[syslog-ng] patterndb action rate limiting

Evan Rempel erempel at uvic.ca
Mon Nov 28 19:44:30 CET 2011


The patterndb has a great feature for limiting the rate that actions are executed.
The rate limit needs to have a scope within which to count the action events that will
in turn determine when the limit has been reached and throttling is to occur.

The problem with the current patterndb format is that the context is defined in
the rule, which means that I can NOT have different rate contexts for multiple
actions for the same rule :-(

Am I misreading the patterndb specification?

Another not is that I have a case where I want to rate limit an action based
on the rule ID. In my case I don't care about which host or process, or process ID
the message came from.

I know that Balazs will ask for a use case to determine if I am "insane" or
if this context-scope of MESSAGE will be of general use.

What I am trying to do is determine which patterns are being matched.
I would like to generate an action for every match and feed that to a program
that will record the date/time that the matching pattern last matched a message.

If the pattern has not seen a match for a year, then I can (and probably should)
remove it from my pattern database.

I don't want my program to have to deal with a rule_id for *every* match.
I could safely throttle the matched information to 1 every 10 minutes, or perhaps every
hour. That would still let me know if a pattern is "active" and should be kept in
the pattern database.

Does this sound reasonable (or am I really insane :-) ?

Evan.


More information about the syslog-ng mailing list