[syslog-ng] classify/assign events to tenants/customers

Evan Rempel erempel at uvic.ca
Thu Sep 18 17:46:47 CEST 2014


Well, that isn't exactly true. We do what the OP is asking for.

We have a database where we specify who is responsible for a host, and then for each
program on that host, who is responsible.

Then we make a pattern database from the responsibility database that has entries that look
like

          <rule id="{hostname}-{program}" class="business" provider="UVic">
             <patterns>
                <pattern>{hostname}:{program}:</pattern>
             </patterns>
             <tags>
                <tag>group_development</tag>
             </tags>
             <values>
                <value name="group">development</value>
             </values>
          </rule>

So there is an entry for EVERY host:program combination, and a piece of metadata is assigned via
the tag/value pair for group=group_name. Don't worry about the size of this database. Ours is 162017 lines long today.

This pattern database is accessed via the syslog-ng configuration below. Note that we also have the ability
to change the responsibility group based on weekday name and hour of day, but that may not be needed in your environment.


template t_business { template("$HOST:$PROGRAM:$S_WEEK_ABBREV:$HOUR"); template_escape(no); };
parser p_business {
         db_parser(
                 file("/opt/flare/etc/business.xml")
                 inject_mode(internal)
                 template(t_business)
         );
};

filter f_development { tags("group_development"); };
filter f_developments { match('^development$' value("group") type(pcre) ); };


log {	source(your_source);
	parser(p_business);
	log {
		filter(f_development);
		destination(d_development_file);
		flags(final);
	};
	log {
		filter(f_production);
		destination(d_production_file);
		flags(final);
	};
};


Hope that gives you the building blocks you need.

Evan.


On 09/18/2014 06:25 AM, Fabien Wernli wrote:
> Hi Sascha,
>
> On Thu, Sep 18, 2014 at 06:53:04AM +0000, Lucas, Sascha wrote:
>> * classification: pattern is per program and limited to the message
>
> patterndb's "primary keys" are indeed (currently) limited to PROGRAM
> (rulesets) and MESSAGE (patterns), although you can easily bypass that
> limitation.
>
>> * correlation: context is limited to one host not many
>
> You *can* correlate messages from different hosts by using 'context-scope =
> global' in the rule
>


-- 
Evan Rempel                                      erempel at uvic.ca
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria
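The post describes generating the pattern database from a responsibility table but shows only a single rule. The following is an added example, not Evan's tool or any syslog-ng project code: it builds a patterndb v4 file from a constructed list of (host, program, group) records, one rule per host:program, and includes an offline `lookup_group` helper that imitates the key lookup the `db_parser()` does against the `$HOST:$PROGRAM:` template. The wrapping ruleset layout (one ruleset per program, so the ruleset's program pattern narrows the search first), the `provider` string, the `pub_date`, and the sample hosts are all assumptions; the rule body itself mirrors the one in the post.

```python
"""Generate a syslog-ng patterndb that tags each host:program with the
responsible group.  Added example; the record format, ruleset layout and
sample data are assumptions, not the poster's generator."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[str, str, str]  # (host, program, group)

# Constructed sample of a "responsibility database"; not real hosts.
SAMPLE_RESPONSIBILITY: List[Record] = [
    ("web01", "httpd", "development"),
    ("web01", "sshd", "security"),
    ("db01", "postgres", "production"),
    ("db01", "sshd", "security"),
]


def build_patterndb(records: Iterable[Record], provider: str = "example") -> str:
    """Return patterndb v4 XML with one rule per host:program.

    Each rule carries the tag group_<name> and a 'group' value, exactly as the
    rule in the post does.  Rules are grouped into one ruleset per program
    (assumed layout) so the ruleset's <pattern>, matched against $PROGRAM,
    narrows the search before the rule pattern is matched against the parser
    template output "$HOST:$PROGRAM:".
    """
    by_program: Dict[str, Dict[str, str]] = defaultdict(dict)
    for host, program, group in records:
        existing = by_program[program].get(host)
        if existing is not None and existing != group:
            # Two owners for one host:program would produce two rules with the
            # same id; refuse rather than let the last record silently win.
            raise ValueError(
                f"conflicting group for {host}:{program}: {existing} vs {group}")
        by_program[program][host] = group

    root = ET.Element("patterndb", version="4", pub_date="1970-01-01")
    for program in sorted(by_program):
        ruleset = ET.SubElement(root, "ruleset",
                                name=f"business-{program}", id=f"business-{program}")
        ET.SubElement(ET.SubElement(ruleset, "patterns"), "pattern").text = program
        rules = ET.SubElement(ruleset, "rules")
        for host in sorted(by_program[program]):
            group = by_program[program][host]
            rule = ET.SubElement(rules, "rule", attrib={
                "id": f"{host}-{program}", "class": "business", "provider": provider})
            # The pattern is the literal key the t_business template produces
            # (here without the weekday/hour suffix the post optionally adds).
            ET.SubElement(ET.SubElement(rule, "patterns"), "pattern").text = f"{host}:{program}:"
            ET.SubElement(ET.SubElement(rule, "tags"), "tag").text = f"group_{group}"
            ET.SubElement(ET.SubElement(rule, "values"), "value", name="group").text = group
    # ElementTree escapes any XML-special characters in names for us.
    return ET.tostring(root, encoding="unicode")


def lookup_group(patterndb_xml: str, host: str, program: str) -> Optional[str]:
    """Offline imitation of the parser's key lookup: find the rule whose
    pattern equals "$HOST:$PROGRAM:" and return its 'group' value, or None
    when no rule covers that host:program (the message would stay untagged)."""
    key = f"{host}:{program}:"
    root = ET.fromstring(patterndb_xml)
    for rule in root.iter("rule"):
        if any(p.text == key for p in rule.iter("pattern")):
            return rule.find("values/value[@name='group']").text
    return None


if __name__ == "__main__":
    xml_text = build_patterndb(SAMPLE_RESPONSIBILITY)
    print(xml_text)
    print("web01/httpd ->", lookup_group(xml_text, "web01", "httpd"))
```

Write the returned string to the file named in `db_parser(file(...))`; the real matching can then be checked against the generated file with `pdbtool match -p business.xml -P httpd -M "web01:httpd:"` before the config is reloaded. The `None` branch of `lookup_group` is the case worth watching in production: a host:program pair missing from the responsibility database is tagged by no rule, so the log paths using `flags(final)` above will drop it silently unless a catch-all path is added after them.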

