[syslog-ng] min and max message count condition in correlation actions

Anton Koldaev koldaevav at gmail.com
Tue Apr 16 11:15:50 CEST 2013


Hmm... It feels like syslog-ng should be able to do it on its own:

> rate: Specifies maximum how many messages should be generated in the
> specified time period in the following format:
> <number-of-messages>/<period-in-seconds>.
> ... then maximum one message is generated per minute for every host that
> sends a log message matching the rule. Excess messages are dropped.

Balabit guys: any way to force it not to drop messages by rate, but execute
an action instead? (For example: execute log() if rate >= 10/60s)




On Mon, Apr 15, 2013 at 8:35 PM, Evan Rempel <erempel at uvic.ca> wrote:

>  Well, what you are asking isn't achievable with syslog-ng itself. We do this at our site, but we have built an infrastructure around syslog-ng that passes classified events (at first it is a syslog message) to programs which create other events that get passed via syslog-ng to other programs that finally create e-mail, tickets, jabber, SMS, twitter and IP phone alerts.
>
> What you want to do is a great idea, you just need more than syslog-ng to accomplish it.
>
>
> Evan
>
> Anton Koldaev <koldaevav at gmail.com> wrote:
>
>
>  Could you please give an example of using 'context-length' condition?
> I wonder if I can use it for sending an alert to monitoring system when
> there are more than 'N' exceptions per 'T' seconds sent by my app hosts.
>
>
> On Sun, Apr 14, 2013 at 5:30 AM, Evan Rempel <erempel at uvic.ca> wrote:
>
>> As of 2 days ago a new syslog-ng guide was published that now documents
>> this :-)
>>
>> Slightly different syntax
>>
>> <action condition='"$(context-length)" >= "$max"'>
>>
>> Works like a charm.
>>
>> Also, it isn't specified that <tag>xxx</tag> can be in the <message> part
>> of an action.
>>
>> syslog-ng never stops amazing me.
>>
>> Evan.
>> ________________________________________
>> From: syslog-ng-bounces at lists.balabit.hu [
>> syslog-ng-bounces at lists.balabit.hu] on behalf of Gergely Nagy [
>> algernon at balabit.hu]
>> Sent: Saturday, April 13, 2013 5:32 AM
>> To: Syslog-ng users' and developers' mailing list
>> Subject: Re: [syslog-ng] min and max message count condition in
>> correlation actions
>>
>> Evan Rempel <erempel at uvic.ca> writes:
>>
>> > so the syntax would be
>> >
>> > <action condition="$(context-length) == $num">
>> >
>> > where $num is some macro from the pattern used to match a line.
>> >
>> > Is that correct?
>>
>> $num can be pretty much anything: a number, a macro, another template
>> function - it is entirely up to you. It does not need to be extracted
>> from the pattern, but that should work too.
>>
>> --
>> |8]
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>
>
>  --
> Best regards,
> Koldaev Anton
>
>
>
>
>


-- 
Best regards,
Koldaev Anton
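A concrete rule for the case discussed in this thread (alert when a host sends at least N exceptions within T seconds), as an added example that is not from the thread, the syslog-ng documentation or Balabit: it combines the `$(context-length)` condition Evan quotes with the per-action `rate` attribute from the documentation text Anton quotes. The program name `myapp`, the message pattern, the threshold of 10 exceptions per 60 seconds, the ruleset and rule ids, and the `alert` tag are assumed values chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): count exceptions per host and
     emit one alert message once the count reaches a threshold.
     Program name, pattern, threshold, ids and tag are assumed values. -->
<patterndb version="4" pub_date="2013-04-16">
  <ruleset name="myapp-exception-burst" id="00000000-0000-4000-8000-000000000001">
    <!-- Only messages whose PROGRAM field is "myapp" are matched by this ruleset. -->
    <pattern>myapp</pattern>
    <rules>
      <!-- context-id groups matching messages into one context per host;
           context-timeout="60" expires that context 60 seconds after the
           last matching message, so $(context-length) is the number of
           exceptions seen from that host in the current window. -->
      <rule provider="example" id="00000000-0000-4000-8000-000000000002"
            class="system"
            context-id="myapp-exceptions-${HOST}"
            context-scope="host"
            context-timeout="60">
        <patterns>
          <!-- Assumed log line shape: "Exception: <anything>" -->
          <pattern>Exception: @ANYSTRING:exception_text@</pattern>
        </patterns>
        <actions>
          <!-- trigger="match": the condition is evaluated on every matching
               message, so without a rate limit the action would fire on the
               10th, 11th, 12th ... message of the window.
               condition: "&gt;=" is the XML-escaped form of ">=".
               rate="1/60": at most one generated alert per minute for each
               context; this throttles only the alert the action generates,
               the original application messages pass through unchanged. -->
          <action trigger="match"
                  condition='"$(context-length)" &gt;= "10"'
                  rate="1/60">
            <message inherit-properties="TRUE">
              <values>
                <value name="PROGRAM">myapp-alert</value>
                <value name="MESSAGE">exception burst on ${HOST}: $(context-length) exceptions within 60s</value>
              </values>
              <tags>
                <tag>alert</tag>
              </tags>
            </message>
          </action>
        </actions>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Load the file with `db-parser(file("/path/to/myapp-exception-burst.xml"))` in a parser block and route the generated messages with a `tags("alert")` filter to the destination that feeds the monitoring system; the unmodified application messages keep flowing to their usual log path. Setting `trigger="timeout"` instead of `"match"` would produce a single summary message when the context expires rather than one per minute while the burst continues.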