<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="generator" content="Osso Notes">
<title></title></head>
<body>
<p>hi,
<br>
<br>What about introducing a template function that expands to the number of elements in the context?
<br>
<br>That way the condition could use that together with numeric comparisons that are already available.
<br>
<br>----- Original message -----
<br>> <a href="mailto:balint.kovacs@balabit.com">balint.kovacs@balabit.com</a> writes:
<br>>
<br>> > It was quite unintuitive to determine if a previous message exists in
<br>> > the correlation context as the basis of the decision whether an action
<br>> > should be run or not. This patch adds support for the min-messages and
<br>> > max-messages attributes of the action XML node; the action is run only
<br>> > if the correlation context contains at least as many messages as the
<br>> > min-messages attribute and at most as many messages as the max-messages
<br>> > attribute.
<br>> >
<br>> > This way it is easy to determine if a context contains a sufficient
<br>> > number of messages for the event to be complete and run a different
<br>> > action if it is not, e.g. if 2 messages are needed for an event,
<br>> > this should emit an event message if there are enough messages and
<br>> > an error message if not.
<br>>
<br>> Now this was confusing at first (and even after in-person explanation,
<br>> it is still a bit hard to wrap my head around it based on this
<br>> description). The naming is bad, sorry!
<br>>
<br>> Just to clarify it to myself, what happens here, is that the patch
<br>> introduces two new attributes for the action tag. Since I can't explain
<br>> what they accomplish too well yet, I'd like to use an example:
<br>>
<br>> Let's suppose we have an event we want to correlate from at least five
<br>> messages:
<br>>
<br>> program: session=f00; login; username="user"
<br>> program: session=f00; task="something"
<br>> program: session=f00; status="ok"
<br>> program: session=f00; task="noop"
<br>> program: session=f00; logout
<br>>
<br>> We want to make sure that whenever a correlation action fires, we have
<br>> all five messages (and we'll assume that the five messages we have are
<br>> the correct ones): for that, there's the new min-messages
<br>> attribute. When set to 5, it will only emit a message when there are
<br>> five or more messages in the context. Add this action to the closing
<br>> pattern, and mission accomplished.
<br>>
<br>> It is most useful for closing patterns, but there's probably a use case
<br>> for using it elsewhere too.
<br>>
<br>> And to detect errors, we need a way to emit a message when we receive a
<br>> closing pattern, but don't have enough messages: that's what
<br>> max-messages does.
<br>>
<br>> Let's say that the noop task did not happen, so when the logout message
<br>> arrives, we only have four messages in the context. If max-messages is
<br>> set to 4, then the action will trigger.
<br>>
<br>> I find the naming unintuitive, though, it's kind of backwards...
<br>>
<br>> How about if-msg-count-ge (min-messages) and if-msg-count-le
<br>> (max-messages)? I think that would make it slightly easier to understand
<br>> what they're used for.
<br>>
<br>> Transforming your example, this:
<br>>
<br>> > <actions>
<br>> > <action min-messages='2'>
<br>> > <message>
<br>> > <values>
<br>> > <value name="PROGRAM">event</value>
<br>> > <value name="MESSAGE">Hello event!</value>
<br>> > </values>
<br>> > </message>
<br>> > </action>
<br>> > <action max-messages='1'>
<br>> > <message>
<br>> > <values>
<br>> > <value name="PROGRAM">error</value>
<br>> > <value name="MESSAGE">Hello error!</value>
<br>> > </values>
<br>> > </message>
<br>> > </action>
<br>> > </actions>
<br>>
<br>> ...would turn into:
<br>>
<br>>  <actions>
<br>>  <action if-msg-count-ge='2'>
<br>>  <message>
<br>>  <values>
<br>>  <value name="PROGRAM">event</value>
<br>>  <value name="MESSAGE">Hello event!</value>
<br>>  </values>
<br>>  </message>
<br>>  </action>
<br>>  <action if-msg-count-le='1'>
<br>>  <message>
<br>>  <values>
<br>>  <value name="PROGRAM">error</value>
<br>>  <value name="MESSAGE">Hello error!</value>
<br>>  </values>
<br>>  </message>
<br>>  </action>
<br>>  </actions>
<br>>
<br>> I for one, would understand what this latter does without further
<br>> explanation. Provided I understood the intent, that is. :)
<br>>
<br>> Perhaps we could even drop the if- prefix too, I'm not sure.
<br>>
<br>> Any ideas or opinions?
<br>>
<br>> --
<br>> |8]
<br>>
<br>> ______________________________________________________________________________
<br>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
<br>> Documentation:
<br>> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a> FAQ:
<br>> <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
<br>>
<br><br></p>
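<p>To make the gating discussed in this thread concrete, here is an added example written for this page; it is not code from the thread, from the patch, or from syslog-ng. It is a toy correlation engine in Python: messages sharing a session id are collected into a context, and when the closing pattern (the logout line) matches, each action on the closing rule is evaluated against the context size. The <code>Action</code> class, the <code>correlate</code> function, the second (incomplete) session <code>b4r</code> and the message templates are all invented for illustration; the <code>min_messages</code>/<code>max_messages</code> attributes mirror the patch (the proposed <code>if-msg-count-ge</code>/<code>if-msg-count-le</code> names), and the <code>condition</code> callable stands in for the reply's alternative of a template function that expands to the context size combined with a numeric comparison. It assumes that the closing message itself is counted in the context when the actions run, which is how the four-message example in the thread reads, and it goes beyond the thread's example by running both a complete and an incomplete session through both styles of gate.</p>

```python
"""Toy model of the context-size gate discussed in the thread.

Messages sharing a session id are collected into a correlation context;
when the closing pattern (logout) matches, every action attached to the
closing rule is evaluated against the number of messages the context
holds. This is an illustration written for this page, not syslog-ng or
patterndb code; the attribute names follow the thread's proposals.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample input: session f00 is the complete five-message
# session from the thread; session b4r never logs the "noop" task, so
# only four messages (the logout included) are in its context at closing.
SAMPLE_LOGS = [
    'program: session=f00; login; username="user"',
    'program: session=f00; task="something"',
    'program: session=f00; status="ok"',
    'program: session=f00; task="noop"',
    'program: session=f00; logout',
    'program: session=b4r; login; username="other"',
    'program: session=b4r; task="something"',
    'program: session=b4r; status="ok"',
    'program: session=b4r; logout',
]

# Stands in for the patterndb pattern that extracts the session id
# (the context-id in patterndb terms) from each message.
SESSION_RE = re.compile(r'^(?P<program>[^:]+): session=(?P<session>\w+); (?P<rest>.*)$')


class Action:
    """One <action> of the closing rule, gated on the context size.

    min_messages / max_messages mirror the patch's attributes (proposed to
    be renamed if-msg-count-ge / if-msg-count-le in the thread). condition
    models the alternative raised in the reply: a template function that
    expands to the context size, compared with ordinary numeric operators.
    """

    def __init__(self, program: str, message: str,
                 min_messages: Optional[int] = None,
                 max_messages: Optional[int] = None,
                 condition: Optional[Callable[[int], bool]] = None) -> None:
        self.program = program
        self.message = message
        self.min_messages = min_messages
        self.max_messages = max_messages
        self.condition = condition

    def fires(self, count: int) -> bool:
        """Return True if the action should run for a context of `count` messages."""
        if self.condition is not None:
            return self.condition(count)
        if self.min_messages is not None and count < self.min_messages:
            return False
        if self.max_messages is not None and count > self.max_messages:
            return False
        return True


def correlate(lines: List[str], closing_actions: List[Action]) -> List[Tuple[str, str]]:
    """Run the lines through a minimal correlation engine and return the
    (PROGRAM, MESSAGE) pairs the closing-rule actions emit."""
    contexts: Dict[str, List[str]] = {}
    emitted: List[Tuple[str, str]] = []
    for line in lines:
        m = SESSION_RE.match(line)
        if m is None:
            continue  # no session id, so nothing to correlate
        ctx = contexts.setdefault(m['session'], [])
        ctx.append(line)  # assumption: the closing message itself is counted
        if m['rest'] == 'logout':
            count = len(ctx)
            for action in closing_actions:
                if action.fires(count):
                    emitted.append((action.program,
                                    action.message.format(session=m['session'], count=count)))
            del contexts[m['session']]  # the closing pattern ends the context
    return emitted


# Attribute form: the two actions from the thread, with the thresholds
# raised to the five-message session.
ATTRIBUTE_ACTIONS = [
    Action('event', 'session {session} complete ({count} messages)', min_messages=5),
    Action('error', 'session {session} closed with only {count} messages', max_messages=4),
]

# Condition form: the same gate written as a numeric comparison on the
# context size, which is what a context-length template function would give.
CONDITION_ACTIONS = [
    Action('event', 'session {session} complete ({count} messages)', condition=lambda n: n >= 5),
    Action('error', 'session {session} closed with only {count} messages', condition=lambda n: n <= 4),
]


if __name__ == '__main__':
    for program, message in correlate(SAMPLE_LOGS, ATTRIBUTE_ACTIONS):
        print(f'{program}: {message}')
```

<p>Run as a script it prints one <code>event</code> line for session f00 and one <code>error</code> line for session b4r; feeding <code>CONDITION_ACTIONS</code> instead gives the same output, which is the point of the reply: once the context size is available to the condition, the two attributes collapse into ordinary comparisons. The detail to verify against the real implementation before relying on such a rule is whether the closing message is counted in the context when the actions are evaluated; an off-by-one there silently turns an "incomplete session" alarm into one that never fires.</p>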
</body>
</html>