So what you are actually looking for is a system that can work with dynamically changeable alert definitions? As David said, there is no such thing currently, but the best road to approach it is to write a custom output plugin that you pass each message to. That plugin can even decide if messages should be discarded and not further processed. I envisioned such a plugin, but have not yet had time to write it, for a similar use case.

If you intend to write one AND contribute it to the project, I can help you get started with the interface, and would even be willing to create you a custom skeleton that you can fill in with your logic ;)

HTH
Rainer

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Phil Reilly
> Sent: Sunday, November 08, 2009 9:30 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Alerting rules via a database
>
> [email protected] wrote:
> > On Sun, 8 Nov 2009, Phil Reilly wrote:
> >
> >> I'm attempting to allow for flexible rule matches on syslogs from a web
> >> front end (rather than entries into the rsyslog config files).
> >>
> >> I want to get regexp filters from a db to alert upon messages. Not sure
> >> the best way to achieve this. I've so far thought of:
> >>
> >> * Outputting to a pipe and running it via an alerting script.
> >> * Having a file watch on the messages.
> >> * Receiving the messages then passing them to rsyslog (yuck).
> >>
> >> Can the rule engine allow for match rules outside of the config? Is
> >> there an elegant way of doing this?
> >
> > rsyslog doesn't give you this ability, but it's not really the best
> > approach to use for alerting anyway.
> >
> > What are you trying to achieve by having the alert definitions in a
> > database? There are several tools out there to do alerting (SEC, Simple
> > Event Correlator, is one of the leading ones), but I'm not aware of any of
> > them that use a database for their rulesets.
> >
> > I'm also scratching my head trying to figure out what the advantage of
> > doing so would be.
> >
> > David Lang
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com
>
> Thanks David,
>
> We have a networked environment. We also have a web page that allows you
> to configure regexps to match certain syslog messages. These patterns are
> compiled and kept in a table. The current syslog process we use listens
> for UDP. When it gets a syslog message, we examine the patterns (which
> are re-read upon addition or change) and pass them to an alerting
> process before writing the logs to disk. The existing system works well,
> but we now want to scale it over a few machines and I'm examining what
> syslog products out there cater for alerting.
>
> So a database will make configuring alerts far more dynamic than
> statically entering them into a config file. It will also allow for
> grouped views so different groups have the ability to have custom alerts
> based upon their own interpretation of syslog messages.
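The following is an added example, not code from this thread and not rsyslog's own plugin code, showing the design Phil describes and the discard capability Rainer mentions in one place: regexp rules held in a database table, re-read whenever the table changes, every message checked against the current set, and a rule able to either raise an alert or drop the message before it is written. It assumes a hypothetical external alerting process that receives one syslog message per line on stdin, a hypothetical `alert_rules` SQLite table maintained by the web front end, and constructed sample log lines; none of these come from the thread. Because the patterns arrive from a web UI, a pattern that fails to compile is rejected and logged rather than allowed to stop the pipeline, and each message is length-bounded so a pathological pattern cannot stall the matcher indefinitely.

```python
"""Regexp alerting with rules kept in a database and reloaded on change.

Added example (not from the rsyslog thread). Assumed interface: one syslog
message per line on stdin; kept messages go to stdout, alerts to stderr.
"""
import re
import sqlite3
import sys
from dataclasses import dataclass

# Hypothetical table written by the web front end (an assumption; the thread
# only says the patterns are "compiled and kept in a table").
SCHEMA = """
CREATE TABLE IF NOT EXISTS alert_rules (
    id      INTEGER PRIMARY KEY,
    grp     TEXT    NOT NULL,   -- team that owns the rule (grouped views)
    pattern TEXT    NOT NULL,   -- regexp typed into the web UI (untrusted)
    action  TEXT    NOT NULL,   -- 'alert' or 'drop'
    enabled INTEGER NOT NULL DEFAULT 1,
    updated INTEGER NOT NULL    -- bumped by the front end on every edit
);
"""

MAX_MSG_LEN = 2048  # bound the work a pathological regexp can do per message


@dataclass(frozen=True)
class Rule:
    rule_id: int
    group: str
    action: str
    regex: re.Pattern


class RuleStore:
    """Compiled rules plus a cheap change check against the table."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.executescript(SCHEMA)
        self._stamp = None
        self.rules: list[Rule] = []
        self.rejected: dict[int, str] = {}  # rule id -> compile error text
        self.refresh()

    def refresh(self) -> bool:
        """Reload when (enabled count, newest 'updated') differs from last time.
        Polling on every message keeps the rules current without a restart."""
        stamp = self.conn.execute(
            "SELECT COUNT(*), COALESCE(MAX(updated), 0) "
            "FROM alert_rules WHERE enabled = 1"
        ).fetchone()
        if stamp == self._stamp:
            return False
        rules, rejected = [], {}
        for rid, grp, pat, action in self.conn.execute(
            "SELECT id, grp, pattern, action FROM alert_rules "
            "WHERE enabled = 1 ORDER BY id"
        ):
            try:
                rules.append(Rule(rid, grp, action, re.compile(pat)))
            except re.error as exc:
                rejected[rid] = str(exc)  # bad UI input must not stop logging
        self.rules, self.rejected, self._stamp = rules, rejected, stamp
        return True


def evaluate(store: RuleStore, message: str) -> tuple[bool, list[tuple[int, str]]]:
    """Return (keep, hits). keep is False if any matching rule says 'drop';
    hits lists (rule id, group) for every matching rule."""
    store.refresh()
    text = message[:MAX_MSG_LEN]
    keep, hits = True, []
    for rule in store.rules:
        if rule.regex.search(text):
            hits.append((rule.rule_id, rule.group))
            if rule.action == "drop":
                keep = False
    return keep, hits


def run_stdin(conn: sqlite3.Connection) -> None:
    """Plugin-style loop over the assumed one-message-per-line interface."""
    store = RuleStore(conn)
    for line in sys.stdin:
        msg = line.rstrip("\n")
        keep, hits = evaluate(store, msg)
        for rid, grp in hits:
            print(f"ALERT rule={rid} group={grp}: {msg}", file=sys.stderr)
        if keep:
            print(msg)  # next stage writes it to disk


# Constructed sample messages (not from the thread).
SAMPLE_LOG = [
    "Nov  8 09:30:01 fw1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Nov  8 09:30:02 web1 kernel: eth0: link up",
    "Nov  8 09:30:03 db1 sudo:   alice : TTY=pts/0 ; COMMAND=/bin/bash",
    "Nov  8 09:30:04 web1 cron[411]: (root) CMD (run-parts /etc/cron.hourly)",
]


def demo():
    """Run the sample through a constructed rule table, then edit a rule
    'from the front end' and show the matcher picks the change up."""
    conn = sqlite3.connect(":memory:")
    store = RuleStore(conn)
    conn.executemany(
        "INSERT INTO alert_rules (id, grp, pattern, action, enabled, updated) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "secops", r"Failed password for (root|admin)", "alert", 1, 100),
            (2, "dba", r"sudo:\s+\w+ : .*COMMAND=", "alert", 1, 100),
            (3, "ops", r"CMD \(run-parts", "drop", 1, 100),
            (4, "ops", r"(", "alert", 1, 100),  # invalid regexp from the UI
        ],
    )
    conn.commit()
    before = [evaluate(store, m) for m in SAMPLE_LOG]
    conn.execute("UPDATE alert_rules SET enabled = 0, updated = 101 WHERE id = 1")
    conn.commit()
    after = [evaluate(store, m) for m in SAMPLE_LOG]
    return store, before, after


if __name__ == "__main__":
    run_stdin(sqlite3.connect("alert_rules.db"))
```

The change check is a polling fingerprint of the enabled rules rather than a database trigger, so it stays portable across whatever database the front end writes to; the cost is one small query per message, which is acceptable at syslog rates for a few machines but is the first thing to cache (for example, check every N messages or every second) if the matcher is put in front of a busy central receiver.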

