[syslog-ng] [PATCH 2/2] [dbparser] min and max message count condition in correlation actions
balint.kovacs at balabit.com
Fri Nov 9 15:28:21 CET 2012
From: Balint Kovacs <blint at blint.hu>
It was quite unintuitive to determine if a previous message exists in
the correlation context as the basis of the decision whether an action
should be run or not. This patch adds support for the min-messages and
max-messages attributes of the action XML node; the action is run only
if the correlation context contains at least as many messages as the
min-messages attribute and at most as many messages as the max-messages
attribute.

This way it is easy to determine if a context contains a sufficient
number of messages for the event to be complete and run a different
action if it does not, e.g. if 2 messages are needed for an event,
this should emit an event message if there are enough messages and
an error message if not.
  <actions>
    <action min-messages='2'>
      <message>
        <values>
          <value name="PROGRAM">event</value>
          <value name="MESSAGE">Hello event!</value>
        </values>
      </message>
    </action>
    <action max-messages='1'>
      <message>
        <values>
          <value name="PROGRAM">error</value>
          <value name="MESSAGE">Hello error!</value>
        </values>
      </message>
    </action>
  </actions>
Signed-off-by: Balint Kovacs <blint at blint.hu>
---
modules/dbparser/patterndb-int.h | 2 ++
modules/dbparser/patterndb.c | 10 +++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules/dbparser/patterndb-int.h b/modules/dbparser/patterndb-int.h
index 154b686..9c1385e 100644
--- a/modules/dbparser/patterndb-int.h
+++ b/modules/dbparser/patterndb-int.h
@@ -122,6 +122,8 @@ enum
typedef struct _PDBAction
{
FilterExprNode *condition;
+ guint32 min_messages;
+ guint32 max_messages;
guint8 trigger;
guint8 content_type;
guint16 rate;
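Review bot: The new min_messages and max_messages fields in PDBAction have no comment saying that 0 means "no bound", which is how pdb_rule_run_actions interprets them (`action->max_messages == 0 || ...`). Please document that sentinel next to the declarations, and note that it makes an explicit max-messages='0' indistinguishable from the attribute being absent.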
diff --git a/modules/dbparser/patterndb.c b/modules/dbparser/patterndb.c
index 168a24c..715fb4a 100644
--- a/modules/dbparser/patterndb.c
+++ b/modules/dbparser/patterndb.c
@@ -410,6 +410,8 @@ pdb_action_new(gint id)
self->content_type = RAC_NONE;
self->id = id;
self->inherit_nvpairs = FALSE;
+ self->min_messages = 0;
+ self->max_messages = 0;
return self;
}
@@ -557,7 +559,9 @@ pdb_rule_run_actions(PDBRule *self, gint trigger, PatternDB *db, PDBContext *con
if ((!action->condition ||
(!context || filter_expr_eval_with_context(action->condition, (LogMessage **) context->messages->pdata, context->messages->len))) &&
- pdb_rule_check_rate_limit(self, db, action, msg, buffer))
+ (action->min_messages == 0 || action->min_messages <= context->messages->len) &&
+ (action->max_messages == 0 || action->max_messages >= context->messages->len) &&
+ pdb_rule_check_rate_limit(self, db, action, msg, buffer))
{
switch (action->content_type)
{
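Review bot: The two added clauses in pdb_rule_run_actions read `context->messages->len` unconditionally, while the condition test directly above them is guarded with `!context ||`, so context can be NULL at this point. An action that sets min-messages or max-messages and runs without a correlation context would dereference NULL and crash the parser. Suggest computing the message count once before the if, with a defined value when context is NULL, or guarding both new clauses with `!context ||` in the same way as the condition test.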
@@ -958,6 +962,10 @@ pdb_loader_start_element(GMarkupParseContext *context, const gchar *element_name
pdb_action_set_condition(state->current_action, state->cfg, attribute_values[i], error);
else if (strcmp(attribute_names[i], "rate") == 0)
pdb_action_set_rate(state->current_action, attribute_values[i]);
+ else if (strcmp(attribute_names[i], "min-messages") == 0)
+ state->current_action->min_messages = atoi(attribute_values[i]);
+ else if (strcmp(attribute_names[i], "max-messages") == 0)
+ state->current_action->max_messages = atoi(attribute_values[i]);
}
state->in_action = TRUE;
}
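Review bot: In pdb_loader_start_element the min-messages and max-messages values go through atoi() straight into guint32 fields with no validation. A non-numeric value silently becomes 0, which the run-time check treats as "no bound", and a negative value wraps to a large unsigned number, so a typo in the pattern database disables or inverts the condition without any diagnostic. Suggest parsing with strtoul or g_ascii_strtoull, checking the end pointer and the range, reporting failures through the `error` argument that pdb_action_set_condition already receives, and rejecting a min-messages value greater than max-messages when both are set.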
--
1.7.9.5