~zulcss/samba/server-dailies-3.4

is a filter that accepts formatted event log records on standard input and writes them to the Samba event log store\&. Windows client can then manipulate these record using the usual administration tools\&.

192

.SH "OPTIONS"

193

.PP

194

\fB\-d\fR

195

.RS 4

196

The

197

\FC\-d\F[]

198

option causes

199

\FCeventlogadm\F[]

200

to emit debugging information\&.

201

.RE

202

.PP

203

\fB\-o\fR \FCaddsource\F[] \fIEVENTLOG\fR \fISOURCENAME\fR \fIMSGFILE\fR

204

.RS 4

205

The

206

\FC\-o addsource\F[]

207

option creates a new event log source\&.

208

.RE

209

.PP

210

\fB\-o\fR \FCwrite\F[] \fIEVENTLOG\fR

211

.RS 4

212

The

213

\FC\-o write\F[]

214

reads event log records from standard input and writes them to the Samba event log store named by EVENTLOG\&.

215

.RE

216

.PP

217

\fB\-o\fR \FCdump\F[] \fIEVENTLOG\fR \fIRECORD_NUMBER\fR

218

.RS 4

219

The

220

\FC\-o dump\F[]

221

reads event log records from a EVENTLOG tdb and dumps them to standard output on screen\&.

222

.RE

223

.PP

224

\fB\-h\fR

225

.RS 4

226

Print usage information\&.

227

.RE

228

.SH "EVENTLOG RECORD FORMAT"

229

.PP

230

For the write operation,

231

\FCeventlogadm\F[]

232

expects to be able to read structured records from standard input\&. These records are a sequence of lines, with the record key and data separated by a colon character\&. Records are separated by at least one or more blank line\&.

233

.PP

234

The event log record field are:

235

.sp

236

.RS 4

237

.ie n \{\

238

\h'-04'\(bu\h'+03'\c

239

.\}

240

.el \{\

241

.sp -1

242

.IP \(bu 2.3

243

.\}

244

245

\FCLEN\F[]

246

\- This field should be 0, since

247

\FCeventlogadm\F[]

248

will calculate this value\&.

249

.RE

250

.sp

251

.RS 4

252

.ie n \{\

253

\h'-04'\(bu\h'+03'\c

254

.\}

255

.el \{\

256

.sp -1

257

.IP \(bu 2.3

258

.\}

259

260

\FCRS1\F[]

261

\- This must be the value 1699505740\&.

262

.RE

263

.sp

264

.RS 4

265

.ie n \{\

266

\h'-04'\(bu\h'+03'\c

267

.\}

268

.el \{\

269

.sp -1

270

.IP \(bu 2.3

271

.\}

272

273

\FCRCN\F[]

274

\- This field should be 0\&.

275

.RE

276

.sp

277

.RS 4

278

.ie n \{\

279

\h'-04'\(bu\h'+03'\c

280

.\}

281

.el \{\

282

.sp -1

283

.IP \(bu 2.3

284

.\}

285

286

\FCTMG\F[]

287

\- The time the eventlog record was generated; format is the number of seconds since 00:00:00 January 1, 1970, UTC\&.

288

.RE

289

.sp

290

.RS 4

291

.ie n \{\

292

\h'-04'\(bu\h'+03'\c

293

.\}

294

.el \{\

295

.sp -1

296

.IP \(bu 2.3

297

.\}

298

299

\FCTMW\F[]

300

\- The time the eventlog record was written; format is the number of seconds since 00:00:00 January 1, 1970, UTC\&.

301

.RE

302

.sp

303

.RS 4

304

.ie n \{\

305

\h'-04'\(bu\h'+03'\c

306

.\}

307

.el \{\

308

.sp -1

309

.IP \(bu 2.3

310

.\}

311

312

\FCEID\F[]

313

\- The eventlog ID\&.

314

.RE

315

.sp

316

.RS 4

317

.ie n \{\

318

\h'-04'\(bu\h'+03'\c

319

.\}

320

.el \{\

321

.sp -1

322

.IP \(bu 2.3

323

.\}

324

325

\FCETP\F[]

326

\- The event type \-\- one of "INFO", "ERROR", "WARNING", "AUDIT SUCCESS" or "AUDIT FAILURE"\&.

327

.RE

328

.sp

329

.RS 4

330

.ie n \{\

331

\h'-04'\(bu\h'+03'\c

332

.\}

333

.el \{\

334

.sp -1

335

.IP \(bu 2.3

336

.\}

337

338

\FCECT\F[]

339

\- The event category; this depends on the message file\&. It is primarily used as a means of filtering in the eventlog viewer\&.

340

.RE

341

.sp

342

.RS 4

343

.ie n \{\

344

\h'-04'\(bu\h'+03'\c

345

.\}

346

.el \{\

347

.sp -1

348

.IP \(bu 2.3

349

.\}

350

351

\FCRS2\F[]

352

\- This field should be 0\&.

