On Sun, 8 Nov 2009, Phil Reilly wrote:

>
> [email protected] wrote:
>> On Sun, 8 Nov 2009, Phil Reilly wrote:
>>
>>
>>> I am attempting to allow for flexible rule matches on Syslogs from a web
>>> front end (rather than entries into the rsyslog config files)
>>>
>>> I want to get regexp filters from a db to alert upon messages. Not sure
>>> the best way to achieve this. I've so far thought of.
>>>
>>> * Outputting to a pipe and running it via an alerting script.
>>> * Having file watch the messages.
>>> * Receiving the messages then passing them to rsyslog (yuck)
>>>
>>> Can the rule engine allow for match rules outside of the config? Is
>>> there an elegant way of doing this?
>>>
>>
>> rsyslog doesn't give you this ability, but it's not really the best
>> approach to use for alerting anyway.
>>
>> what are you trying to achieve by having the alert definitions in a
>> database? there are several tools out there to do alerting (SEC, Simple
>> Event Correlator) is one of the leading ones, but I'm not aware of any of
>> them that use a database for their rulesets.
>>
>> I'm also scratching my head trying to figure out what the advantage of
>> doing so would be.
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com
>>
> Thanks David,
>
> We have a networked environment. We also have a web page that allows you
> to configure regexp to match certain syslog messages. These patterns are
> compiled and kept in a table. The current syslog process we use listens
> for udp. When it gets a syslog message, we examine the patterns (which
> are re-read upon addition or change) and pass them to an alerting
> process before writing the logs to disk. The existing system works well,
> but we now want to scale it over a few machines and I'm examining what
> syslog products out there cater for alerting.
>
> So a database will make configuring alerts far more dynamic than
> statically entering them into a config file. It will also allow for
> grouped views so different groups have the ability to have custom alerts
> based upon their own interpretation of syslog messages.
I don't know anything that will read a database like you are looking for.

I think you would be better off having your web gui create SEC rules or something like that (you can still store the basic info in a database)

David Lang
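An added example, not part of the original thread: one way a web front end could turn database-stored patterns into an SEC rule file, along the lines suggested in the reply above. The table layout, the sample rows and the `write` action are assumptions; Python's `re` serves only as a rough syntax check, since SEC compiles patterns as Perl regular expressions.

```python
import re
import sqlite3

# Constructed sample rows standing in for the web GUI's alert table.
# Table and column names are assumptions, not taken from the thread.
SAMPLE_ROWS = [
    ("netops", "link-down", r"%LINK-3-UPDOWN: Interface (\S+), changed state to down"),
    ("secops", "ssh-fail", r"sshd\[\d+\]: Failed password for (\S+)"),
    ("secops", "broken", r"sshd\[(\d+"),                 # unbalanced group
    ("netops", "multiline", "disk full\ndesc=spoofed"),  # would add a rule field
]

def load_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alert_rule (grp TEXT, name TEXT, pattern TEXT)")
    db.executemany("INSERT INTO alert_rule VALUES (?, ?, ?)", rows)
    return db

def safe_field(value):
    # SEC rule files are line-oriented and a trailing backslash continues
    # a line, so either would let a stored value alter the rule structure.
    return bool(value) and "\n" not in value and "\r" not in value \
        and not value.endswith("\\")

def render_rules(db):
    """Return (SEC rule file text, names of rejected rows)."""
    rules, rejected = [], []
    query = "SELECT grp, name, pattern FROM alert_rule ORDER BY rowid"
    for grp, name, pattern in db.execute(query):
        ok = all(safe_field(v) for v in (grp, name, pattern))
        if ok:
            try:
                # Rough syntax check only: SEC compiles patterns as Perl regex.
                re.compile(pattern)
            except re.error:
                ok = False
        if not ok:
            rejected.append(name)
            continue
        rules.append(
            "type=Single\nptype=RegExp\n"
            f"pattern={pattern}\n"
            f"desc=[{grp}] {name}: $0\n"
            "action=write - %s\n"  # placeholder action: print the alert line
        )
    return "\n".join(rules), rejected

if __name__ == "__main__":
    text, bad = render_rules(load_db(SAMPLE_ROWS))
    print(text)
    print("rejected:", bad)
```

Rejected rows are reported rather than written, so a pattern saved through the web page cannot break or extend the generated rule file.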

