source: branches/samba-3.3.x/docs/manpages/eventlogadm.8@ 368

'\" t
.\"     Title: eventlogadm
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 01/14/2010
.\"    Manual: System Administration tools
.\"    Source: Samba 3.3
.\"  Language: English
.\"
.TH "EVENTLOGADM" "8" "01/14/2010" "Samba 3\&.3" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
eventlogadm \- push records into the Samba event log store
.SH "SYNOPSIS"
.HP \w'\ 'u
eventlogadm [\fB\-d\fR] [\fB\-h\fR] \fB\-o\fR\ addsource\ \fIEVENTLOG\fR\ \fISOURCENAME\fR\ \fIMSGFILE\fR
.HP \w'\ 'u
eventlogadm [\fB\-d\fR] [\fB\-h\fR] \fB\-o\fR\ write\ \fIEVENTLOG\fR
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(1)
suite\&.
.PP
eventlogadm
is a filter that accepts formatted event log records on standard input and writes them to the Samba event log store\&. Windows client can then manipulate these record using the usual administration tools\&.
.SH "OPTIONS"
.PP
\fB\-d\fR
.RS 4
The
\-d
option causes
eventlogadm
to emit debugging information\&.
.RE
.PP
\fB\-o\fR addsource \fIEVENTLOG\fR \fISOURCENAME\fR \fIMSGFILE\fR
.RS 4
The
\-o addsource
option creates a new event log source\&.
.RE
.PP
\fB\-o\fR write \fIEVENTLOG\fR
.RS 4
The
\-o write
reads event log records from standard input and writes them to the Samba event log store named by EVENTLOG\&.
.RE
.PP
\fB\-h\fR
.RS 4
Print usage information\&.
.RE
.SH "EVENTLOG RECORD FORMAT"
.PP
For the write operation,
eventlogadm
expects to be able to read structured records from standard input\&. These records are a sequence of lines, with the record key and data separated by a colon character\&. Records are separated by at least one or more blank line\&.
.PP
The event log record field are:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

LEN
\- This field should be 0, since
eventlogadm
will calculate this value\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

RS1
\- This must be the value 1699505740\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

RCN
\- This field should be 0\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

TMG
\- The time the eventlog record was generated; format is the number of seconds since 00:00:00 January 1, 1970, UTC\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

TMW
\- The time the eventlog record was written; format is the number of seconds since 00:00:00 January 1, 1970, UTC\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

EID
\- The eventlog ID\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

ETP
\- The event type \-\- one of "INFO", "ERROR", "WARNING", "AUDIT SUCCESS" or "AUDIT FAILURE"\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

ECT
\- The event category; this depends on the message file\&. It is primarily used as a means of filtering in the eventlog viewer\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

RS2
\- This field should be 0\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

CRN
\- This field should be 0\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

USL
\- This field should be 0\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

SRC
\- This field contains the source name associated with the event log\&. If a message file is used with an event log, there will be a registry entry for associating this source name with a message file DLL\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

SRN
\- The name of the machine on which the eventlog was generated\&. This is typically the host name\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

STR
\- The text associated with the eventlog\&. There may be more than one string in a record\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}

DAT
\- This field should be left unset\&.
.SH "EXAMPLES"
.PP
An example of the record format accepted by
eventlogadm:
.sp
.if n \{\
.RS 4
.\}
.nf
        LEN: 0
        RS1: 1699505740
        RCN: 0
        TMG: 1128631322
        TMW: 1128631322
        EID: 1000
        ETP: INFO
        ECT: 0
        RS2: 0
        CRN: 0
        USL: 0
        SRC: cron
        SRN: dmlinux
        STR: (root) CMD ( rm \-f /var/spool/cron/lastrun/cron\&.hourly)
        DAT:
        
.fi
.if n \{\
.RE
.\}
.PP
Set up an eventlog source, specifying a message file DLL:
.sp
.if n \{\
.RS 4
.\}
.nf
        eventlogadm \-o addsource Application MyApplication | \e\e
                %SystemRoot%/system32/MyApplication\&.dll
        
.fi
.if n \{\
.RE
.\}
.PP
Filter messages from the system log into an event log:
.sp
.if n \{\
.RS 4
.\}
.nf
        tail \-f /var/log/messages | \e\e
                my_program_to_parse_into_eventlog_records | \e\e
                eventlogadm SystemLogEvents
        
.fi
.if n \{\
.RE
.\}
.SH "VERSION"
.PP
This man page is correct for version 3\&.0\&.25 of the Samba suite\&.
.SH "AUTHOR"
.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.