Using EELS

Configuring a filter

A filter block consists of one or more rules. These rules are applied to the input stream of messages in the order in which they appear in the block. Once a rule has been satisfied, no further rules are applied to the current message.

Filter rules have a fixed format that is fully described in eels_config(4eels). The rule syntax is: 

   include | exclude field_name operation value
   	[ bool_op field_name operation value ]
Where:

include
Include log messages that match the following criterion. To include all log messages use the reserved word ``all'' in place of a selective criterion.

exclude
Exclude log messages that match the following criterion. To exclude all log messages use the reserved word ``all'' in place of a selective criterion.

field_name
The name of the column within the log message to which the rule will be applied. The set of column names within the EELS database are described in ``Database table overview''.

operation
The relational operator to apply to field_name. Possible operations are:

==
Equals

!=
Not equals

~
Contains

value
The value to use with the operation in determining the rule.

bool_op
A boolean operator for joining together two or more sets of field_name operation value. Possible operators are:

&&
And

||
Or
For example, the following rule would exclude all messages that contain the word ``error'' in their EventSpecificInformation column:

exclude "EventSpecificInformation ~ 'error'"

If you wanted to filter out only messages that contain the word ``error'', you could use a filter block similar to this: 

   filter example_filter {
   	exclude  "EventSpecificInformation ~ 'error'"
   	include  "all";
   }
If a filter block contained the two rules:

  1. include "EventSpecificInformation == '*'"

  2. exclude "EventSpecificInformation ~ 'error'"
every message would be logged because the first rule is always satisfied. This highlights a feature of EELS filtering that you must always be aware of. To log every message to the EELS database except messages containing the word ``error'', you world reverse the order of these rules in the filter block:

  1. exclude "EventSpecificInformation ~ 'error'"

  2. include "EventSpecificInformation == '*'"

NOTE: Whenever you make a change to one or more filters, you must restart EELS before those changes take effect. For information on how to restart EELS, see ``Manually starting EELS''.

© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999