I'm running syslog-ng 1.4.14. I'm running Netbackup and I'm having certain messages paged out to certain people. Is there a way to have a filter use conditional logic? I.e.:

Here are the messages I'm interested in:

Jan 15 12:47:25 linen/linen tldd[25799]: [ID 992021 daemon.notice] TLD(0) MountTape CVG121 on drive 5, from slot 20 5
Jan 15 12:47:45 linen/linen tldd[26280]: [ID 302958 daemon.notice] TLD(0) open failed in io_open, I/O error

What I would like to do is have the Mount Tape matched and if it fails page someone. If it passes, just continue on. Any ideas?

Jesse Keefe
Analyst
Convergys Corp
jesse.keefe@convergys.com on Tue, Jan 15, 2002 at 01:55:26PM -0500:

Hi Jesse,

> What I would like to do is have the Mount Tape matched and if it fails page someone. If it passes, just continue on. Any ideas?

Yes, simply combine two conditions in one filter statement. Such as:

    filter f_tload { match("MountTape") and match("failed"); };

Then use this filter for the log-statement sending to your program destination that does the paging for you.

Regards,
--
Gregor Binder <gb@(rootnexus.net|sysfive.com)>
Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
You know, I almost submitted the same solution, but looking at his sample log entries, it appears the failed message is a second or subsequent message without the MountTape portion.

Some conditional type logic could be very beneficial though. Like, I am currently logging some PIX firewalls. I would eventually like to set up the filters so it emails or pages based on certain messages, but not necessarily every message of the same matching expression. Like DENY messages for instance. It would be great to get paged when the same host repeatedly gets a DENY to the same resource. One or two attempts at the same resource could very easily be accidental in one way or another, but repeated attempts at the same resource from the same host might deserve a little more attention.

David Monk
CCNA, MCSE
david@purplebear.net
David Monk on Tue, Jan 15, 2002 at 01:25:11PM -0600:

Hi David,

> It would be great to get paged when the same host repeatedly gets a DENY to the same resource. One or two attempts at the same resource could very easily be accidental in one way or another, but repeated attempts at the same resource from the same host might deserve a little more attention.

I think you will always have to implement this sort of logic with log analysis tools. I don't think syslog-ng is headed to become one, and I appreciate this, too. Doing one job very well. syslog-ng is my favorite log "sink" ... any analysis to be done with the resulting files is done with appropriate other tools. Try swatch, logsurfer et al.

Regards,
--
Gregor Binder <gb@(rootnexus.net|sysfive.com)>
Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
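
The case raised in this thread, a MountTape line followed by a separate "open failed" line, needs state kept across messages, which a single match() filter cannot hold. The following is an added example, not part of any poster's message and not syslog-ng code: a small Python correlator of the kind that could sit behind a syslog-ng program or file destination. The 60-second window, the name correlate and the sample lines (modelled on the two lines quoted above, the last two constructed) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Shape of the tldd lines quoted in the thread: time, host, "TLD(n) <text>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) tldd\[\d+\]: "
    r"\[ID \d+ \S+\] (?P<robot>TLD\(\d+\)) (?P<text>.*)$")
MOUNT_RE = re.compile(r"MountTape (?P<media>\S+) on drive (?P<drive>\d+)")
WINDOW = timedelta(seconds=60)  # assumed correlation window; tune per site

def correlate(lines, year=2002):
    """Alert on each 'open failed' that follows a MountTape from the same
    host and robot within WINDOW. Syslog timestamps carry no year, so the
    caller supplies one."""
    pending = {}  # (host, robot) -> (mount time, media id, drive)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["robot"])
        mount = MOUNT_RE.search(m["text"])
        if mount:
            pending[key] = (ts, mount["media"], mount["drive"])
        elif "open failed" in m["text"] and key in pending:
            t0, media, drive = pending.pop(key)
            if ts - t0 <= WINDOW:
                alerts.append(f"{key[0]} {key[1]}: mount of {media} on "
                              f"drive {drive} failed: {m['text']}")
    return alerts

# Modelled on the lines quoted in the thread; the last two are constructed.
SAMPLE = [
    "Jan 15 12:47:25 linen/linen tldd[25799]: [ID 992021 daemon.notice] "
    "TLD(0) MountTape CVG121 on drive 5, from slot 20",
    "Jan 15 12:47:45 linen/linen tldd[26280]: [ID 302958 daemon.notice] "
    "TLD(0) open failed in io_open, I/O error",
    "Jan 15 13:02:10 linen/linen tldd[26301]: [ID 992021 daemon.notice] "
    "TLD(0) MountTape CVG122 on drive 3, from slot 21",
    "Jan 15 13:30:00 linen/linen tldd[26377]: [ID 302958 daemon.notice] "
    "TLD(0) open failed in io_open, I/O error",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Only the first mount/failure pair produces an alert; the second failure arrives well outside the window and is dropped rather than blamed on the earlier mount.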