11.24.2005

Tru64 LPD and EVM - can't shutup LPD

No matter what the EVM configuration files ( /etc/evmdaemon.conf and /etc/evmlogger.conf ) state, if you have the 'activity monitor' set up in evmdaemon.conf, any events that hit EVM will count against the threshold for the activity monitor.  Even if you configure EVM to ignore or otherwise not log certain events, EVM will still trigger this activity monitor.
 
I had a ton of print jobs being printed certain hours of the day.  I wanted to stop the LPD daemon from posting these events (stop it from being chatty), because they were just normal system functions/activity that I don't think should count against the activity monitor, escpecially since I know this server will be busy handling print jobs already.  No matter what I tried, LPD always posted 3 events to EVM for each print job.  It seems no matter what configuration changes you make, you can't tell LPD to shut the hell up.  Even changing /etc/syslog_evm.conf didn't help at all.  Surprise, surprise.  Looks like the LPD daemon is hardcoded to post to EVM ----- which really sucks, you Compaq/DEC/HP engineers!!!:
 
LPD daemon started - Status: 0  PID: 1081011
LPD job submit requested - Status 0  Printer myprintername
LPD job submit completed - Status 0  Printer mypritnername  Job number 0
 
 
When enough of these events happened I would receive the following email message from EVM:
 
SUBJECT: EVM ALERT [600]: EVM daemon: High event activity - exceeds 500 in 10 minutes
============================ EVM Log event ===========================
EVM event name: sys.unix.evm.daemon.event_activity
 
    This high priority event is posted by the Event Manager (EVM)
    daemon when it detects a high number of events occurring over
    several minutes.
 
    Action: Use the event viewer or the evmget(1) command to review the
    event log for the source of the activity.  If the log does not show
    high activity around the time at which this event was posted, it is
    likely that the events were low priority, and hence were not
    logged.  You can monitor low-priority events by running the
    evmwatch(1) command with an appropriate filter, or by temporarily
    reconfiguring the EVM logger to log low-priority events.
 
    Note: You can change the parameters which control the posting of
    this event by modifying the daemon configuration file,
    /etc/evmdaemon.conf.
 
======================================================================
 
Formatted Message:
    EVM daemon: High event activity - exceeds 500 in 10 minutes
 
Event Data Items:
    Event Name        : sys.unix.evm.daemon.event_activity
    Priority          : 600
    PID               : 1048856
    PPID              : 1048577
    Event Id          : 326425
    Member Id         : 2
    Timestamp         : 24-Nov-2005 15:08:06
    Host IP address   : 192.168.1.1
    Cluster IP address: 192.168.1.3
    Host Name         : host.domain.com
    Cluster Name      : cluster
    User Name         : root
    Format            : EVM daemon: High event activity - exceeds $count in
                        $period minutes
    Reference         : cat:evmexp.cat:100
 
Variable Items:
    count (INT32) = 500
    period (INT32) = 10
 
======================================================================
 
 
Script to generate/post EVM events:
num=0
 
while [ $num -lt 500 ]
do
 num=$(expr $num + 1)
 echo $num
 echo 'event { name sys.unix.print.lpd }' | evmpost
done

Script to capture all EVM posts, regardless if they are logged or not:
#!/usr/bin/ksh
file=/usr/users/davidbon/evmwatcher.log
evmwatch -A -f "[priority >= 0]" -t "@priority  @timestamp @@" >> $file
 

1 comment:

Anonymous said...

You can isolate which log file the LPD messages are going into - should be the evmlog file (not lpr.log or syslog.log....) by executing:

evmget -C evmlog | evmshow -t "@timestamp @@" | grep LPD

To suppress these LPD events, you can see what rule is being used in /usr/share/evm/templates/sys/*.evt - to modify and present the entry into the evmlog file. In this case sys.evt has the LPD entries you are probably after. Commenting out these stanzas has no suppressive affect as the event match just ends up being logged as a generic log message . Note the name syntax and use that to build an exclude filter in /etc/evmlogger.conf

i.e.

eventlog{
name evmlog
....
exclude "[name *.print.lpd]"
}

Then bounce the evm logger via:

evmreload -l

Re-examine the log files to see if you are now suppressing everything you are after. Cron jobs can also be chatty - would need to edit /usr/share/evm/channels/misclog/misclog_get for that.