Hi,

Context can be any expression; usually it is some field set earlier, such
as a $username or probably your log type in this case.
If you download the source tarball, there is a testcase that deals with
the context. You can take a look at this under
nxlog-ce/test/modules/processor/evcorr/
Files are:
 evcorr-context.conf 
 testinput_context.txt
 testoutput_context.txt

Regards,
Botond

On Fri, 20 Sep 2013 16:30:07 +0530
Suraj Sharma <suraj.sha...@webyog.com> wrote:

> So I guess the whole game changer is making use of CONTEXT. Can you
> give me some possible values for the context option which you have used so far?
> 
> And thank you so much Botond for responding so quickly.
> 
> If all the doubts get fixed by end of the day then I can make it work by
> Monday, which is the ultimate requirement. I have already spent lots of time
> testing other open source tools, but none suited so far; only nxlog has
> helped this far, and that too with less memory, CPU and IO :)
> 
> 
> On Fri, Sep 20, 2013 at 4:19 PM, Botond Botyanszki <b...@nxlog.org> wrote:
> 
> > Hi,
> >
> > > Can you please provide me some more clarification over this:-
> > >
> > > According to my understanding, using pm_evcorr's suppress module:
> > > a) We are supposed to give a CONDITION to bring it into effect
> > >   (I don't have any such condition as the message body is not fixed, it
> > >   can change; writing a regex here will also not help).
> > 'Condition TRUE' will make it always evaluate the rule for all events.
> >
> > > b) [Imp] It says that the rule will ignore any further log messages for
> > > the time specified in the interval. (Now what exactly does it mean: will
> > > it ignore the messages matching that condition or will it ignore every
> > > log message (which will again be a disaster)?)
> > pm_evcorr only executes the Exec statement, log messages are not touched
> > unless that's what you put in Exec. 'Ignore' refers to this, it will not
> > evaluate the Exec directive. You would put the mailer command into the
> > Exec directive.
> >
> > > c) Context: I am not even able to get how we can make use of it (or what
> > > exactly it is). (Is it a regex or some conditions, or should I write
> > > $message_body here, don't know.)
> > Context would be your log type I guess. You will get one alert per
> > context.
> >
> > > Can you provide me with some explanation and a good practical example (if
> > > possible from my scenario and event logs) of how to use this module along
> > > with context option.
> > A simple example is there in the reference manual. There are a lot of
> > practical examples and tutorials about sec.pl which may help understand
> > the concept.
> >
> > Regards,
> > Botond
> >
> >
> > >
> > >
> > > On Fri, Sep 20, 2013 at 3:45 PM, Botond Botyanszki <b...@nxlog.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > You may want to look at pm_evcorr's Suppress rule, using a
> > > > context. This would send one mail per context during the specified
> > > > interval.
> > > >
> > > > Regards,
> > > > Botond
> > > >
> > > >
> > > > On Fri, 20 Sep 2013 15:25:21 +0530
> > > > Suraj Sharma <suraj.sha...@webyog.com> wrote:
> > > >
> > > > > > 1. Typically, my events are multi-line and look like this:-
> > > > >  a) Say *event A* be:
> > > > > WY_LOG_TYPE_ERROR <<**
> > > > > ================================
> > > > >    2013-08-30 22:08:55
> > > > > ================================
> > > > > File: /var/www/.../Dblink.php
> > > > > Line: 70
> > > > >
> > > > > Unknown MySQL server host '127.0.0.1' (0)
> > > > >
> > > > > **>>
> > > > >
> > > > > b) Say *event B* be:
> > > > >  WY_LOG_TYPE_ERROR <<**
> > > > > ================================
> > > > >    2013-08-30 22:08:55
> > > > > ================================
> > > > > File: /var/www/.../app.php
> > > > > Line: 70
> > > > >
> > > > > The application connectivity failure...(and some stack trace...)
> > > > >
> > > > > **>>
> > > > >
> > > > > > 2. The important nxlog module configs:
> > > > > >
> > > > > > a) Multiline
> > > > > > <Extension multi>
> > > > > > Module                  xm_multiline
> > > > > > HeaderLine              /^WY_LOG_TYPE_(ERROR|INFO)/
> > > > > > EndLine                 /^\*\*>>/
> > > > > > </Extension>
> > > > > >
> > > > > > b) The input config:
> > > > > > <Input in_app_desktop_my_log>
> > > > > > Module                  im_file
> > > > > > File                    "/vagrant/my.log"
> > > > > > SavePos                 TRUE
> > > > > > ReadFromLast            TRUE
> > > > > > InputType               multi
> > > > > > PollInterval            20
> > > > > > </Input>
> > > > > >
> > > > > > c) The pattern module (used to extract the body of the error message,
> > > > > > i.e. everything after "File:" till "**>>", as the timestamp of the
> > > > > > error can change). This module captures the error body message and
> > > > > > puts it in a variable named message_body.
> > > > > > <Processor extract_body_of_error>
> > > > > > Module                  pm_pattern
> > > > > > PatternFile             /vagrant/patterndb.xml
> > > > > > </Processor>
> > > > > >
> > > > > > d) The final norepeat module working on this message body variable.
> > > > > > <Processor no_repeat>
> > > > > > Module                  pm_norepeat
> > > > > > CheckFields             message_body
> > > > > > </Processor>
> > > > > >
> > > > > > e) Output config (does all the mail sending work)
> > > > > > <Output out_app_desktop_my_log>
> > > > > > Module                  om_null
> > > > > > Exec {  exec_async("/bin/sh", "-c", 'echo -e "From: suraj.shar...@webyog.com\nTo: suraj.sha...@webyog.com\nContent-Type:text/html;\nSubject: Error in Log \n\n<pre>' + $raw_event + '<//pre>"|/usr/sbin/sendmail -t' ); }
> > > > > > </Output>
> > > > > >
> > > > > > f) The ROUTE config
> > > > > > <Route 1>
> > > > > > Path        in_app_desktop_my_log => extract_body_of_error => no_repeat => out_app_desktop_my_log
> > > > > > </Route>
> > > > > > 3. The whole series of events happens like ABABABABABAB... every
> > > > > > second. In 20 seconds we get approx 50 such series and the ultimate
> > > > > > requirement is to send just 2 mails (not 100 of them) containing
> > > > > > event A and event B after 20 seconds.
> > > > > > 4. *My question is how can pm_evcorr or xm_perl help me...?*
> > > > > > 5. Some thoughts from your answer are like: in xm_perl we can make an
> > > > > > array storing up the last 10 events (or precisely storing the
> > > > > > message_body) and checking based on that whether the current event
> > > > > > has been repeated in the last 10 occurrences... if repeated it should
> > > > > > be dropped.
> > > > >
> > > > >
> > > > > --
> > > > > Warm Regards,
> > > > >
> > > > > Suraj Sharma
> > > > > Software Engineer
> > > > > Webyog Softworks Pvt Ltd
> > > >
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > >
> > > Warm Regards,
> > > *Suraj Sharma*
> > > *Software Engineer*
> > > *Webyog Softworks Pvt Ltd*
> >
> 
> 
> 
> -- 
> 
> Warm Regards,
> *Suraj Sharma*
> *Software Engineer*
> *Webyog Softworks Pvt Ltd*

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
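
The Suppressed rule with a Context discussed in this thread, written against the configuration quoted above. This is an added example, not part of the original messages or of the nxlog test suite. It assumes pm_pattern sets $message_body as the poster describes; the instance names evcorr_suppress and out_discard and the script path /usr/local/bin/alert-mail.sh are hypothetical.

```conf
# Added example (not from the thread). The pm_evcorr processor takes the
# place of pm_norepeat in the poster's route.

# exec_async() is provided by xm_exec.
<Extension exec>
    Module      xm_exec
</Extension>

<Processor evcorr_suppress>
    Module      pm_evcorr

    <Suppressed>
        # 'Condition TRUE' evaluates the rule for every event.
        Condition   TRUE
        # One suppression window per distinct value of this expression.
        # $message_body is assumed to be set by the pm_pattern processor,
        # so event A and event B each get their own window.
        Context     $message_body
        # Seconds during which Exec is not evaluated again for the same
        # context. The events themselves are not touched by the rule.
        Interval    20
        # Evaluated for the first event of each context in a window.
        # The event text is handed over as a separate argument, so no shell
        # command line is assembled from log content.
        # The script path is a hypothetical placeholder.
        Exec        exec_async("/usr/local/bin/alert-mail.sh", $message_body);
    </Suppressed>
</Processor>

# The mail is sent from the evcorr rule, so the output only discards events.
<Output out_discard>
    Module      om_null
</Output>

<Route 1>
    Path        in_app_desktop_my_log => extract_body_of_error => evcorr_suppress => out_discard
</Route>
```

With the ABAB... stream from the question, each of the two message bodies forms its own context, so each 20 second window yields one alert for event A and one for event B.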