Overview

A critical part of UNIX system administrator’s job is to monitor the state of the system, and to be ready to take action when certain unusual conditions occur. Examples of such conditions are when a disk fill is full or a processor reports hardware errors. It is also important to verify that certain routine tasks run successfully each day, and to review certain system configuration values. Such conditions or task completions are known as system events.

The Event Manager is a comprehensive event management system. Event Manager includes a full set of command line utilities that enable you to filter, sort, and format events as needed.

Features

Event Manager supports the following features:

Facilitates users and applications to post and monitor events
Supports event channels, including evmlog
Offers support for encapsulating custom event channels
Enables users to choose summary or detailed event data
Provides a full set of command-line utilities that enable you to filter, sort, and format events as per your requirements.
Offers a configurable event logger that enables you to control logging of events, and the storage space used by identical events
Supports configurable event forwarding that enables you to automatically notify other system entities of selected events
Supports log file management that automatically archives and purges log files daily
Supports the application programming interface (API) library
Offers centralized access to event information
Supports configurable authorization for posting and accessing events

How Event Manager Works

This section describes how the different components of Event Manager interact with each other. It also describes the system files used to run Event Manager and any files that are created by Event Manager during normal operations. Figure 1-1 “Event Manager Component Model” illustrates the Event Manager component model.

Figure 1-1 Event Manager Component Model

In Figure 1-1 “Event Manager Component Model”, client components involved in posting events are at the left, system components are in the center, and client components involved in subscribing to and retrieving of events are at the right. Passive event channels do not post events and must be polled for information. These channels are depicted by the log files handled by the monitor scripts.

The primary component of the Event Manager is the evmd daemon, which is initialized when the system is booted to run level 2. For event management to function during system startup, the initialization of the daemon and its child processes is synchronized as follows:

When you boot the system, some kernel components post events as part of their initialization sequences. These events are queued in the kernel memory until the daemon is ready to accept them, because the daemon is not yet running.
The daemon starts early in the run level 2 initialization sequence of system startup. When the daemon starts, it performs the following actions:
- Starts the logger
- Starts the channel manager
- Listens for connection requests from clients
After the logger establishes its listening connection and is ready to log events, the daemon begins accepting posted events from the kernel and user-level posters.

The Event Manager logger, evmlogger, is an essential system component and must never be deconfigured, because some system components rely on its operation.

The logger program, evmlogger, runs as a resident process. It is configured to subscribe to a selected set of events, and to store them in managed log files for later retrieval. By default, the logger is configured to do the following:

Write high-priority events to the system console
Send mail to the system administrator when high-priority events occur

The resident channel manager process, evmchmgr, is configured to run periodic channel-monitoring scripts, which post events when they detect noteworthy activity in the channel. The channel manager also runs the daily log cleanup functions.

The get server process, evmget_srv, is a transient (demand) process that executes event retrieval scripts for the various event channels. The evmd daemon runs an instance of evmget_srv whenever a user runs the evmget command.

Entities on the left side of the model create posting connections to the daemon to post events. After it receives events from the posters, the daemon merges them with corresponding event templates from its template database, and distributes them to its subscribing clients.

The following components are on the right side of the model:

The evmwatch and other application programs that need to receive event information as it happens create subscribing connections to the daemon and pass filter strings to it to specify their event subscriptions.
The evmget command, which a user can run to retrieve historical event information from log files, creates a service connection and passes a filter string to specify the set of events to be retrieved. The daemon then runs an instance of the get server to handle the request.
The e-mail and pager actions are examples of forwarding commands, which the logger may execute in response to the occurrence of certain events.

Event Manager Command Line Utilities

Event Manager provides a number of command-line utilities both for administering the system itself and for use in posting or obtaining events. Table 1-1 “Event Manager Command-Line Utilities” describes the general user commands. For more information about the commands to monitor and review event activity, see Chapter 2 “Using Event Manager”.

Table 1-1 Event Manager Command-Line Utilities

Command	Description
evmget	Retrieves stored events from a configured set of log files and event channels, using channel-specific retrieval functions
evmpost	Accepts a file or stream of text event sources and posts them to the daemon for distribution
evmshow	Accepts one or more events and outputs them in the specified format
evmsort	Reads a stream of events and sorts them according to the supplied criteria
evmwatch	Subscribes to events specified and outputs them as they arrive

Table 1-2 “Event Manager Administrative Utilities” lists the administrative commands, which are usually invoked during system initialization. The individual command reference pages discuss other conditions under which the command is used.

