[syslog-ng] min and max message count condition in correlation actions
Jakub Jankowski
shasta at toxcorp.com
Tue Apr 16 21:24:58 CEST 2013
On 2013-04-16, Gergely Nagy wrote:
> Anton Koldaev <koldaevav at gmail.com> writes:
>
>> Balabit guys: any way to force it not to drop messages by rate, but execute
>> an action instead? (For example: execute log() if rate >= 10/60s)
>
> I'd love to teach syslog-ng to do that, but that needs quite a bit of
> work, and isn't likely to happen anytime soon, I'm afraid. (Unless I'm
> missing something, but I find that unlikely.)
In the meantime - this is trivial to do with SEC[1] (Simple Event
Correlator). The man page[2] is quite a good source of documentation, but
I highly recommend reading this great two[3] part[4] article "Working with
SEC", where you'll see examples of how to make SEC do exactly what OP
wants. Namely:
type=SingleWithThreshold
ptype=RegExp
pattern=foo bar baz=(\S+)
desc=$0
action=shellcmd /bin/echo -e "foo baz=$1 above 3/10s" | mail admin@example
window=10
thresh=3
or, if you want "high" and "low" thresholds:
type=SingleWith2Thresholds
ptype=RegExp
pattern=foo bar baz=(\S+)
desc=$0 high
action=shellcmd /bin/echo -e "foo baz=$1 above 3/10s" | mail admin@example
window=10
thresh=3
desc2=$0 low
action2=shellcmd /bin/echo -e "foo baz=$1 stopped" | mail admin@example
window2=120
thresh2=0
Hope this helps.
Cheers,
Jakub.
[1] http://simple-evcorr.sourceforge.net/
[2] http://simple-evcorr.sourceforge.net/man.html
[3] http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html
[4] http://simple-evcorr.sourceforge.net/SEC-tutorial/article-part2.html
--
Jakub Jankowski|shasta at toxcorp.com|http://toxcorp.com/
GPG: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
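The two SEC rules quoted above, replayed in Python as an added example. This is not code from the post or from SEC itself; it is a small model of what SingleWithThreshold and SingleWith2Thresholds do (a per-$1 counter over a sliding `window`, a "high" action when `thresh` is reached, and for the two-threshold form a "low" action once at most `thresh2` matches were seen in `window2` seconds), so the rules can be traced by hand on sample input. The class and function names (ThresholdRule, parse_line, run_rule) and the syslog lines at the bottom are constructed for this example, and the re-arm timing is an approximation of SEC's, not a copy of it.

```python
"""Sliding-window threshold correlation over syslog lines.

Added example, not code from the original post or from SEC: a Python model
of SEC's SingleWithThreshold / SingleWith2Thresholds rules. The log lines
at the bottom are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# "Mon DD HH:MM:SS host rest-of-message" (classic BSD syslog layout)
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (.*)$")


def parse_line(line, year=2013):
    """Return (seconds since Jan 1 of `year`, message) or (None, None)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None, None
    dt = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds(), m.group(2)


class ThresholdRule:
    """SingleWithThreshold when window2/thresh2 are None, otherwise
    SingleWith2Thresholds. As with SEC's `desc=$0 ... $1`, one counter
    (correlation context) is kept per value of the first capture group."""

    def __init__(self, pattern, window, thresh, window2=None, thresh2=None):
        self.pattern = re.compile(pattern)
        self.window, self.thresh = window, thresh
        self.window2, self.thresh2 = window2, thresh2
        self.hits = defaultdict(deque)  # key -> timestamps of recent matches
        self.high = {}                  # key -> time the high action fired
        self.actions = []               # (time, kind, key, count) "actions"

    def _prune(self, key, now, width):
        q = self.hits[key]
        while q and q[0] <= now - width:
            q.popleft()

    def feed(self, ts, msg):
        m = self.pattern.search(msg)
        if not m:
            return
        key = m.group(1)  # SEC's $1
        if key in self.high:
            if self.window2 is None and ts - self.high[key] >= self.window:
                # single-threshold rule: re-arm once the window has elapsed
                del self.high[key]
                self.hits[key].clear()
            else:
                # already fired: keep timestamps only for the low-threshold check
                self.hits[key].append(ts)
                return
        self._prune(key, ts, self.window)
        self.hits[key].append(ts)
        if len(self.hits[key]) >= self.thresh:
            self.actions.append((ts, "high", key, len(self.hits[key])))
            self.high[key] = ts
            self.hits[key].clear()

    def tick(self, now):
        """Time-driven check (SEC does this from its own timer): a key in the
        high state drops to low once window2 seconds have passed and at most
        thresh2 matches were seen in the last window2 seconds."""
        if self.window2 is None:
            return
        for key, t_high in list(self.high.items()):
            if now - t_high < self.window2:
                continue
            self._prune(key, now, self.window2)
            n = len(self.hits[key])
            if n <= self.thresh2:
                self.actions.append((now, "low", key, n))
                del self.high[key]
                self.hits[key].clear()


def run_rule(rule, log):
    """Replay log lines through a rule; return readable actions with times
    relative to the first parsable line."""
    t0 = None
    for line in log.splitlines():
        ts, msg = parse_line(line)
        if ts is None:
            continue
        t0 = ts if t0 is None else t0
        rule.tick(ts)        # expire windows before handling the new event
        rule.feed(ts, msg)
    return [f"{kind} baz={key} at +{int(ts - t0)}s (count={n})"
            for ts, kind, key, n in rule.actions]


# Constructed sample input: four "alpha" events in 9 s, three "beta" events
# spread out, then a quiet period.
LOG = """\
Apr 16 21:00:00 host1 app: foo bar baz=alpha
Apr 16 21:00:03 host1 app: foo bar baz=alpha
Apr 16 21:00:04 host1 app: foo bar baz=beta
Apr 16 21:00:07 host1 app: foo bar baz=alpha
Apr 16 21:00:09 host1 app: foo bar baz=alpha
Apr 16 21:00:30 host1 app: foo bar baz=beta
Apr 16 21:00:50 host1 app: foo bar baz=beta
Apr 16 21:02:30 host1 app: unrelated line
"""

if __name__ == "__main__":
    for r in (ThresholdRule(r"foo bar baz=(\S+)", window=10, thresh=3),
              ThresholdRule(r"foo bar baz=(\S+)", 10, 3, window2=120, thresh2=0)):
        print(run_rule(r, LOG))
```

The first rule fires "high" for baz=alpha at the third match inside 10 s and never fires for beta, whose matches are more than 10 s apart; the second rule additionally fires "low" for alpha once 120 s have passed with no further alpha events. The original poster's request (act when the rate reaches 10 per 60 s) is the same model with `window=60, thresh=10`.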