Tracing Event Policy Processing

 

Event policy tracing operations track all event policy operations and record them in a log file. The logged error descriptions provide detailed information to help you solve problems faster.

By default, no events are traced. If you include the traceoptions statement at the [edit event-options] hierarchy level, the default tracing behavior is the following:

  • Events are logged to the /var/log/eventd file on the device.

  • When the file eventd reaches 128 kilobytes (KB), it is renamed and compressed to eventd.0.gz, then eventd.1.gz, and so on, until there are three trace files. Then the oldest trace file (eventd.2.gz) is overwritten. (For more information about how log files are created, see the System Log Explorer.)

  • Log files can be accessed only by the user who configures the tracing operation.

You cannot change the directory (/var/log) to which trace files are written. However, you can customize the other trace file settings by including the following statements at the [edit event-options traceoptions] hierarchy level:

These statements are described in the following sections:

Configuring the Event Policy Log Filename

By default, the name of the file that records trace output is eventd. You can specify a different name by including the file statement at the [edit event-options traceoptions] hierarchy level:

Configuring the Number and Size of Event Policy Log Files

By default, when the trace file reaches 128 kilobytes (KB) in size, it is renamed filename.0, then filename.1, and so on, until there are three trace files. Then the oldest trace file (filename.2) is overwritten.

You can configure the limits on the number and size of trace files by including the following statements at the [edit event-options traceoptions file <filename>] hierarchy level:

For example, set the maximum file size to 2 MB and the maximum number of files to 20. When the file that receives the output of the tracing operation (filename) reaches 2 MB, filename is renamed and compressed to filename.0.gz and a new file called filename is created.

When filename reaches 2 MB, filename.0.gz is renamed filename.1.gz and filename is renamed and compressed to filename.0.gz. This process repeats until there are 20 trace files. Then the oldest file (filename.19.gz) is overwritten.

The number of files can range from 2 through 1000 files. The file size can range from 10 KB through 1 gigabyte (GB).

Configuring Access to the Log File

By default, log files can be accessed only by the user who configures the tracing operation.

To specify that any user can read all log files, include the world-readable statement at the [edit event-options traceoptions file <filename>] hierarchy level:

To explicitly set the default behavior, include the no-world-readable statement at the [edit event-options traceoptions file <filename>] hierarchy level:

Configuring a Regular Expression for Lines to Be Logged

By default, the trace operation output includes all lines relevant to the logged events.

You can refine the output by including the match statement at the [edit event-options traceoptions file <filename>] hierarchy level and specifying a regular expression to be matched:

Configuring the Trace Operations

By default, no events are logged. You can configure the trace operations to be logged by including the following statements at the [edit event-options traceoptions] hierarchy level:

Table 1 describes the meaning of the event policy tracing flags.

Table 1: Event Policy Tracing Flags

| Flag | Description | Default Setting |
|---|---|---|
| all | Trace all operations. | Off |
| configuration | Log reading of configuration at the [edit event-options] hierarchy level. | Off |
| events | Trace important events. | Off |
| database | Log events involving storage and retrieval in the events database. | Off |
| policy | Log policy processing. | Off |
| server | Log communication with processes that are generating events. | Off |
| syslogd | Log syslog-related traces. | Off |
| timer-events | Log internally generated events. | Off |
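
As an added example (not taken from the original page), the following stanza combines the file, size, files, access, match, and flag statements described in the sections above, using the 2 MB and 20-file limits from the rotation example. The file name eventd-policy and the match pattern are hypothetical values chosen for illustration.

```junos
/* Added example: event policy tracing with explicit retention and access settings. */
event-options {
    traceoptions {
        /*
         * eventd-policy is a hypothetical file name; the file is always
         * written under /var/log. size 2m and files 20 keep up to 20 trace
         * files of 2 MB each before the oldest is overwritten.
         * no-world-readable states the default access restriction explicitly.
         * The match pattern "policy" is a constructed placeholder; only lines
         * matching the regular expression are written, so omit match when
         * complete trace output is needed.
         */
        file eventd-policy size 2m files 20 no-world-readable match "policy";
        /* Flags from Table 1; all flags are off unless configured. */
        flag policy;
        flag events;
        flag configuration;
    }
}
```

With this file name, the command for viewing the end of the log becomes show log eventd-policy | last.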

To display the end of the log, issue the show log eventd | last operational mode command: