[syslog-ng] rate-limit

chris packham chris.packham at alliedtelesis.co.nz
Fri Jun 19 07:28:23 CEST 2009 

One simplistic approach would be to use the 'suppress' functionality.

e.g.:

  destination d_mail {
         program("perl /usr/local/bin/mail_log_mailsend.pl $MSG " suppress(60) );
  };

This only works if the messages were duplicates (same content from same host).
 
>>> Julien lecubin <julien.lecubin at imcce.fr> 6/19/2009 4:34 AM >>> 
hi list,

what's the best way with syslog-ng to control the number of syslog mail notifications coming from a machine  ?
I'm currently using perl script to send notification but sometime it just floods my mail (some 600 mails in 5 minutes for a single event)

I want to rate limit it to only 1 mail in 5 minute per host or message.

/etc/syslog-ng/syslog-ng.conf :
-----------------------------

[...]
destination d_mail {
       program("perl /usr/local/bin/mail_log_mailsend.pl $MSG ");
};

[...]
filter f_notify_by_mail {level(emerg,alert,crit); };

[...]
log { source(s_network); filter(f_notify_by_mail); destination(d_mail);};

mail_log_sendmail.pl
--------------------
use MIME::Lite;
while (<>)
{

# $_ contains the Log
my $body = "Mail from Syslog-ng  $_ ";
my $msg = MIME::Lite->new (
            From    =>'syslog-ng at my_domain.fr',
            To      =>'service.informatique at my_domain.fr',
            Subject =>'[SYSLOG-NG] Avertissement',
            Type    =>'multipart/related');

$msg -> attach (Type =>  'text/html',
               Data => qq {$body});

MIME::Lite->send('smtp','imap', Timeout=>60);
$msg -> send or die "Impossible to send mail!";

}

Is there's a notification_interval control (as i use in nagios) i can add in my syslog config file ? I didn't found anything in the man page (maybe i'm reading like a frog)
Anyone have any clues / examples to show ?

tks,

julien Lecubin
-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Julien LECUBIN
Institut de Mecanique Celeste et de Calcul des Ephemerides
CNRS UMR 8028 - Observatoire de Paris
77, avenue Denfert Rochereau
75014 PARIS
tel : 01.40.51.22.80
fax : 01.46.33.28.34julien.lecubin at imcce.fr | service.informatique at imcce.fr- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information about the syslog-ng mailing list