evmlogger.conf(4)                                            evmlogger.conf(4)
NAME
evmlogger.conf - EVM logger configuration file
SYNOPSIS
DESCRIPTION
The file is the Event Manager (EVM) logger configuration file. This
file is read when the logger program, starts, and when reloads the con‐
figuration file.
When reloads the configuration file, it reconfigures itself by reading
its configuration file, again and updates its settings.
The EVM daemon starts the Event Manager (EVM) logger automatically at
startup. The EVM logger reads its configuration file to find a set of
definitions of event logs and forwarders. By default, the EVM logger
reads its configuration from the file. The command can override the
default configuration file by specifying a different file. See evmlog‐
ger(1M). If the logger's configuration file is changed while the log‐
ger is running, use the command to instruct the logger to reconfigure
itself.
The logger also reconfigures itself upon receipt of a SIGHUP signal.
The file is a text file that contains values used to configure the
event logger. The values direct the display, forwarding, or storage of
events. Any portion of a line from an unquoted number sign to the end
of line is a comment. Blank lines are ignored.
Any number of event logs and forwarders can be defined in a configura‐
tion file. The following keywords are recognized:
Introduces a group of keyword/value pairs, which define an event log.
Events that match the log's log_filter_spec are selected for
handling by this log.
The name of the event log.
The type of the log.
Specify either or If the log_path specifies a ter‐
minal device, such as the type is automatically set
to and cannot be forced to If the log_path speci‐
fies a file, the default type is Events are written
to formatted logs as single lines of text, and to
binary logs as raw EVM events.
The template used to format lines of text for a formatted
log.
If no template is specified, the event timestamp
and message are written. See the evmshow(1) man‐
page for the template syntax.
Path name of the log file.
If a log is a disk file, the logger creates the
file if necessary.
If the log name ends in the characters the logger
replaces that suffix with the current date in the
form yyyymmdd. A new file is started when the
first event is written to the log each day.
Specifies an alternate path to be used in cases where the
primary log
cannot be used.
If the log file specified by becomes unusable, the
logger switches to the alternate log file.
If the logger is writing to the alternate log, and
the error condition which caused the logger to
switch has been cleared, you can revert to the pri‐
mary log file by using the command.
The maximum size, in kilobytes, that the log file may reach.
If adding an event to the file would cause this
size to be exceeded, the logger begins a new file.
The logger adds the suffix to the name of the new
file. The n is a sequentially generated number.
Specifies the event selection filter.
Events passing this filter are selected for logging
to this event log; all others are ignored. See the
EvmFilter(5) manpage for a description of filter
syntax.
Modifies the current
log_filter_spec. See the description of and key‐
words in the subsection.
Modifies the current
log_filter_spec. See the description of and key‐
words in the subsection.
If this keyword is not specified, or if it is specified and
bool_par has a value of or (zero), the event log
handles events posted through the local daemon.
Because EVM currently supports only local connections,
this argument should not be set to TRUE.
The suppression facility minimizes resource waste by limiting
the number
of identical events appearing in the log. A
description of the event suppression group follows.
Before being written to the log, each incoming
event is matched against the suppression group's
supp_filter_spec. An event that passes the filter
is then compared with other events that have been
posted during the last minutes, ignoring the time‐
stamp, last_timestamp, PID, PPID, event-id and
repeat-count data items. If a matching event is
found, and at least instances of the event have
been written to the log during the the logger does
not log the event. Instead, the logger inserts or
updates the and data items in the last-logged
instance of the event. The suppression is indi‐
cated by the string appearing in the message text
when the event is displayed, where n is the
When an individual event becomes eligible for sup‐
pression, the suppression is canceled automatically
after four hours or after supp_period, whichever
is the greater amount of time. The individual
event is reinstated when the suppression conditions
occur again. Suppression is canceled automatically
when a change of logfile occurs.
Suppression directives are ignored for formatted
logs.
The following keywords are recognized in a suppres‐
sion group:
Events selected by this filter are eligible for
suppression
consideration. See EvmFilter(5) for the
filter syntax.
Modifies the current
supp_filter_spec. See the description of
the and keywords in the subsection.
Modifies the current
supp_filter_spec. See the description of
the and keywords in the subsection.
The period, in minutes, over which events are
counted for suppression consideration.
The number of instances of an event that are logged during
supp_period before suppression begins.
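The suppression rules above, modelled as an added Python example (not part of the original manpage and not the logger's code). It assumes events are dictionaries with times in minutes, that repeat_count holds the number of folded-in instances, and that the cancellation timer starts when suppression begins; the sample event names are constructed.

```python
# Data items the page says are ignored when two events are compared.
IGNORED = {"timestamp", "last_timestamp", "pid", "ppid", "event_id", "repeat_count"}
FOUR_HOURS = 240  # minutes


def identity(event):
    """Matching key: every data item except the ignored ones."""
    return tuple(sorted((k, v) for k, v in event.items() if k not in IGNORED))


def apply_suppression(events, period, threshold):
    """Return the records a binary log would hold for time-ordered events."""
    log, state = [], {}
    for ev in events:
        now = ev["timestamp"]
        st = state.setdefault(identity(ev), {"written": [], "since": None, "last": None})
        # Cancel an active suppression after max(four hours, period).
        if st["since"] is not None and now - st["since"] >= max(FOUR_HOURS, period):
            st["since"], st["written"] = None, []
        st["written"] = [t for t in st["written"] if now - t < period]
        if st["since"] is None and len(st["written"]) >= max(threshold, 1):
            st["since"] = now  # event becomes eligible for suppression
        if st["since"] is not None:
            # Not logged: fold into the last-logged instance instead.
            rec = st["last"]
            rec["repeat_count"] = rec.get("repeat_count", 0) + 1
            rec["last_timestamp"] = now
            continue
        rec = dict(ev)
        log.append(rec)
        st["written"].append(now)
        st["last"] = rec
    return log


def occurrences(log):
    """Events represented by the log, counting folded-in repeats."""
    return sum(1 + rec.get("repeat_count", 0) for rec in log)


# Constructed sample: the same event every 2 minutes for an hour, each
# from a different PID, followed by one unrelated event.
SAMPLE = [{"name": "sample.auth.fail", "user": "alice", "pid": 100 + i,
           "timestamp": 2 * i} for i in range(30)]
SAMPLE.append({"name": "sample.disk.full", "pid": 7, "timestamp": 61})

if __name__ == "__main__":
    log = apply_suppression(SAMPLE, period=30, threshold=3)
    print(len(SAMPLE), "posted,", len(log), "records,", occurrences(log), "represented")
```

With a period of 30 and a threshold of 3, the 31 sample events leave 4 records, and the PIDs and timestamps of the 27 suppressed instances cannot be recovered from the log. Counts taken from a suppressed log should therefore sum repeat_count rather than count records.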
Events meeting the filter specifications are to be forwarded using the
command specified.
A name used to identify the forwarding definition.
Event forwarding filter specification.
Events passing this filter are selected for for‐
warding as specified by the command . See the Evm‐
Filter(5) manpage for the filter syntax.
Modifies the current
forward_filter_spec. See the description of the
and keywords in the subsection.
Modifies the current
forward_filter_spec. See the description of the
and keywords in the subsection.
When an incoming event is selected for handling by this for‐
warder, and
the event is not eligible for suppression, the log‐
ger executes this command, piping the event into
the command's stream.
This keyword limits the number of events that can be queued
by a
forwarder while a previous event is being handled
by If the maximum number of events is already
queued when a new event arrives, the event is
ignored by this forwarder. If not specified, this
keyword has a default value of 100. If a value
greater than 1000 is specified, the logger automat‐
ically limits it to 1000.
See evmlogger(1M) for details of event queuing.
If this keyword is not specified, or if it is specified and
bool_par has a value of or (zero), the forwarder
handles events posted through the local daemon.
Because EVM currently supports only local connections,
this argument should not be set to TRUE.
Event suppression as applied to forwarding is similar to
event log
suppression. The difference is that event suppres‐
sion for forwarding limits the number of identical
events that are forwarded over the suppression
period. In this case, events which are eligible
for suppression are simply ignored by the for‐
warder. This feature reduces the chance of a large
volume of mail being sent during a period of high
event activity.
This keyword specifies the path of a directory tree that holds zero or
more secondary configuration files. The directory tree is
searched when the logger is started and each time its config‐
uration is reloaded.
Configuration file names must end with and must not begin
with a dot Files must be owned by or and their file permis‐
sions must restrict writing to owner or group. Symbolic
links and subdirectory hierarchies can be used to reference
configuration files that are physically located elsewhere.
After installing, removing or modifying a secondary configu‐
ration file, you must run the command to notify the logger of
the change and to request a configuration reload.
Any number of entries may be specified in the primary config‐
uration file, but is not a valid keyword in a secondary con‐
figuration file.
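A check for the naming, ownership and permission rules above, as an added Python example (not part of the original manpage or the EVM tools). The directory, suffix and permitted owner UIDs are parameters because this copy of the page does not show them, and the check matters because these files can define forwarders whose commands the logger executes.

```python
import os
import stat
import tempfile


def audit_configdir(root, suffix, allowed_uids):
    """Return (path, problem) pairs for files under root that break the rules."""
    findings, seen = [], set()
    # Follow symbolic links, which the page allows for referencing files
    # elsewhere, but remember real paths so a link cycle cannot loop forever.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:
            dirnames[:] = []
            continue
        seen.add(real)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if name.startswith(".") or not name.endswith(suffix):
                findings.append((path, "name not eligible"))
                continue
            try:
                st = os.stat(path)  # checks the link target, not the link
            except OSError:
                findings.append((path, "dangling link or unreadable"))
                continue
            if st.st_uid not in allowed_uids:
                findings.append((path, "owner uid %d not allowed" % st.st_uid))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "writable by others"))
    return findings


if __name__ == "__main__":
    # Constructed tree; ".conf" and the current uid stand in for the real
    # suffix and owners, which this copy of the page does not show.
    with tempfile.TemporaryDirectory() as top:
        for name, mode in (("ok.conf", 0o640), ("loose.conf", 0o666), (".x.conf", 0o600)):
            path = os.path.join(top, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for path, problem in audit_configdir(top, ".conf", {os.getuid()}):
            print(os.path.basename(path), "->", problem)
```

Because the check stats the link target, a symbolic link inside the tree that points at a world-writable file elsewhere is reported under the link's own path.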
The include and exclude Keywords
The and keywords can appear multiple times in an or specification,
allowing you to build and maintain a filter in simple single-line
increments. Each filter_element must be a valid filter string, con‐
forming to the syntax described in the EvmFilter(5) reference page.
The logger assembles a complete filter string by surrounding the ini‐
tial filter with parentheses and appending the filter_elements to it,
separating each with a logical (for or (for operator. For example:
The previous filter lines are equivalent to this more complex single
filter line:
The first line selects all events with a priority of 200 or greater,
the next modifies this by selecting all events from regardless of their
priorities, and the last line excludes all events regardless of their
priorities.
If you prefer, you can omit the command, and build the complete filter
string from and lines.
If no filter, include or exclude lines are supplied for an event log or
forwarder, it does not handle any events.
Keywords
Keywords may be entered in a case-insensitive manner. The allowable
strings and the minimum number of characters are shown in the following
table. A minimum of zero indicates that all characters are required.
Keyword Minimum
──────────────────────────
alternate 3
command 4
configdir 7
eventlog 0
exclude 3
explicit_target 4
filter 4
forward 4
include 3
logfile 3
maxqueue 4
maxsize 3
name 0
period 0
show_template 4
suppress 4
threshold 0
type 0
Notes
1. The logger only allows a single instance of each forwarding com‐
mand to execute at one time and queues any events that arrive
while an instance is already running. The forwarder ignores
events that arrive while the queue is full. To minimize the
chances of queuing or missing events, avoid using the forwarding
facility to run commands that may take significant time to exe‐
cute.
2. If you specify a forwarding command that may itself cause events
to be posted (for instance, mail commands may post syslog events
that are routed to EVM), the forwarding filter should explicitly
exclude those events. Otherwise, it is possible that an infinite
event loop will occur.
3. To allow your file to be used on or ported to other systems that
support EVM in the future, use the built-in macro instead of the
first two components of the name of any system event.
Using the built-in macro makes it unnecessary to change the file
if the other system uses a different event name prefix.
EXAMPLES
This example initiates the command with the following configuration:
Binary events are written to a file in the directory named where xxx is
the current year, month, and day. For example,
An alternate log path is specified in case of write failures to the
primary log path.
A new generation of the log is started automatically if the size
exceeds 256 KB.
All events with a priority of at least 200 are selected for logging.
Duplicate events are suppressed.
Events with a priority of at least 600 are displayed on the system con‐
sole as formatted events, showing the timestamp, the priority and the
event's message.
Events with a priority of at least 600 are also mailed to root.
A maximum of 20 events is queued for forwarding to root when an
instance of the forwarding command is already running.
FILES
Location of the EVM logger configuration file.
Default location of the secondary EVM logger configuration files.
SEE ALSO
Commands
evmget(1), evmshow(1), evmd(1M), evmlogger(1M), evmreload(1M).
Event Management
EVM(5).
EVM Events
EvmEvent(5).
Event Filter
EvmFilter(5).