I am attempting to use the evcorr module. But when I restart the nxlog service I see this in nxlog.log:

WARNING not starting unused module evcorr
INFO nxlog-ce-2.8.1248 started

I have this in my nxlog.conf, but the correlation does not work. Any idea why the module evcorr does not start?

<Input in1>
    Module  im_udp
    Host    1.1.1.1
    Port    514
    exec    if $raw_event =~ /test alert/ \
            { \
                $alertIP = $MessageSourceIP; \
                $Action = 'alert' ; \
            }
    Exec    parse_syslog_bsd();
</Input>

<Processor evcorr>
    Module  pm_evcorr
    <Thresholded>
        Condition   defined $Action and $Action == 'alert'
        Context     $alertIP
        Threshold   3
        Interval    10
        exec        log_info("***ALERT for IP: " + $alertIP);
    </Thresholded>
</Processor>

<Output fileout1>
    Module  om_file
    Exec    $Hostname = $MessageSourceAddress;
    Exec    $outfile = "/var/log/nxlog/logTEMP.txt";
    File    $outfile
    Exec    to_syslog_bsd();
</Output>

<Route 1>
    Path    in1 => fileout1
</Route>

Thanks,
Troy
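
An added example, not part of the original post and not NXLog project code: NXLog logs "not starting unused module" for a module instance that no Route references, and the posted Route goes from in1 straight to fileout1. The fragment shows that route beside one that passes events through evcorr, using only the instance names from the post.

```conf
# As posted: evcorr is defined, but no Route references it, so NXLog
# skips it at startup and no event ever reaches the <Thresholded> rule.
#<Route 1>
#    Path    in1 => fileout1
#</Route>

# Routed through the processor: every event read by in1 passes
# through evcorr, where the rule counts events with $Action == 'alert'
# per $alertIP, before fileout1 writes it.
<Route 1>
    Path    in1 => evcorr => fileout1
</Route>
```

After a restart with this route, the "not starting unused module evcorr" warning should no longer appear in nxlog.log.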