[syslog-ng] [Bug 243] New: patterndb rule should allow action upon context timeout

bugzilla at bugzilla.balabit.com bugzilla at bugzilla.balabit.com
Thu Aug 8 16:31:30 CEST 2013 

https://bugzilla.balabit.com/show_bug.cgi?id=243

           Summary: patterndb rule should allow action upon context timeout
           Product: syslog-ng
           Version: 3.3.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: unspecified
         Component: syslog-ng
        AssignedTo: bazsi at balabit.hu
        ReportedBy: bugzilla.balabit at faxm0dem.org
Type of the Report: enhancement
   Estimated Hours: 0.0


Currently in an event correlation configuration, when a certain context times out, the whole rule is thrown away.
It would be very useful to be able to trigger an action when a rule's context-timeout is reached.
Of course the ability to add a timeout_action for every rule would further enhance the idea.
Example:

<ruleset name='dummy_ruleset' id='03eb0142-4b0c-4226-ac98-6bcb03e59e00'>
  <pattern>dummy_program</pattern>
  <rules>
    <rule provider="dummy_provider" id="0cc9a000-2a4e-41f2-b30b-09d67af68ddc"
          class='dummy_class'
          context-timeout="300"
          context-scope="program"
          context-id="dummy_context">
      <patterns>
        <pattern>First message has @ANYSTRING:dummy_string@</pattern>
      </patterns>
      <timeout_actions>
        <action>
          <message>
            <values>
              <value name="MESSAGE">Timeout: Failed to correlate ${dummy_string}@1 with anything</value>
            </values>
          </message>
        </action>
      </timeout_actions>
    </rule>
    <rule provider="dummy_provider" id="6fbefe59-3448-4b29-8c4f-7d9c1ab65a4c"
          class='dummy_class'
          context-scope="program"
          context-id="dummy_context">
      <patterns>
        <pattern>Second message has @ANYSTRING:dummy_string@</pattern>
      </patterns>
      <actions>
        <action>
          <message>
            <values>
              <value name="MESSAGE">Correlated ${dummy_string}@1 with ${dummy_string}@2</value>
            </values>
          </message>
        </action>
      </actions>
    </rule>
  </rules>
</ruleset>


-- 
Configure bugmail: https://bugzilla.balabit.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

More information about the syslog-ng mailing list