/evlog.d/evlogrmtd.conf the same way, since it holds the cleartext password.
# chmod 600 /etc/evlog.d/evlhosts
Restart evlog and check that the evlogrmtd daemon is running:
# /etc/init.d/evlog restart
# ps -ef | grep evlogrmtd
On the client side, you need to configure the host to send its events to the port on which the server is listening.
On the client side, perform these steps:
Log in as root and change to the /etc/evlog.d/ directory.
If you plan to use UDP, edit udp_rmtlog_be.conf to specify the IP address of the server and the port number; see Example 4-11.
Example 4-11. udp_rmtlog_be.conf configuration file
# udp_rmtlog_be.conf file syntax
Remote Host=192.168.100.84
Port=34000
Disable=no
If you plan to use TCP, edit tcp_rmtlog_be.conf to specify the IP address of the server, the port number, the password configured on the server and BufferLenInKbytes, as shown in Example 4-12. Because this file also holds the password in cleartext, make it readable by root only.
Example 4-12. tcp_rmtlog_be.conf
# tcp_rmtlog_be.conf file syntax
Remote Host=192.168.100.84
Password=<clear_textpassword_from_management_server>
Port=12000
BufferLenInKbytes=128
Disable=no
Finally, test whether the management host receives events from the newly added client by sending a test event from the client (the message contains spaces, so it must be quoted):
# evlsend -f user -t 1 -m "testing from lpar3"
You should see the following on the evlog management server. The earlier lines record the local remote-logging plugins being unloaded because they are disabled on the server itself; the last two lines show the client being authenticated by evlogrmtd, followed by the test event:
# evlview -m
Oct 22 15:41:14 lpar8 tcp_rmtlog_be: plugin is disabled.
Oct 22 15:41:14 lpar8 tcp_rmtlog_be: plugin unloaded.
Oct 22 15:41:14 lpar8 udp_rmtlog_be: plugin is disabled.
Oct 22 15:41:14 lpar8 udp_rmtlog_be: plugin unloaded.
Oct 22 17:12:59 lpar8 evlogrmtd: This 192.168.100.79 host is successfully authenticated.
Oct 22 17:13:06 lpar3 testing from lpar3