[syslog-ng] [PATCH 2/2] [dbparser] min and max message count condition in correlation actions

Gergely Nagy algernon at balabit.hu
Sat Nov 10 19:12:43 CET 2012


Evan Rempel <erempel at uvic.ca> writes:

> There is only an allowance for the two cases <=1 and >=2
>
> It might be nice to allow for multiple if-msg actions such that I could do something at 3 messages and then another at 15 messages etc.
> What I see in our logs are warnings that are correlated and repeat, and they never get to an "error" according to the application, but
> if there are more than 10 such warnings, there is a problem state. Some construct that would allow
>
> <action if_msg_count='$count ge 2'>...
> <action if_msg_count='($count % 10) eq 0'>...
>
> so that I can put an expression into the value and do actions on all
> kinds of things.

On my way home, I was thinking about something similar, encoding the
relation into the attribute name sounded wrong. I was thinking about:

<action msg_count=">= 2">, and implementing all the <, <=, ==, !=, >=, >
relations.

That's not as flexible as yours, but much easier to implement.

> All of this assumes that there is some way to keep a correlation open
> and activate multiple triggers to evaluate these actions, which may
> not be possible.

As far as I understand, in the current implementation, multiple actions
will trigger: all of those that match the pattern. But only those that
have an appropriate message count will emit a message.

(dbparser/patterndb things are still a bit fuzzy for me, I'm afraid)

-- 
|8]
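A sketch of the `msg_count=">= 2"` relation form proposed above, as an added example that is not part of the original thread or of syslog-ng's own code; the type and function names are assumed for illustration. It parses the attribute once (rejecting malformed specs at load time) and evaluates the relation against a context's message count per message.

```c
/* Added example, not syslog-ng code: parse and evaluate the proposed
 * msg_count="<relation> <n>" form, e.g. msg_count=">= 2" (names are assumed). */
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef enum { REL_INVALID, REL_LT, REL_LE, REL_EQ, REL_NE, REL_GE, REL_GT } MsgCountRel;
typedef struct { MsgCountRel rel; long value; } MsgCountCond;

/* Parse once when the pattern database is loaded. Returns false on malformed
 * input (unknown operator, missing/non-numeric count, trailing junk) so a bad
 * entry is rejected up front instead of silently matching all or no messages. */
bool msg_count_cond_parse(const char *spec, MsgCountCond *cond)
{
  /* two-character operators are listed before their one-character prefixes */
  static const struct { const char *op; MsgCountRel rel; } ops[] = {
    { "<=", REL_LE }, { ">=", REL_GE }, { "==", REL_EQ }, { "!=", REL_NE },
    { "<", REL_LT }, { ">", REL_GT },
  };
  const char *p = spec;
  char *end; size_t i, len;
  if (!spec || !cond) return false;
  cond->rel = REL_INVALID;
  while (isspace((unsigned char) *p)) p++;
  for (i = 0; i < sizeof(ops) / sizeof(ops[0]); i++) {
    len = strlen(ops[i].op);
    if (strncmp(p, ops[i].op, len) == 0) { cond->rel = ops[i].rel; p += len; break; }
  }
  if (cond->rel == REL_INVALID) return false;
  while (isspace((unsigned char) *p)) p++;
  if (!isdigit((unsigned char) *p)) return false;   /* rejects "", "-1", "x" */
  cond->value = strtol(p, &end, 10);
  while (isspace((unsigned char) *end)) end++;
  return *end == '\0';                               /* rejects trailing junk */
}

/* Evaluate per message against the correlation context's message count.
 * Returns 1 if the action should fire, 0 if not, -1 if spec is invalid. */
int msg_count_check(const char *spec, long count)
{
  MsgCountCond cond;
  if (!msg_count_cond_parse(spec, &cond)) return -1;
  switch (cond.rel) {
    case REL_LT: return count <  cond.value;
    case REL_LE: return count <= cond.value;
    case REL_EQ: return count == cond.value;
    case REL_NE: return count != cond.value;
    case REL_GE: return count >= cond.value;
    default:     return count >  cond.value;   /* REL_GT */
  }
}
```

Note that the richer expression form from the quoted mail (`($count % 10) eq 0`) is deliberately not accepted by this parser; it returns -1 for it, which is the trade-off the reply describes.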