[syslog-ng] Overzealous syslog-ng problem

Ben Russo ben@umialumni.com
02 Jan 2003 14:24:34 -0500


On Tue, 2002-12-31 at 15:11, Aaron Jackson wrote:
> Ben Russo wrote:
> 
> >There are a few ways to look at this problem...
> >
> >1. The box sending the messages..
> >	Do the 16,000,000 messages all have the same facility.priority?
> >	traditional syslog on solaris can only decide what to send based
> >	on facility and priority (and maybe the "tag" IIRC).
> >	So you may or may not be able to filter them at the sending side
> >	depending on whether the facility.priority of the messages is 
> >	unique to what you want to filter.
> >  
> >
> 
> They are actually 16 million copies of the same message.  I would like 
> one to be recorded, but not all 16 million.  If I get one, I could 
> trigger an alarm (actually, the network monitoring people could do 
> something if that message appears).  The sending machine is running 
> syslog-ng, so I was hoping that I could stop it from writing all the 
> messages to local disk and sending them across the network.  I suppose I 
> could use a match rule to trigger an alarm and to filter out the 
> messages, but the noc people may not like that.

Then you could have syslog-ng filter out these messages based on a 
match(message text).
Then have those go to a pipe destination on the local box on which
a logsurfer process is running (search google for logsurfer).
Then you could configure logsurfer to handle the flow of the messages
based on the quantity and reinsert them into the syslog-ng on the local
host using logger, but with a different message text (like maybe with the
number of messages received per 5 seconds?).

-Ben.
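The flow Ben sketches (syslog-ng matches the flood, hands it to a pipe, a watcher counts the copies and reinjects a summary with logger) as an added example; this is not code from the thread or from logsurfer, but a small Python stand-in for the logsurfer role. The syslog-ng filter/pipe wiring in the comment, the message text "link down on eth0", the pipe path, the logger tag and the local0.warning priority are all assumptions chosen for illustration; the 5-second window is the figure from Ben's reply.

```python
#!/usr/bin/env python3
"""Stand-in for the logsurfer role: read the matched messages from a pipe,
let the first copy of each message through unchanged, and replace the
repeats with one summary line per window (added example, not from the thread)."""
import re
import subprocess
import sys
import time
from collections import Counter

# Assumed syslog-ng wiring that feeds this script (hypothetical, not from the thread):
#   filter f_flood { match("link down on eth0"); };
#   destination d_flood { pipe("/var/run/flood.pipe"); };
#   log { source(s_local); filter(f_flood); destination(d_flood); flags(final); };
# flags(final) keeps the matched copies out of the normal file/network destinations.

WINDOW = 5.0  # seconds; the "per 5 seconds" figure from Ben's suggestion

# Assumed traditional syslog line layout: "<timestamp> <host> <tag>: <text>".
# Only the part after the host is compared, so differing timestamps do not defeat dedup.
_LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<rest>.*)$')


def message_key(line):
    """Return the part of a syslog line that identifies 'the same message'."""
    m = _LINE_RE.match(line)
    return m.group('rest') if m else line


class Squelch:
    """Pass the first copy of a message in a window; count the rest and summarise."""

    def __init__(self, window=WINDOW, emit=print, now=time.monotonic):
        self.window = window
        self.emit = emit          # where output goes: print, reinject, or a list for tests
        self.now = now            # clock, injectable so the logic can be tested offline
        self.window_start = None
        self.seen = Counter()

    def feed(self, line):
        t = self.now()
        if self.window_start is None:
            self.window_start = t
        elif t - self.window_start >= self.window:
            self.flush()
            self.window_start = t
        key = message_key(line)
        self.seen[key] += 1
        if self.seen[key] == 1:
            self.emit(line)       # first copy goes through untouched, so the NOC still sees it

    def flush(self):
        """Emit one summary per flooded message and start a fresh window."""
        for key, n in self.seen.items():
            if n > 1:
                # Different text from the original on purpose: the summary must not
                # match the syslog-ng filter again, or it would loop back into this pipe.
                self.emit("flood-summary: %d copies of %r suppressed in %.0fs"
                          % (n - 1, key, self.window))
        self.seen.clear()
        self.window_start = None


def reinject(text, tag="floodsquelch", priority="local0.warning"):
    """Hand a line back to the local syslogd via logger(1) (tag/priority are assumptions)."""
    subprocess.run(["logger", "-t", tag, "-p", priority, text], check=False)


if __name__ == "__main__":
    # Usage: floodsquelch.py /var/run/flood.pipe   (or feed lines on stdin)
    # Note: the window only advances when a line arrives; a quiet pipe holds the
    # last summary until the next message or EOF, which is acceptable for a flood.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    sq = Squelch(emit=reinject)
    for raw in src:
        sq.feed(raw.rstrip("\n"))
    sq.flush()
```

Because `emit` and `now` are injectable, the counting logic can be exercised with constructed lines and a fake clock before it is pointed at a live pipe; in production `emit=reinject` sends the first copy and the summaries back through logger with a tag the NOC can alert on.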