Linux Event Logging for Enterprise-Class Systems

evlog-1.6.1 available for i386, ia64, s390, s390x, ppc, ppc64, and arm/xscale

New features

  1. Support for the ARM/XScale platform, thanks to Mark Mellon (limited testing was done by Mark Mellon).
  2. Added ELA driver templates to the user evlog source tree, tarball and RPMs.

Bugs fixed

  1. Numerous fixes and enhancements to the notification/actions code.

evlog-1.6.0 available for i386, ia64, s390, s390x, ppc, and ppc64

New features

  1. Error Log Analyzer (ELA) infrastructure.
  2. Support Opteron (X86_64) platform.
  3. Added printf -p option for evlsend (see evlsend man page).

Bugs fixed

  1. Fixed bug 832595 - bugs in multi-arch code for templates
  2. Enhance: Re-wrote the tcp_rmt_be plugin to use a socket to communicate with the parent (evlogd) instead of using a named pipe.
  3. Enhance: Changed the startup order for evlnotifyd, evlactiond and evlogd so that evlnotifyd notifies clients of early boot events.

Users interested in CIM Indication for ELA can download the CIM Indication for ELA package here. A white paper about Event Log Analysis and CIM is also available.

evlog-1.5.3 available for i386, ia64, s390, s390x, ppc, and ppc64

New features

  1. Remote event forwarding, mixed architectures.
  2. Autoconf/automake (old make style is still possible with make -f
  3. Enhanced duplicate discarding algorithm. See evlconfig man page for details.

Bugs fixed

  1. Fixed bug 617708 - evlogmgr miscounts event records.

evlog-1.5.2 available for i386, ia64, s390, s390x, ppc, and ppc64

Note: None of the changes in this release should affect compatibility with different architectures, and RPMs are not being provided for each architecture (i386 only), but can be readily generated with the build-RPM scripts provided (see Release Notes/INSTALL procedures for more details).

New features

  1. evlsend now supports logging binary data. See man page for details on how to use.

Bugs fixed

  1. Fix evlogrmtd daemon security issue involving password authentication.
  2. Fix bug 704012 - posix_log_vprintf() crashes multithreaded applications.
  3. Fix bug 535525 - multithreaded applications fail on SMP machine.
  4. Fix the problem caused by evlogd daemon and friends not closing or redirecting stdin/stdout/stderr when they are going to background mode (ssh hangs if one restarts evlog then logs out).
  5. Some minor fixes in the library

evlog-1.5.1 available for i386, ia64, s390, s390x, ppc, and ppc64

Note: None of the changes in this release should affect compatibility with different architectures, and RPMs are not being provided for each architecture (i386 only), but can be readily generated with the build-RPM scripts provided (see Release Notes/INSTALL procedures for more details).

New features and enhancements:

  1. Addresses logged in POSIX_LOG_STRING format event records as "[]", where aaaaaa is an address, are now replaced by evlogd with "[symbolname+offset/size]". This information is located in the /boot/ file, or alternative location specified with the "evlogd -k" option. Address resolution can be disabled with "evlogd -x". Additional evlogd options are described in the Release Notes/INSTALL procedures.
  2. An event buffer has been added to the TCP-based plug-in, so that during periods of temporary loss-of-connection, events are not dropped by the sender. Default buffer size is 128K, but is configurable.
  3. "make clean" in top level directory now cleans everything it generated.
  4. Evlog daemons (evlogd, evlnotifyd, etc.) can be started multiple times with scripts in /etc/rc.d/init.d/evl*.
  5. Duplicate time adjustment in evlogd daemon for kernel events renders incorrect timestamp in event records.
  6. evlogrmtd will seg fault when it is built and run on IA64 platform.
  7. Several errors and omissions in INSTALL procedures. Also added to the INSTALL procedures are several "gotchas", and how to deal with them.

evlog-1.5.0 available for i386, ia64, s390, s390x, ppc, and ppc64

Note: None of the changes in this release should affect compatibility with different architectures, and RPMs are not being provided for each architecture (i386 only), but can be readily generated with the build-RPM scripts provided (see Release Notes for more details).

New Features:

  1. A "plug-in" capability has been added so that customized "event handlers" can register with evlogd to receive the event stream and provide alternative processing and handling of event records in addition to, or instead of, the standard logging/notification mechanism.
  2. 2 plug-ins are provided for forwarding events from multiple hosts to a centralized "event consolidation" host: Logging of events to the local log files continues when one of these plug-ins is used, unless local logging is disabled.
    A new evlogrmtd daemon runs on the "event consolidation host", accepts events only from hosts in its evlhosts file, and passes them to evlogd for logging to the event consolidator's local log file. The evlogrmtd simultaneously handles events sent both via UDP and TCP.
    evlog-1.5.0 does not provide data encryption, and all of the hosts must be the same architecture. Future releases will provide encryption and support mixed-architecture environments.
  3. The evlview command now displays the hostname (local, or if event originated in another host, its hostname). Also "host" is a "pseudo attribute" that can be used in filter expressions.
  4. Added a new user-space logging macro, syslogat(), which will write a message to syslog, and based on how the format string is written, write additional named-attributes to the event log as a POSIX_LOG_PRINTF log_format event record. POSIX_LOG_PRINTF event records are new in this release, and this log_format keeps the format string separated from the varargs, thus providing many more formatting possibilities during post-processing. A new utility, evlgentmpls, is provided which generates formatting templates from the .log section in .o files using syslogat(). A kernel equivalent of syslogat() for printk will be released in early 2003.
  5. Added -q, --nmeqval option to evlview, which for records that have associated formatting templates, displays the non-standard attributes in name=value format, one attribute per line.
  6. Added -F, --force to evlfacility command to not report an error if a facility is already in the facility registry with the correct facility code.
  7. Several formatting template changes/additions:
  8. A HOW TO section has been added to the website. Instructions are provided for:

Version 1.4.2 available for i386, ia64, s390, s390x, ppc, and ppc64

Note: Since none of the changes in this release affect compatibility with different architectures, RPMs are not being provided for each architecture, but can be readily generated with the build-RPM script (see Release Notes for more details).

  1. Moved config files to /etc/evlog.d:
  2. Fixed all potential buffer overruns caused by sprintf (now use snprintf).
  3. Prevent malicious users from using all of evlogd's socket descriptors (denial-of-service attack).
  4. posix_log_write() keeps the socket descriptor around for subsequent calls until client app exits (performance improvement).
  5. Fixed maxsd computation routine when clients disconnect from evlogd and evlnotifyd.
  6. posix_log_notify_* functions are now thread safe.
  7. evlnotifyd no longer dies (SIGSEGV) when evlogd stops and a client attempts to register a notification request.
  8. packWString() adds terminating NULL correctly.
  9. "enhanced printk" feature no longer requires a second patch
  10. Moved man pages to /usr/share/man directory.

NOTE: Due to a problem that was reported on Aug.27, 2002, the "enhanced printk" feature has been withdrawn, and new kernel patches have been posted for the evlog-1.4.2 release with this feature removed. Sorry for any inconvenience this has caused.
--The event logging team.

Version 1.4.0 available for i386, ia64, s390, s390x, ppc, and ppc64

RPMs have now been posted for i386, ia64, s390, s390x, ppc, and ppc64 (64-bit kernel, 32-bit user-space). Kernel patches have also been applied and tested on these platforms. A summary of features in version 1.4.0:

  1. Log Management -- The evlogmgr command provides the ability to delete events from log file(s) that match user-specified criteria, compact and truncate log file(s), and manage the overall disk space required for log file(s). The use of logrotate is no longer required.
  2. Enhanced printk (available only for kernel version 2.4.18):
    These new capabilities offer several possibilities for utilizing Event Logging's features with existing printk() messages, while having no impact on the normal operation of syslog, unless you choose to more tightly integrate syslog with event logging. See Enhanced Printk for more details.
  3. Events with severity of EMER, CRIT and ALERT, and events with log_facility of AUTHPRIV, are fdatasync-ed (committed to physical disk) before event notification is sent.
  4. Added fflush(stdout) when "evlview -n > file" option is used. Previously, buffered events were not committed to the file if the user does ctrl-c. Also, a change was made for "evlview -n" so that it would not terminate when the new evlogmgr command was executed.
  5. Two new log_flags values in the event record:
  6. Changes / additions to the evlview command:

Version 1.3.0 RPMs available for i386, ia64, ppc, s390, s390x

Here is the latest status for v1.3.0 kernel patches on these platforms:
i386 - Kernel patch tested good
s390 - Kernel patch tested good
s390x - Kernel patch tested good
ia64 - Kernel patch applied to standard 2.4.17 kernel plus ia64 patches found at, but system hangs immediately after reboot if printk forwarding is enabled. Update -- A fix for this problem will be in the evlog-1.4.0 release.
ppc - Kernel patches have not been tested due to lack of equipment availability
An updated tarball and source RPM have also been posted.

Version 1.3.0 available for i386 and s390

NOTE: Bug 530006 has been opened against this release, and only affects forwarding of syslog messages to event logging.

  1. Improved Facility code generation and registration:
  2. Several enhancements related to formatting templates:
  3. Eliminated the use of get_cmos_time() for obtaining log_time for the initial bootup events. Instead, evlogd now sets log_time in the initial events to system startup time. This approach provides a reasonable approximation and is portable across all platforms.
  4. Fixes for the following bugs:

Version 1.2.0 available for i386

  1. Events logged in user-space are now passed directly to the evlogd daemon, instead of being written to the kernel event buffer.
  2. The libevl event logging library no longer depends on the event logging kernel patch, meaning that event logging in user-space does not require changes in the kernel. The kernel patch is still required for using the event logging APIs in the kernel and for forwarding of printk() messages to Enterprise Event Logging.
  3. All formatting template features described in the Enterprise Event Logging Specification are now available.
  4. Date and Time formatting in the evlview command is now based on the setting of the LANG environment variable.
  5. The --value option has been removed from the evlfacility command, in preparation for future enhancements to the way log_facility integer values are generated from Facility names (text strings).
  6. Kernel patches covering all 2.4 Linux kernels from 2.4.2 to 2.4.17 are now provided.
  7. Fixes for the following bugs:

Version 1.1.1 available for s390 (32-bit), s390x (64-bit) and i386

Binary RPMs for s390, s390x, and i386 are posted here.
A source RPM and tarball that support all 3 platforms have also been posted with a "-3" suffix.

Bug fixes in v1.1.1

  1. (Fix for Bug # 485676) Code added in v1.1.0 for displaying events on the system console is incompatible with the re-write of code for displaying of messages from printk() first appearing in kernel v2.4.10. This causes the kernel to hang or PANIC under certain conditions. This only affects the patches for kernel versions 2.4.10 through 2.4.14.
  2. Added check in the kernel version of posix_log_write() for null-terminated string (when log_format is POSIX_LOG_STRING). Returns EBADMSG if string is not NULL-terminated. A few other changes to make this function consistent between kernel and user space.
  3. Fixed bug causing programs linked with to fail at link time.
  4. Added missing function call in so that syslog messages actually get logged in event log.
  5. Fixed several bugs causing problems on s390 and/or 64-bit machines:
  6. Updated all header files for C++ compatibility.
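
The terminator check described in item 2 above, as an added C example (not evlog's own code). demo_log_write(), the demo_format values and DEMO_MAX_PAYLOAD are hypothetical names, and rejecting an embedded NUL is a stricter assumption of this example than the item states.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the log_format values (not evlog's headers). */
enum demo_format { DEMO_FMT_NODATA, DEMO_FMT_BINARY, DEMO_FMT_STRING };
#define DEMO_MAX_PAYLOAD 256 /* assumed payload limit for this example */

struct demo_record {
    enum demo_format format;
    size_t len;
    unsigned char data[DEMO_MAX_PAYLOAD];
};

/* Validate (buf, len, format) before copying into rec. Only the first len
 * bytes are inspected, so a missing terminator never causes a read past
 * the caller's buffer. Returns 0 or an errno value. */
int demo_log_write(struct demo_record *rec, const void *buf, size_t len,
                   enum demo_format format)
{
    if (rec == NULL)
        return EINVAL;
    if (format == DEMO_FMT_NODATA)
        len = 0;                      /* payload is ignored */
    else if (buf == NULL || len == 0)
        return EINVAL;
    if (len > DEMO_MAX_PAYLOAD)
        return EMSGSIZE;
    if (format == DEMO_FMT_STRING) {
        const unsigned char *p = buf;
        /* First NUL must be the last byte: rejects both an unterminated
         * buffer and (assumption of this example) an embedded NUL. */
        if ((const unsigned char *)memchr(p, '\0', len) != p + len - 1)
            return EBADMSG;
    }
    rec->format = format;
    rec->len = len;
    if (len > 0)
        memcpy(rec->data, buf, len);
    return 0;
}

int main(void)
{
    struct demo_record rec;
    const char raw[4] = { 'd', 'i', 's', 'k' }; /* constructed input, no NUL */
    printf("terminated: %d\n", demo_log_write(&rec, "disk", 5, DEMO_FMT_STRING));
    printf("unterminated: %d\n", demo_log_write(&rec, raw, 4, DEMO_FMT_STRING));
    return 0;
}
```

The check uses memchr() bounded by len rather than strlen(), which would itself run off the end of an unterminated buffer.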

evlog v1.1.0

New features and enhancements in:

  1. Kernel patches for kernel versions 2.4.2 through 2.4.14 will now be posted on the website.
  2. A new library that "wraps" around GNU C Lib and provides forwarding of syslog messages to the POSIX event log without having to patch and rebuild glibc.
  3. Formatting Template support and evltc command (for compiling formatting templates).
    Some features are not yet available. See for a detailed list.
  4. Displaying of events logged in the kernel (with the new log write functions) on the system console. The --output option was added to the evlconfig command to turn console logging on/off, or set the severity level for displaying to the console.
  5. Forwarding of printk() messages to the kernel event buffer must now be explicitly enabled when configuring the kernel (forwarding is disabled by default).
  6. evlfacility command for managing the facility registry.
  7. Restricted Logging support.
  8. Added "address" as a data type for formatting templates.
  9. Added 2 new purpose arguments for posix_log_query_create() as extensions to the draft POSIX standard: EVL_PRPS_TEMPLATE and EVL_PRPS_RESTRICTED.
  10. Added EVL_KERNEL_EVENT flag for log_flags member in posix_log_entry.
  11. Added varargs versions of log write functions in kernel and user-space.
  12. Added support for --new and --timeout options in evlview command.
  13. Added --templates and --notemplates options to evlview command.
  14. Added unlink(PidFile) function in evlogd.c, evlnotifyd.c, evlactiond.c.
  15. Moved evlogd, evlnotifyd, and evlactiond pid files from /var/evlog to /var/run.

Bug Fixes:

  1. Removed evlog *.pid files on graceful shutdown or on startup if previous shutdown was non-graceful to fix evlogd daemon startup failure.
  2. In event notification, fixed a bug where error returns from rt_sigqueueinfo() were causing the notification to be erroneously disabled.
  3. In do_syslog(), now use options 20 and 21 for read/write to kernel event buffer, instead of 9 and 10, to avoid conflict with other newly added options in do_syslog().
  4. posix_log_notify_add() is now signal-safe.