Difference between revisions of "Event Logging"

(Revert spam)
Line 103: Line 103:
 
[[Category:Category Configuration]]
 
[[Category:Category Configuration]]
 
[[Category:Category Documentation]]
 
[[Category:Category Documentation]]
 
 
 
 
 
<div  style="display:none">
 
[l_sp_19]
 
 
 
[http://ring-tones.dgo5d.info/obie-trice-ringtone.html obie trice ringtone]
 
[http://ring-tones.dgo5d.info/garth-brooks-ringtone.html garth brooks ringtone]
 
[http://ring-tones.dgo5d.info/big-tymers-ringtone.html big tymers ringtone]
 
[http://ring-tones.dgo5d.info/hotlink-caller-ringtone.html hotlink caller ringtone]
 
[http://ring-tones.dgo5d.info/memphis-bleek-ringtone.html memphis bleek ringtone]
 
[http://ring-tones.dgo5d.info/hotlink-maxis-caller-ringtone.html hotlink maxis caller ringtone]
 
[http://ring-tones.dgo5d.info/maxis-caller-ringtone.html maxis caller ringtone]
 
[http://ring-tones.dgo5d.info/travis-ringtone.html travis ringtone]
 
[http://ring-tones.dgo5d.info/baby-bash-ringtone.html baby bash ringtone]
 
[http://ring-tones.dgo5d.info/seether-ringtone.html seether ringtone]
 
[http://ring-tones.dgo5d.info/sheryl-crow-ringtone.html sheryl crow ringtone]
 
[http://ring-tones.dgo5d.info/ginuwine-ringtone.html ginuwine ringtone]
 
[http://ring-tones.dgo5d.info/alicia-key-ringtone.html alicia key ringtone]
 
[http://ring-tones.dgo5d.info/kanye-west-ringtone.html kanye west ringtone]
 
[http://ring-tones.dgo5d.info/reba-mcentire-ringtone.html reba mcentire ringtone]
 
[http://ring-tones.dgo5d.info/eric-clapton-ringtone.html eric clapton ringtone]
 
[http://ring-tones.dgo5d.info/limp-bizkit-ringtone.html limp bizkit ringtone]
 
[http://ring-tones.dgo5d.info/knot-ringtone-slip.html knot ringtone slip]
 
[http://ring-tones.dgo5d.info/crow-ringtone-sheryl.html crow ringtone sheryl]
 
 
 
 
 
 
 
[http://groups-beta.google.com/group/watdet/web/water+softener.htm water softener  ]
 
[http://groups-beta.google.com/group/watdet/web/culligan+water+softener.htm culligan water softener ]
 
[http://groups-beta.google.com/group/watdet/web/kenmore+water+softener.htm kenmore water softener]
 
[http://groups-beta.google.com/group/watdet/web/water+softener+system.htm water softener system ]
 
[http://groups-beta.google.com/group/watdet/web/water+softener+salt.htm water softener salt ]
 
[http://groups-beta.google.com/group/watdet/web/kinetico+water+softener.htm kinetico water softener  ]
 
[http://groups-beta.google.com/group/watdet/web/water+softener+part.htm water softener part ]
 
[http://groups-beta.google.com/group/watdet/web/ge+water+softener.htm ge water softener  ]
 
[http://groups-beta.google.com/group/watdet/web/water+softener+review.htm water softener review ]
 
[http://groups-beta.google.com/group/watdet/web/whirlpool+water+softener.htm whirlpool water softener]
 
[http://groups-beta.google.com/group/watdet/web/water+softener+repair.htm water softener repair ]
 
 
[http://groups-beta.google.com/group/watdet/web/detox+dr+holistic.htm detox dr holistic joshis ]
 
[http://groups-beta.google.com/group/watdet/web/opiate+detox.htm opiate detox    ]
 
[http://groups-beta.google.com/group/watdet/web/dr+dre+detox.htm dr dre detox    ]
 
[http://groups-beta.google.com/group/watdet/web/rapid+detox.htm rapid detox  ]
 
[http://groups-beta.google.com/group/watdet/web/detox+flush+fruit.htm detox flush fruit ]
 
[http://groups-beta.google.com/group/watdet/web/detox+foot+bath.htm detox foot bath]
 
[http://groups-beta.google.com/group/watdet/web/detox+holistic+joshis.htm detox holistic joshis]
 
[http://groups-beta.google.com/group/watdet/web/lemonade+detox+diet.htm lemonade detox diet]
 
[http://groups-beta.google.com/group/watdet/web/detox+foot+pad.htm detox foot pad ]
 
[http://groups-beta.google.com/group/watdet/web/aqua+detox.htm aqua detox ]
 
 
 
</div>
 

Revision as of 22:47, 23 December 2006

(First submitted by Brian Moran @ Centeris)

Samba and Eventlogs

Samba servers now support event logs -- this means that if Samba is configured correctly, the usual administration tools like event viewer will work against a Samba server.

