Enhanced Event Logging System
The Enhanced Event Logging System (EELS) provides an
infrastructure to centralize the logging, management and reporting of standard
UNIX logging systems such as syslog and the auditing sub-system. It does
this by channeling the various log sources through a driver and filtering mechanism
into a Relational Database Management System (RDBMS). This is illustrated
below.
[Figure: EELS overview]
The log sources that EELS channels to the RDBMS are customizable
via the EELS configuration file /etc/default/eels. For more
information see
eels_config(4eels).
Each log source is channeled separately through its own RTLSP process
and filtered according to the filtering rules specified in the EELS
configuration file. Any log messages that successfully pass through the
filter are passed on to the database abstraction layer that in turn writes
the message to the database. The abstraction layer provides a translation
layer that enables EELS to support more than a single type of
RDBMS. If you want to use an RDBMS other than
``mySQL'', you must write your own
abstraction layer. The source for the ``mySQL'' abstraction layer is
included in the EELS distribution (in
/etc/eels/src/eelsdba) to help you do this.
The figure below shows the EELS components used to collect and filter
the messages from the various log sources.
[Figure: Main EELS components]
As part of the EELS installation process, an EELS driver is
inserted into your UNIX kernel (this is why the kernel always needs to
be rebuilt after installation/de-installation). The driver is a
STREAMS module that intercepts messages that pass through
predefined routes, namely the routes taken by messages from the following
log sources:
auditing
    messages are copied to an EELS RTLSP if present
EELS user level API
    messages are routed via the RTLSP if present, otherwise the messages
    are discarded
EELS kernel level API
    messages are routed via the RTLSP if present, otherwise the messages
    are discarded
XDAS API
    messages are routed via the RTLSP if present, otherwise the messages
    are discarded
syslog and OSM (cmn_err)
    messages are passed directly from the EELS driver through a
    filter process onto the database abstraction layer for logging. Unlike other
    log sources, syslog and OSM do not pass through an
    RTLSP process.
Which RTLSPs are started is determined by the contents of the
EELS configuration file. The configuration file is read by
eelsd(1Meels),
which starts the specified RTLSP and filter module processes.
When incoming messages are detected, the relevant filter module applies
the filter rules specified in the EELS configuration file to the
contents of the messages. Any messages that meet the criteria
of the filter rules are passed to the RTLSP processes, which
log those messages in the database via the database abstraction layer.
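The mechanism just described (log source, filter rules from a configuration file, then a database abstraction layer that hides the RDBMS) can be seen end to end in the following small model. This is an added illustration, not EELS code: the syslog line format, the rule syntax (a program name plus a message regex), the Backend interface and the SQLite backend are all assumptions, and the sample log lines are constructed for the example.

```python
"""Toy model of the EELS pipeline:
   log source -> filter rules -> database abstraction layer -> RDBMS.

Added example, not part of EELS. The rule form, the Backend interface
and the SQLite store are assumptions made for illustration only.
"""
import re
import sqlite3
from dataclasses import dataclass

# Constructed sample syslog lines (not captured from a real system).
SAMPLE_SYSLOG = [
    "Jan 12 10:00:01 host1 sshd[2041]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 12 10:00:07 host1 sshd[2042]: Failed password for root from 10.0.0.9 port 51030 ssh2",
    "Jan 12 10:00:09 host1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 10:00:15 host1 sshd[2043]: Failed password for invalid user admin from 10.0.0.9 port 51031 ssh2",
    "this line is not syslog and is dropped by the parser",
]

# Assumed BSD-style syslog layout: timestamp host program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class Event:
    source: str
    timestamp: str
    host: str
    program: str
    message: str


def parse_syslog(line):
    """Turn one raw syslog line into an Event, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return Event("syslog", m["ts"], m["host"], m["prog"], m["msg"])


@dataclass
class FilterRule:
    """Assumed rule form: keep events from `program` whose message matches `pattern`."""
    program: str
    pattern: "re.Pattern"


def make_rule(program, pattern_text):
    return FilterRule(program, re.compile(pattern_text))


def passes(event, rules):
    """An event is kept if any rule in the configured set accepts it."""
    return any(event.program == r.program and r.pattern.search(event.message)
               for r in rules)


class Backend:
    """Abstraction layer interface (assumed): one method the pipeline calls."""
    def write(self, event):
        raise NotImplementedError


class SqliteBackend(Backend):
    """A concrete backend; a different RDBMS would replace only this class."""
    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS events "
            "(source TEXT, ts TEXT, host TEXT, program TEXT, message TEXT)")

    def write(self, e):
        # Parameterised insert: log text never becomes part of the SQL statement.
        self.conn.execute("INSERT INTO events VALUES (?,?,?,?,?)",
                          (e.source, e.timestamp, e.host, e.program, e.message))
        self.conn.commit()

    def messages(self):
        return [r[0] for r in self.conn.execute("SELECT message FROM events ORDER BY rowid")]


def run_pipeline(lines, rules, backend):
    """Parse, filter and store; returns the number of events logged."""
    accepted = 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is not None and passes(ev, rules):
            backend.write(ev)
            accepted += 1
    return accepted


def demo():
    """Keep only failed sshd logins; returns the stored messages in order."""
    rules = [make_rule("sshd", r"Failed password")]
    backend = SqliteBackend()
    run_pipeline(SAMPLE_SYSLOG, rules, backend)
    return backend.messages()


if __name__ == "__main__":
    for msg in demo():
        print(msg)
```

The point of the Backend split is the same as in EELS: the filter and the pipeline never touch SQL, so supporting another RDBMS means writing one more Backend subclass, not changing the filtering code.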
NOTE:
The EELS daemon is also responsible for various other features, such as
remote logging, dynamic log import and so on. These additional features are not
described in this overview as they are not essential to understanding the basic
EELS mechanism. All the features of the daemon are described in
``eelsd configuration file''.
EELS provides several tools that can be used to access the
EELS database. Some of these commands require special user
privileges, which are set up using the administrative command
eels_db_admin(1Meels).
The figure below shows each of the EELS commands and its
primary inputs and outputs.
[Figure: EELS commands]
The purpose and primary input and output of these commands are described below:
eels_db_admin
    Use this command to
    administer various aspects of the EELS database and its environment.
    The command's primary functions are to update the EELS database
    with new configuration data, and to display database information on screen.
    For more information see
    eels_db_admin(1Meels)
    and
    ``EELS administration''.
eels_db_query
    Use this command to query one or more
    EELS databases and display the results on screen. For more information
    see
    eels_db_query(1Meels)
    and
    ``Getting started with EELS''.
eels_log_archive
    Use this command to archive specified
    records from an EELS database to a specified archive file name. For
    more information see
    eels_log_archive(1Meels),
    ``Archiving EELS databases''
    and
    ``Archiving EELS database records''.
eels_log_import
    Use this command to
    import data from third party log files into an EELS database. Before
    you can import any data into a database, it must first be formatted in the way
    described in
    ``Importing external log files''.
    For more information see
    eels_log_import(1Meels).
eels_log_restore
    Use this command to restore data kept in an archive (created by
    eels_log_archive) back to a specified EELS database. For more
    information see
    eels_log_restore(1Meels)
    and
    ``Restoring EELS database records''.
eels_log_report
    Use this command to generate a report from a specified EELS database.
    The output is sent to the screen; however, the output is printer ready and as such
    can be piped directly through
    lp(1).
    For more information on this command see
    eels_log_report(1Meels).
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004