EELS applies a default rule of not allowing messages unless otherwise instructed. To instruct EELS to allow messages, you must specify filter blocks in /etc/default/eels.
Each filter block you specify is attached to a log source via a filter directive in the real-time-import parameter block in /etc/default/eels, for example:
    real-time-import syslog {
        syslog default;
        filter syslog_filter;
    }

The example shows that all messages that originate from the log source syslog should be filtered through ``syslog_filter''. The default ``syslog_filter'' is shown below:
    filter syslog_filter {
        include "all";
    }

This filter's rules specify that all messages from syslog should be logged in the EELS database. For more information, see ``Configuring a filter''.
Filter blocks that are used to trigger the execution of scripts work in a similar way. However, rather than logging a message that meets the criteria of the filter block, they execute a specified script. Filters used in this way are referenced from execute-script blocks. These types of blocks are described in ``Executing scripts using filters''.