On 2013-04-16, Gergely Nagy wrote:
Anton Koldaev <koldaevav@gmail.com> writes:
Balabit guys: any way to force it not to drop messages by rate, but execute an action instead? (For example: execute log() if rate >= 10/60s)
I'd love to teach syslog-ng to do that, but that needs quite a bit of work, and isn't likely to happen anytime soon, I'm afraid. (Unless I'm missing something, but I find that unlikely.)
In the meantime - this is trivial to do with SEC[1] (Simple Event Correlator). The man page[2] is quite a good source of documentation, but I highly recommend reading this great two[3] part[4] article "Working with SEC", where you'll see examples of how to make SEC do exactly what OP wants. Namely:

type=SingleWithThreshold
ptype=RegExp
pattern=foo bar baz=(\S+)
desc=$0
action=shellcmd /bin/echo -e "foo baz=$1 above 3/10s" | mail admin@example
window=10
thresh=3

or, if you want "high" and "low" thresholds:

type=SingleWith2Thresholds
ptype=RegExp
pattern=foo bar baz=(\S+)
desc=$0 high
action=shellcmd /bin/echo -e "foo baz=$1 above 3/10s" | mail admin@example
window=10
thresh=3
desc2=$0 low
action2=shellcmd /bin/echo -e "foo baz=$1 stopped" | mail admin@example
window2=120
thresh2=0

Hope this helps.

Cheers,
Jakub.

[1] http://simple-evcorr.sourceforge.net/
[2] http://simple-evcorr.sourceforge.net/man.html
[3] http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html
[4] http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html

--
Jakub Jankowski|shasta@toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
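An added example, not part of the original message and not SEC's own code: a simplified Python model of the counting that the first rule (SingleWithThreshold, window=10, thresh=3) asks for, run over constructed log lines. It assumes SEC keys each counter by the desc value (here the whole line, $0), fires the action once when the threshold is reached, ignores further matches until that window ends, and slides the window forward when it expires below the threshold; the function and variable names are hypothetical.

```python
import re
from collections import defaultdict, deque

PATTERN = re.compile(r"foo bar baz=(\S+)")  # pattern= from the rule above
WINDOW, THRESH = 10, 3                      # window=10, thresh=3

def correlate(events, window=WINDOW, thresh=THRESH):
    """events: (epoch_seconds, line) pairs in time order.
    Returns one (time, baz) alert per window in which thresh was reached."""
    times = defaultdict(deque)  # key -> match timestamps in the open window
    muted_until = {}            # key -> end of the window that already alerted
    alerts = []
    for ts, line in events:
        m = PATTERN.search(line)
        if not m:
            continue
        key = line              # assumption: desc=$0 makes the whole line the key
        if key in muted_until:
            if ts < muted_until[key]:
                continue        # action already ran in this window: ignore
            del muted_until[key]
        q = times[key]
        q.append(ts)
        # Slide the window: forget matches older than `window` seconds.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= thresh:
            alerts.append((ts, m.group(1)))  # where the rule would run action=
            muted_until[key] = q[0] + window
            q.clear()
    return alerts

# Constructed sample input (seconds since start, log line).
SAMPLE = [
    (0, "foo bar baz=a"), (2, "foo bar baz=b"), (4, "foo bar baz=a"),
    (6, "foo bar baz=a"),    # third "a" within 10s: alert
    (8, "foo bar baz=a"),    # same window, already alerted: ignored
    (20, "foo bar baz=b"), (25, "foo bar baz=b"),
    (31, "foo bar baz=b"),   # window from t=20 expired at 2 matches, slides to 25
    (33, "foo bar baz=b"),   # 25, 31, 33 fall inside 10s: alert
    (40, "unrelated line"),
]

if __name__ == "__main__":
    for ts, baz in correlate(SAMPLE):
        print(f"t={ts}: foo baz={baz} above {THRESH}/{WINDOW}s")
```

Because the key is the whole line, input lines that differ in any field (for example an embedded timestamp) are counted separately in this model.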