[syslog-ng] [PATCH 2/2] [dbparser] min and max message count condition in correlation actions

Gergely Nagy algernon at balabit.hu
Sat Nov 10 16:36:50 CET 2012


balint.kovacs at balabit.com writes:

> It was quite unintuitive to determine if a previous message exists in
> the correlation context as the basis of the decision whether an action
> should be run or not. This patch adds support for the min-messages and
> max-messages attributes of the action XML node; the action is run only
> if the correlation context contains more or equal messages as the
> min-messages attribute and less or equal messages as the max-messages
> attribute.
>
> This way it is easy to determine if a context contains a sufficient
> number of messages for the event to be complete and run a different
> action if it is not, e.g. if 2 messages are needed for an event,
> this should emit an event message if there are enough messages and
> an error message if not.

Now this was confusing at first (and even after in-person explanation,
it is still a bit hard to wrap my head around it based on this
description). The naming is bad, sorry!

Just to clarify it to myself, what happens here, is that the patch
introduces two new attributes for the action tag. Since I can't explain
what they accomplish too well yet, I'd like to use an example:

Let's suppose we have an event we want to correlate from at least five
messages:

program: session=f00; login; username="user"
program: session=f00; task="something"
program: session=f00; status="ok"
program: session=f00; task="noop"
program: session=f00; logout

We want to make sure that whenever a correlation action fires, we have
all five messages (and we'll assume that the five messages we have are
the correct ones): for that, there's the new min-messages
attribute. When set to 5, it will only emit a message when there are
five or more messages in the context. Add this action to the closing
pattern, and mission accomplished.

It is most useful for closing patterns, but there's probably use case
for using it elsewhere too.

And to detect errors, we need a way to emit a message when we receive a
closing pattern, but don't have enough messages: that's what
max-messages does.

Let's say that the noop task did not happen, so when the logout message
arrives, we only have four messages in the context. If max-messages is
set to 4, then the action will trigger.

I find the naming unintuitive, though, it's kind of backwards...

How about if-msg-count-ge (min-messages) and if-msg-count-le
(max-messages)? I think that would make it slightly easier to understand
what they're used for.

Transforming your example, this:

>    <actions>
>      <action min-messages='2'>
>        <message>
>          <values>
>            <value name="PROGRAM">event</value>
>            <value name="MESSAGE">Hello event!</value>
>          </values>
>        </message>
>      </action>
>      <action max-messages='1'>
>        <message>
>          <values>
>            <value name="PROGRAM">error</value>
>            <value name="MESSAGE">Hello error!</value>
>          </values>
>        </message>
>      </action>
>    </actions>

...would turn into:

     <actions>
       <action if-msg-count-ge='2'>
         <message>
           <values>
             <value name="PROGRAM">event</value>
             <value name="MESSAGE">Hello event!</value>
           </values>
         </message>
       </action>
       <action if-msg-count-le='1'>
         <message>
           <values>
             <value name="PROGRAM">error</value>
             <value name="MESSAGE">Hello error!</value>
           </values>
         </message>
       </action>
     </actions>

I, for one, would understand what this latter does without further
explanation. Provided I understood the intent, that is. :)

Perhaps we could even drop the if- prefix too, I'm not sure.

Any ideas or opinions?

-- 
|8]
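As an added illustration (not code from the patch or from syslog-ng itself), the Python below parses an <actions> block like the one above and applies the rule the patch describes: an action fires only when the context holds at least min-messages and at most max-messages messages. It accepts both the patch's attribute names and the renames proposed in this reply, so the two spellings can be checked side by side; the XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two-action block from the patch description.
ACTIONS_XML = """
<actions>
  <action min-messages='2'>
    <message><values>
      <value name="PROGRAM">event</value>
      <value name="MESSAGE">Hello event!</value>
    </values></message>
  </action>
  <action max-messages='1'>
    <message><values>
      <value name="PROGRAM">error</value>
      <value name="MESSAGE">Hello error!</value>
    </values></message>
  </action>
</actions>
"""

# Constructed sample: the five-message session scenario, written with the
# renamed attributes proposed in the reply (if-msg-count-ge / if-msg-count-le).
SESSION_ACTIONS_XML = """
<actions>
  <action if-msg-count-ge='5'><message><values>
    <value name="PROGRAM">session-complete</value></values></message></action>
  <action if-msg-count-le='4'><message><values>
    <value name="PROGRAM">session-incomplete</value></values></message></action>
</actions>
"""

# Patch name first, proposed rename second; either spelling is honoured.
MIN_ATTRS = ("min-messages", "if-msg-count-ge")
MAX_ATTRS = ("max-messages", "if-msg-count-le")

def _attr(action, names, default):
    for n in names:
        if n in action.attrib:
            return int(action.attrib[n])
    return default

def action_fires(action, msg_count):
    """True when min-messages <= msg_count <= max-messages (missing bound = unbounded)."""
    lo = _attr(action, MIN_ATTRS, 0)
    hi = _attr(action, MAX_ATTRS, None)
    return msg_count >= lo and (hi is None or msg_count <= hi)

def fired_programs(actions_xml, msg_count):
    """PROGRAM value of every action that fires for a context of msg_count messages."""
    root = ET.fromstring(actions_xml)
    return [a.find("./message/values/value[@name='PROGRAM']").text
            for a in root.findall("action") if action_fires(a, msg_count)]
```

With two messages in the context only the "event" action fires; with one, only the "error" action, which is the either/or behaviour the patch is after.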