353

.RE

354

.sp

355

.RS 4

356

.ie n \{\

357

\h'-04'\(bu\h'+03'\c

358

.\}

359

.el \{\

360

.sp -1

361

.IP \(bu 2.3

362

.\}

363

364

\FCCRN\F[]

365

\- This field should be 0\&.

366

.RE

367

.sp

368

.RS 4

369

.ie n \{\

370

\h'-04'\(bu\h'+03'\c

371

.\}

372

.el \{\

373

.sp -1

374

.IP \(bu 2.3

375

.\}

376

377

\FCUSL\F[]

378

\- This field should be 0\&.

379

.RE

380

.sp

381

.RS 4

382

.ie n \{\

383

\h'-04'\(bu\h'+03'\c

384

.\}

385

.el \{\

386

.sp -1

387

.IP \(bu 2.3

388

.\}

389

390

\FCSRC\F[]

391

\- This field contains the source name associated with the event log\&. If a message file is used with an event log, there will be a registry entry for associating this source name with a message file DLL\&.

392

.RE

393

.sp

394

.RS 4

395

.ie n \{\

396

\h'-04'\(bu\h'+03'\c

397

.\}

398

.el \{\

399

.sp -1

400

.IP \(bu 2.3

401

.\}

402

403

\FCSRN\F[]

404

\- The name of the machine on which the eventlog was generated\&. This is typically the host name\&.

405

.RE

406

.sp

407

.RS 4

408

.ie n \{\

409

\h'-04'\(bu\h'+03'\c

410

.\}

411

.el \{\

412

.sp -1

413

.IP \(bu 2.3

414

.\}

415

416

\FCSTR\F[]

417

\- The text associated with the eventlog\&. There may be more than one string in a record\&.

418

.RE

419

.sp

420

.RS 4

421

.ie n \{\

422

\h'-04'\(bu\h'+03'\c

423

.\}

424

.el \{\

425

.sp -1

426

.IP \(bu 2.3

427

.\}

428

429

\FCDAT\F[]

430

\- This field should be left unset\&.

431

.SH "EXAMPLES"

432

.PP

433

An example of the record format accepted by

434

\FCeventlogadm\F[]:

435

.sp

436

.if n \{\

437

.RS 4

438

.\}

439

.fam C

440

.ps -1

441

.nf

442

.if t \{\

443

.sp -1

444

.\}

445

.BB lightgray adjust-for-leading-newline

446

.sp -1

447

448

LEN: 0

449

RS1: 1699505740

450

RCN: 0

451

TMG: 1128631322

452

TMW: 1128631322

453

EID: 1000

454

ETP: INFO

455

ECT: 0

456

RS2: 0

457

CRN: 0

458

USL: 0

459

SRC: cron

460

SRN: dmlinux

461

STR: (root) CMD ( rm \-f /var/spool/cron/lastrun/cron\&.hourly)

462

DAT:

463

464

.EB lightgray adjust-for-leading-newline

465

.if t \{\

466

.sp 1

467

.\}

468

.fi

469

.fam

470

.ps +1

471

.if n \{\

472

.RE

473

.\}

474

.PP

475

Set up an eventlog source, specifying a message file DLL:

476

.sp

477

.if n \{\

478

.RS 4

479

.\}

480

.fam C

481

.ps -1

482

.nf

483

.if t \{\

484

.sp -1

485

.\}

486

.BB lightgray adjust-for-leading-newline

487

.sp -1

488

489

eventlogadm \-o addsource Application MyApplication | \e\e

490

%SystemRoot%/system32/MyApplication\&.dll

491

492

.EB lightgray adjust-for-leading-newline

493

.if t \{\

494

.sp 1

495

.\}

496

.fi

497

.fam

498

.ps +1

499

.if n \{\

500

.RE

501

.\}

502

.PP

503

Filter messages from the system log into an event log:

504

.sp

505

.if n \{\

506

.RS 4

507

.\}

508

.fam C

509

.ps -1

510

.nf

511

.if t \{\

512

.sp -1

513

.\}

514

.BB lightgray adjust-for-leading-newline

515

.sp -1

516

517

tail \-f /var/log/messages | \e\e

518

my_program_to_parse_into_eventlog_records | \e\e

519

eventlogadm SystemLogEvents

520

521

.EB lightgray adjust-for-leading-newline

522

.if t \{\

523

.sp 1

524

.\}

525

.fi

526

.fam

527

.ps +1

528

.if n \{\

529

.RE

530

.\}

531

.SH "VERSION"

532

.PP

533

This man page is correct for version 3\&.0\&.25 of the Samba suite\&.

534

.SH "AUTHOR"

535

.PP

536

The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.