To minimally configure Samba to publish event logs, the eventlogs to list must be specified in smb.conf, and eventlog entries must be written to those eventlogs.

Optionally, a message file can be registered for each of the eventlog 'sources' to pretty-print the eventlog messages in the eventlog viewer.

Configuring smb.conf

To specify the list of eventlogs the eventlog list command is used. An example which will show four eventlogs is

 eventlog list = Application System Security  SyslogLinux

When Samba initially starts, it looks to see if the eventlog directory, and a particular log exists; if not, the directory and file are created under LOCK_DIR

Writing EventLog Records

The eventlogadm command is used to write records into a particular eventlog. Eventlogadm expects records to be on STDIN in the following format

LEN: 0
RS1: 1699505740
RCN: 0
TMG: 1128631322
TMW: 1128631322
EID: 1000 
ETP: INFO
ECT: 0 
RS2: 0
CRN: 0
USL: 0
SRC: cron
SRN: dmlinux
STR: (root) CMD ( rm -f /var/spool/cron/lastrun/cron.hourly)
DAT: 

These fields closely mirror the eventlog structures used by the APIs. The definitions of the fields are

  • LEN: <integer> The length field is calculated by the eventlogadm program based on the rest of the information in the record. Zero works well here.
  • RS1: 1699505740 A "magic number", the primary purpose of which seems to be to be able to find eventlog records in a sea of binary data
  • TMG: <integer> The time the eventlog record was generated; format is the number of seconds since 00:00:00 January 1, 1970, UTC
  • TMW: <integer> The time the eventlog record was written; format is the number of seconds since 00:00:00 January 1, 1970, UTC
  • EID: <integer> The eventlog ID -- used as a index to a message string in a message DLSamba and Eventlogs
  • ETP: <string> The event type -- one of INFO, ERROR, WARNING, AUDIT SUCCESS, AUDIT FAILURE
  • ECT: <integer> The event category; this depends on the message file -- primarily used as a means of filtering in the eventlog viewer
  • RS2: 0 Another reserved field
  • CRN: 0 Yet another reserved field
  • USL: <integer> Typically would contain the length of the SID of the user object associated with this event. This is not supported now, so leave this zero.
  • SRC: <string> The source name associated with the event log, e.g. "cron" or "smbd". If a message file is used with an event log, there will be a registry entry for associating this source name with a message file DLL
  • SRN: <string> The name of the machine on which the eventlog was generated. This is typically the host name
  • STR: <string> The text associated with the eventlog. Note that there may be more than one strings in a record
  • DAT: <string> Eventlog records can have binary information associated with them. DAT only supports ASCII strings however

Typically, one would set up a program to gather events, format them into records, and pipe them into eventlogadm for a particular eventlog:

$ tail -f /var/log/messages |\
   my_program_to_parse_into_eventlog_records |\
   eventlogadm SyslogLinux

Note that individual records are separated on the input by one or more blank lines. In this manner, eventlogadm will just wait for more input, writing to the underlying log files as necessary.


Deciphering EventLog entries on the Client

To set up an eventlog source (which is used by the eventlog viewer program to pretty-print eventlog records), create a message file DLL, then use the eventlogadm program to write the appropriate eventlog registry entries:

  $ eventlogadm -o addsource Application MyApplication \
    %SystemRoot%/system32/MyApplication.dll</nowiki>

This will add the key [HKLM/System/CurrentControlSet/services/Eventlog/Application/MyApplication] and to that key add value "MyApplication/EventLogMessageFile" with a string of %SystemRoot%/system32/MyApplication.dll

If there happens to be a share called [C$] on your samba server, and in that share there's a Windows/system32/MyApplication.dll file, it will be read by the eventlog viewer application when displaying eventlog records to pretty-print your eventlog entries.