On Tue, 2002-12-31 at 15:11, Aaron Jackson wrote:
Ben Russo wrote:
There are a few ways to look at this problem...
1. The box sending the messages. Do the 16,000,000 messages all have the same facility.priority? Traditional syslog on Solaris can only decide what to send based on facility and priority (and maybe the "tag", IIRC). So you may or may not be able to filter them at the sending side, depending on whether the facility.priority of the messages is unique to what you want to filter.
They are actually 16 million copies of the same message. I would like one to be recorded, but not all 16 million. If I get one, I could trigger an alarm (actually, the network monitoring people could do something if that message appears). The sending machine is running syslog-ng, so I was hoping that I could stop it from writing all the messages to local disk and sending them across the network. I suppose I could use a match rule to trigger an alarm and to filter out the messages, but the NOC people may not like that.
Then you could have syslog-ng filter out these messages based on a match(message text). Then have those go to a pipe destination on the local box to which a logsurfer process is running (search Google for logsurfer). Then you could configure logsurfer to handle the flow of the messages based on the quantity and reinsert them to the syslog-ng on the local host using logger, but with a different message text (like maybe with the number of messages received per 5 seconds?).

-Ben.
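
An added example, not part of the original thread and not logsurfer itself: a Python stand-in for the counting step described above, which collapses identical lines read from the pipe into one summary per 5-second window and reinserts it with logger. It assumes the pipe carries only the message text (no timestamp header); the tag `flood-summary`, the priority `daemon.warning` and the sample lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Added example: per-window duplicate counter fed from a syslog-ng pipe."""
import hashlib
import subprocess
import sys
import time

WINDOW = 5  # seconds, the interval suggested in the thread

# Constructed sample: (arrival time in seconds, message text)
FLOOD = "hme0: link down (constructed sample)"
SAMPLE = [(100.0, FLOOD), (101.2, FLOOD), (104.9, FLOOD),
          (105.0, FLOOD), (106.0, "other message"), (111.0, FLOOD)]


def summarize(events, window=WINDOW):
    """Yield (window_start, text, count) once per distinct text per window."""
    bucket, counts = None, {}
    for ts, text in events:
        b = int(ts // window) * window
        if bucket is not None and b != bucket:
            # A line from a later window arrived: flush the finished window.
            for msg, n in counts.items():
                yield bucket, msg, n
            counts = {}
        bucket = b
        counts[text] = counts.get(text, 0) + 1
    # End of input: flush whatever is left in the last window.
    for msg, n in counts.items():
        yield bucket, msg, n


def format_summary(text, count, window=WINDOW):
    """The summary must NOT contain the original text, or the sender's
    match() filter would route it back into the pipe and loop."""
    ident = hashlib.sha1(text.encode()).hexdigest()[:8]
    return "flood summary: %d copies in %ds, id=%s" % (count, window, ident)


if __name__ == "__main__":
    # stdin is the FIFO written by the pipe destination. A window is flushed
    # when the first line of a later window arrives, or at end of input.
    live = ((time.time(), line.rstrip("\n")) for line in sys.stdin)
    for _, text, count in summarize(live):
        subprocess.run(["logger", "-t", "flood-summary", "-p",
                        "daemon.warning", format_summary(text, count)],
                       check=False)
```

Because a window is only flushed when a later line arrives, a flood that stops abruptly leaves its last count pending until the next message or end of input.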