<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<pre style="word-wrap:break-word; font-size:10.0pt; font-family:Tahoma; color:black">Well, what you are asking isn't achievable with syslog-ng itself. We do this at our site, but we have built an infrastructure around syslog-ng that passes classified events (at first it is a syslog message) to programs which create other events that get passed via syslog-ng to other programs that finally create e-mail, tickets, jabber, SMS, twitter and IP phone alerts.
What you want to do is a great idea, you just need more than syslog-ng to accomplish it.
Evan
Anton Koldaev &lt;koldaevav@gmail.com&gt; wrote:
</pre>
<div>
<div dir="ltr">Could you please give an example of using the 'context-length' condition?
<div style="">I wonder if I can use it for sending an alert to a monitoring system when more than 'N' exceptions per 'T' seconds are sent by my app hosts.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sun, Apr 14, 2013 at 5:30 AM, Evan Rempel <span dir="ltr">
&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
As of 2 days ago a new syslog-ng guide was published that now documents this :-)<br>
<br>
Slightly different syntax<br>
<br>
&lt;action condition='"$(context-length)" &gt;= "$max"'&gt;<br>
<br>
Works like a charm.<br>
<br>
Also, it isn't specified that &lt;tag&gt;xxx&lt;/tag&gt; can be in the &lt;message&gt; part of an action.<br>
<br>
syslog-ng never stops amazing me.<br>
<br>
Evan.<br>
________________________________________<br>
From: <a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a> [<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>] on behalf of Gergely Nagy [<a href="mailto:algernon@balabit.hu">algernon@balabit.hu</a>]<br>
Sent: Saturday, April 13, 2013 5:32 AM<br>
To: Syslog-ng users' and developers' mailing list<br>
Subject: Re: [syslog-ng] min and max message count condition in correlation actions<br>
<div class="HOEnZb">
<div class="h5"><br>
Evan Rempel &lt;<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>&gt; writes:<br>
<br>
> so the syntax would be<br>
><br>
> &lt;action condition="$(context-length) == $num"&gt;<br>
><br>
> where $num is some macro from the pattern used to match a line.<br>
><br>
> Is that correct?<br>
<br>
$num can be pretty much anything: a number, a macro, another template<br>
function - it is entirely up to you. It does not need to be extracted<br>
from the pattern, but that should work too.<br>
<br>
--<br>
|8]<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Best regards,<br>
Koldaev Anton </div>
</div>
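A pattern database rule using the 'context-length' condition discussed in this thread, as an added example that is not part of the original messages or of the syslog-ng documentation. The program name, match pattern, ids, tag name, and the N=5 / T=60 values are constructed assumptions; delivering the generated event to e-mail, tickets or a monitoring system still needs a destination outside the pattern database, as the first reply notes.

```xml
<!-- Added example: count "Exception" lines per host and emit one
     tagged event once N=5 of them are in the same context.
     All names, ids and thresholds below are constructed. -->
<patterndb version='4' pub_date='2013-04-14'>
  <ruleset name='myapp' id='00000000-0000-0000-0000-000000000001'>
    <patterns>
      <!-- Matched against the program name of the message (assumed: myapp) -->
      <pattern>myapp</pattern>
    </patterns>
    <rules>
      <!-- context-scope='host' keeps one context per sending host;
           context-timeout is the number of seconds the context is stored (T=60) -->
      <rule provider='example' class='violation'
            id='00000000-0000-0000-0000-000000000002'
            context-id='myapp-exceptions'
            context-scope='host'
            context-timeout='60'>
        <patterns>
          <pattern>Exception @ANYSTRING:exception.detail@</pattern>
        </patterns>
        <actions>
          <!-- trigger='match' evaluates the condition on every matching message;
               rate='1/60' caps the generated events at one per 60 seconds
               so the alert does not repeat for each further exception -->
          <action trigger='match' rate='1/60'
                  condition='"$(context-length)" >= "5"'>
            <message>
              <values>
                <value name='MESSAGE'>myapp on $HOST logged $(context-length) exceptions within the correlation window</value>
              </values>
              <tags>
                <!-- Tag a downstream filter can select on (constructed name) -->
                <tag>exception-burst</tag>
              </tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```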
</body>
</html>