The Enhanced Event Logging System

Log sources

EELS can accept log messages from multiple sources. Each such source is called a ``log source''. EELS supports the following log sources:

syslog: messages originating from syslogd(1M) and cmn_err(D3)
audit: messages originating from the audit subsystem. By default the audit log source is disabled. Before you can enable this log source you must first ensure that the auditing subsystem is installed. For more information on the audit subsystem, see auditon(1M)
EELSUser: messages originating from eels_log_import(1Meels) and the EELS generic logging APIs; for more information on EELS generic logging APIs, see Intro(3eels)
EELSKernel: messages originating from the EELS kernel logging APIs; for more information on EELS kernel logging APIs, see Intro(D3eels)
XDAS: messages originating from the XDAS generic and kernel logging APIs; for more information on these APIs, see Intro(3xdas) and Intro(D3xdas)

By default, all log sources except audit are enabled with their characteristics being defined by real-time-import parameter blocks in /etc/default/eels. An example of a such a parameter block is shown below:

   real-time-import syslog {
      syslog   default;
      filter   syslog_filter;
   }

This block specifies that messages must be filtered using the filter rules contained in the filter parameter block called ``syslog_filter''. Any messages that meet the filter criteria are logged to the database and table specified in the log-destination parameter block called ``default''.

For more information on log-destination blocks see ``Customizing log destinations''. For more information on filter parameter blocks, see ``Filtering''.