Table 1-2 Event Manager Administrative Utilities

Command	Description
evmchmgr	The Event Manager daemon automatically starts the channel manager. It executes the periodic functions defined for any channel.
evmd	The daemon receives events from posting clients and distributes them to subscribing clients, that is, clients that have indicated they want to receive the events. The daemon is a critical system facility that starts automatically at system boot. You must not terminate the daemon. The Essential Services Monitor (ESM) daemon, `esmd`, maintains the availability of essential system daemons, including `evmd`, by automatically restarting them. For information about ESM daemon, see the esmd(1M) manpage.
evmlogger	The daemon automatically starts the logger. The logger receives events from the daemon and writes them to each of the logs whose filter string they match. The evmlogger also serves as an event forwarding agent that you can configure to take an action when required.
evmreload	This command posts control events, which instruct the components to reload their configuration files. When you modify a configuration file, you must use this command to load the new configuration.
evmstart	This command starts the daemon. It is used by the system startup scripts, but you can also use it to restart the daemon if it is terminated for any reason. Normally, the esmd daemon restarts the daemon automatically.
evmstop	This command stops the daemon, preventing entities from posting or subscribing for events. It is intended for use by the system shutdown scripts. You must not use this command under normal circumstances, because the daemon is required for many system functions to operate correctly. Normally, the esmd daemon restarts the daemon automatically.

Event Manager Application Programming Interface

The Event Manager API library, libevm.so, contains an extensive range of event management functions. This library enables programmers to design programs that interface with the Event Manager. The API functions enable programs to post events, send requests and notifications to the daemon, or receive responses and information from the daemon. For more information about the APIs, see the EVM(5) manpage.

Event Manager System Files

Event manager creates or uses the following system file types:

Executable Files

The Executable files for Event Manager administrative commands are located in the /usr/sbin directory.

General or user command executable files are located in the /usr/bin directory.

The initialization files are located in the /sbin/init.d directory.

Configuration Files

The following Base Event Manager configuration files are located in the /etc directory:

/etc/evmdaemon.conf: This file is a text file that contains commands used to configure and start the Event Manager. For more information about this file, see “Configuring Event Manager Channel” and evmdaemon.conf(4) .
/etc/evmchannel.conf: The event channel configuration file, which is read by the channel manager, evmchmgr, and the evmshow command. This file describes all the channels through which events can be posted and retrieved. For more information about this file, see “Configuring Event Manager Channel” and evmchannel.conf(4)
/etc/evmlogger.conf: The configuration file for the logger, evmlogger. It contains commands used to direct the display, forwarding, or storage of events. For more information about this file, see “Configuring Event Manager Logger” and evmlogger.conf(4).
/etc/evm.auth: This file is used to control access to events and event services. For more information about this file, see “Event Authorization” and evm.auth(4)

Log Files, Working Files, and Local Installation Files

The Log files, the working files, and the local installation files are located in the following subdirectories of /var/evm:

/var/evm/sockets

This directory contains a domain socket node, evmd, and a related lock file, evmd.lck. Local clients use this socket for connection.

/var/evm/evmlog

This directory contains the event logs created by the default logger configuration. Names of the log files in this directory are of the format evmlog.yyyymmdd[_nn],

Where:

yyyymmdd is the date of the log

_nn is a sequential generation number

A new log file is started automatically when it receives the first event after midnight, system time.

This directory also contains a lock file, evmlog.dated.lck, and a generation control file, evmlog.dated.gen. The generation control file contains information about the current generation number. For more information on managing log files, see “Managing Log Files”.

/var/evm/adm/logfiles

This directory contains output message logs created by the resident components of the following: the daemon, logger, and channel manager. New files are created each time the event manager starts. Old files are renamed by appending the suffix “.old” to their names, overwriting any previous old files.

/var/evm/adm/templates

This directory is provided for the installation of local and third-party event template subdirectories. This directory is connected to the system template directory by a symbolic link.

/var/evm/adm/channels

This directory is provided for the installation of local and third-party event channel scripts.

/var/evm/adm/config

This directory and its subdirectories contain secondary configuration files for various components. In this release, only the logger supports secondary configuration files. For more information about secondary configuration files, see evmlogger.conf(4).

/var/evm/adm/filters

This directory is provided for the installation of local and third-party event filter files.

/var/run/evmd.pid

This file contains the daemon process identifier (PID), which is saved by the evmd daemon for future actions, such as stopping.

/var/run/evmlogger.info

This file contains the logger's PID and information about the log files being managed. The evmlog channel retrieval and daily cleanup functions use this information.

System-supplied Definition Files

System-supplied definition files for templates, channels, and filters are located in the following subdirectories of the /usr/share/evm directory:

/usr/share/evm/channels: This directory contains a subdirectory for system-supplied event channel evmlog. Each subdirectory contains scripts that define the services available for that channel.
/usr/share/evm/filters: This directory contains system filter files.
/usr/share/evm/templates: This directory contains system event template files and subdirectories.




	NOTE: Do not modify the system supplied definition.