[syslog-ng] min and max message count condition in correlation actions

Evan Rempel erempel at uvic.ca
Mon Apr 15 18:35:16 CEST 2013


Well, what you are asking isn't achievable with syslog-ng itself. We do this at our site, but we have built an infrastructure around syslog-ng that passes classified events (at first it is a syslog message) to programs which create other events that get passed via syslog-ng to other programs that finally create e-mail, tickets, jabber, SMS, twitter and IP phone alerts.

What you want to do is a great idea, you just need more than syslog-ng to accomplish it.


Evan

Anton Koldaev <koldaevav at gmail.com> wrote:



Could you please give an example of using 'context-length' condition?
I wonder if I can use it for sending an alert to a monitoring system when more than 'N' exceptions per 'T' seconds are sent by my app hosts.


On Sun, Apr 14, 2013 at 5:30 AM, Evan Rempel <erempel at uvic.ca> wrote:
As of 2 days ago a new syslog-ng guide was published that now documents this :-)

Slightly different syntax

<action condition='"$(context-length)" >= "$max"'>

Works like a charm.

Also, it isn't specified that <tag>xxx</tag> can be in the <message> part of an action.

syslog-ng never stops amazing me.

Evan.
________________________________________
From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] on behalf of Gergely Nagy [algernon at balabit.hu]
Sent: Saturday, April 13, 2013 5:32 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] min and max message count condition in correlation actions

Evan Rempel <erempel at uvic.ca> writes:

> so the syntax would be
>
> <action condition="$(context-length) == $num">
>
> where $num is some macro from the pattern used to match a line.
>
> Is that correct?

$num can be pretty much anything: a number, a macro, another template
function - it is entirely up to you. It does not need to be extracted
from the pattern, but that should work too.

--
|8]

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________




--
Best regards,
Koldaev Anton
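
An added illustration of where the `context-length` condition quoted in this thread sits inside a patterndb rule; it is not from any poster in the thread or from the syslog-ng documentation. The ruleset name, program pattern, ids, message pattern, 60-second timeout and threshold of 5 are all constructed for the example, and the rule counts messages collected in one correlation context rather than implementing a general rate monitor.

```xml
<patterndb version='4' pub_date='2013-04-15'>
  <!-- Constructed example: ruleset name, ids and patterns are placeholders -->
  <ruleset name='myapp' id='00000000-0000-0000-0000-000000000001'>
    <!-- Program name the ruleset applies to (assumed) -->
    <pattern>myapp</pattern>
    <rules>
      <!-- context-id groups matching messages into one context;
           context-scope='host' keeps a separate context per sending host;
           context-timeout is the number of seconds the context is kept -->
      <rule provider='example' id='00000000-0000-0000-0000-000000000002'
            class='violation'
            context-id='myapp-exceptions'
            context-scope='host'
            context-timeout='60'>
        <patterns>
          <pattern>Exception in @ANYSTRING:app.exception@</pattern>
        </patterns>
        <actions>
          <!-- Condition syntax as posted in the thread, with a literal
               threshold in place of "$max". With >= the condition is true
               for every matching message from the 5th one on; with == it
               is true only for the message that makes the count exactly 5. -->
          <action trigger='match'
                  condition='"$(context-length)" >= "5"'>
            <message>
              <values>
                <value name='MESSAGE'>${HOST} logged $(context-length) exceptions in one context</value>
              </values>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

The message generated by the action is an ordinary log message, so delivering it to a monitoring system is a matter of routing it to a suitable destination in the syslog-ng configuration.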