EELS applies a default rule of not allowing messages unless otherwise instructed. To instruct EELS to allow messages, you must specify filter blocks in /etc/default/eels.
Each filter block you specify is attached to a log source via a filter directive in the real-time-import parameter block in /etc/default/eels, for example:
    real-time-import syslog {
        syslog default;
        filter syslog_filter;
    }
The example shows that all messages that originate from the log source syslog should be filtered through ``syslog_filter''. The default ``syslog_filter'' is shown below:
    filter syslog_filter {
        include "all";
    }
This filter's rules specify that all messages from syslog should be logged in the EELS database. For more information, see ``Configuring a filter''.
Filter blocks that are used to trigger the execution of scripts work in a similar way. However, when a message meets the criteria of such a filter block, a specified script is executed instead of the message being logged. Filters used in this way are referenced from execute-script blocks. These types of blocks are described in ``Executing scripts using filters''.
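Because messages are not allowed unless a filter says so, a log source whose filter directive is missing or names a filter that is not defined is worth catching before it silently logs nothing. The following check is an added example, not part of EELS or of the original page. It assumes the block grammar is exactly what the two blocks above show and that an unresolved filter leaves the default rule in force; the ``authlog'' source and ``missing_filter'' name are hypothetical.

```python
import re

# Constructed sample in the syntax of the two blocks shown above; the
# "authlog" source and "missing_filter" name are hypothetical.
SAMPLE = '''
real-time-import syslog {
    syslog default;
    filter syslog_filter;
}
real-time-import authlog {
    syslog default;
    filter missing_filter;
}
filter syslog_filter {
    include "all";
}
'''

# Matches "kind name { body }" blocks; nesting is not handled (assumption).
BLOCK_RE = re.compile(r'([\w-]+)\s+([\w-]+)\s*\{([^{}]*)\}')

def parse_blocks(text):
    """Return (kind, name, directives) for each 'kind name { ... }' block."""
    blocks = []
    for kind, name, body in BLOCK_RE.findall(text):
        directives = [d.split(None, 1) for d in body.split(';') if d.strip()]
        blocks.append((kind, name, directives))
    return blocks

def check_filters(text):
    """Report log sources whose filter directive is absent or undefined."""
    blocks = parse_blocks(text)
    defined = {name for kind, name, _ in blocks if kind == 'filter'}
    findings = []
    for kind, name, directives in blocks:
        if kind != 'real-time-import':
            continue
        refs = [d[1].strip() for d in directives
                if d[0] == 'filter' and len(d) == 2]
        if not refs:
            findings.append((name, 'no filter directive'))
        for ref in refs:
            if ref not in defined:
                findings.append((name, 'undefined filter ' + ref))
    return findings

if __name__ == '__main__':
    for source, problem in check_filters(SAMPLE):
        print(source + ': ' + problem)
```

To check a live system, pass the contents of /etc/default/eels to check_filters in place of the sample.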