[syslog-ng] [PATCH 2/2] [dbparser] min and max message count condition in correlation actions

Balazs Scheidler bazsi77 at gmail.com
Sun Nov 11 07:50:53 CET 2012


hi,

what about introducing a template function that expands to the number of elements in the context?

that way the condition could use that together with numeric comparisons that are already available.

----- Original message -----
> balint.kovacs at balabit.com writes:
>
> > It was quite unintuitive to determine if a previous message exists in
> > the correlation context as the basis of the decision whether an action
> > should be run or not. This patch adds support for the min-messages and
> > max-messages attributes of the action XML node; the action is run only
> > if the correlation context contains more or equal messages as the
> > min-messages attribute and less or equal messages as the max-messages
> > attribute.
> >
> > This way it is easy to determine if a context contains sufficient
> > amount of messages for the event to be complete and run a different
> > action if it is not, e.g. if 2 messages are needed for an event,
> > this should emit an event message if there are enough messages and
> > an error message if not.
>
> Now this was confusing at first (and even after in-person explanation,
> it is still a bit hard to wrap my head around it based on this
> description). The naming is bad, sorry!
>
> Just to clarify it to myself, what happens here, is that the patch
> introduces two new attributes for the action tag. Since I can't explain
> what they accomplish too well yet, I'd like to use an example:
>
> Let's suppose we have an event we want to correlate from at least five
> messages:
>
> program: session=f00; login; username="user"
> program: session=f00; task="something"
> program: session=f00; status="ok"
> program: session=f00; task="noop"
> program: session=f00; logout
>
> We want to make sure that whenever a correlation action fires, we have
> all five messages (and we'll assume that the five messages we have are
> the correct ones): for that, there's the new min-messages
> attribute. When set to 5, it will only emit a message when there are
> five or more messages in the context. Add this action to the closing
> pattern, and mission accomplished.
>
> It is most useful for closing patterns, but there's probably a use case
> for using it elsewhere too.
>
> And to detect errors, we need a way to emit a message when we receive a
> closing pattern, but don't have enough messages: that's what
> max-messages does.
>
> Let's say that the noop task did not happen, so when the logout message
> arrives, we only have four messages in the context. If max-messages is
> set to 4, then the action will trigger.
>
> I find the naming unintuitive, though, it's kind of backwards...
>
> How about if-msg-count-ge (min-messages) and if-msg-count-le
> (max-messages)? I think that would make it slightly easier to understand
> what they're used for.
>
> Transforming your example, this:
>
> >           <actions>
> >               <action min-messages='2'>
> >                   <message>
> >                       <values>
> >                           <value name="PROGRAM">event</value>
> >                           <value name="MESSAGE">Hello event!</value>
> >                       </values>
> >                   </message>
> >               </action>
> >               <action max-messages='1'>
> >                   <message>
> >                       <values>
> >                           <value name="PROGRAM">error</value>
> >                           <value name="MESSAGE">Hello error!</value>
> >                       </values>
> >                   </message>
> >               </action>
> >           </actions>
>
> ...would turn into:
>
>           <actions>
>               <action if-msg-count-ge='2'>
>                   <message>
>                       <values>
>                           <value name="PROGRAM">event</value>
>                           <value name="MESSAGE">Hello event!</value>
>                       </values>
>                   </message>
>               </action>
>               <action if-msg-count-le='1'>
>                   <message>
>                       <values>
>                           <value name="PROGRAM">error</value>
>                           <value name="MESSAGE">Hello error!</value>
>                       </values>
>                   </message>
>               </action>
>           </actions>
>
> I for one, would understand what this latter does without further
> explanation. Provided I understood the intent, that is. :)
>
> Perhaps we could even drop the if- prefix too, I'm not sure.
>
> Any ideas or opinions?
>
> --
> |8]
>
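To make the min-messages / max-messages semantics discussed in this thread concrete, here is an added toy model (not syslog-ng code) that groups the five-message session from the example into a correlation context, fires the actions on the closing `logout` pattern, and shows the "event" action firing for a complete session while the "error" action fires for a session that lost its noop task. The `Action`, `correlate` and `run_thread_example` names and the second `f01` session are constructed for this illustration; the count `len(ctx)` is the value that the template function proposed above would expose to a numeric condition.

```python
"""Toy model of patterndb correlation actions with message-count conditions.
Not syslog-ng's implementation; a constructed illustration of the thread."""
import re
from dataclasses import dataclass
from typing import Optional

SESSION_RE = re.compile(r"session=(\w+);")


@dataclass
class Action:
    program: str
    message: str
    min_messages: int = 0               # min-messages / if-msg-count-ge
    max_messages: Optional[int] = None  # max-messages / if-msg-count-le

    def applies(self, count: int) -> bool:
        """Run only if min <= count <= max (max unbounded when None)."""
        if count < self.min_messages:
            return False
        return self.max_messages is None or count <= self.max_messages


def correlate(lines, closing, actions):
    """Collect lines into per-session contexts; when the closing pattern
    arrives, run every action whose message-count condition holds and
    close the context. Returns (program, message, count) tuples."""
    contexts, emitted = {}, []
    for line in lines:
        m = SESSION_RE.search(line)
        if not m:
            continue  # not part of any correlation context
        ctx = contexts.setdefault(m.group(1), [])
        ctx.append(line)
        if closing in line:
            n = len(ctx)  # what a "context length" template function would yield
            emitted.extend((a.program, a.message, n) for a in actions if a.applies(n))
            del contexts[m.group(1)]
    return emitted


# Constructed input: the five-message session from the thread, plus a copy
# (session f01) in which the noop task never happened.
FULL_SESSION = [
    'program: session=f00; login; username="user"',
    'program: session=f00; task="something"',
    'program: session=f00; status="ok"',
    'program: session=f00; task="noop"',
    'program: session=f00; logout',
]
BROKEN_SESSION = [l.replace("f00", "f01") for l in FULL_SESSION if "noop" not in l]
ACTIONS = [Action("event", "Hello event!", min_messages=5),
           Action("error", "Hello error!", max_messages=4)]


def run_thread_example():
    return correlate(FULL_SESSION + BROKEN_SESSION, "logout", ACTIONS)
```

`run_thread_example()` returns `[("event", "Hello event!", 5), ("error", "Hello error!", 4)]`: the complete session satisfies min-messages=5 and the truncated one satisfies max-messages=4.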
