On Tue, 26 Feb 2013, Sean Conner wrote:

It was thus said that the Great Rainer Gerhards once stated:
On Tue, 2013-02-26 at 11:02 +0000, C. L. Martinez wrote:
Hi all,

 Is it possible to do log correlation with rsyslog like syslog-ng
does?? Example:

http://lwn.net/Articles/424492/


I guess the short answer is "no". I need to look at a bit more detail,
but this beast seems to need to carry over a lot of state. I always
wanted to avoid this.

Can you tell me some samples of what you would like to do? Getting a use
case in plain words is probably more useful than in XML ;)

 Okay, here's something I'm doing.  Postfix logs five lines per email.  I
collect each line in turn, then log a one-line summary to be forwarded to a
remote logging host.  I first check to make sure the program is 'postfix', the
facility is 'mail' and level is 'info', then I check for the five specific
lines in question, saving critical information from each line.  Once I get
all five (and they always occur in order and given that I'm reading from
'/dev/log' there's no issue of out of order or missing entries), a one-line
summary is prepared and then returned as the message to be logged.

 The code to do this is in Lua, and can be read here:

https://github.com/spc476/syslogintr/blob/master/modules/postfix-mailsummary.lua

 -spc (At least it's not in XML 8-)


Actually, if you have batch processing enabled, there are some corner cases that can cause the logs to get to you out of order (mostly in cases where the logs are going to multiple destinations and some destination has a temporary problem, causing the batch of logs to 'fail' and be put back on the queue and re-processed).

My go-to tool for event correlation is Simple Event Correlator (SEC http://simple-evcorr.sourceforge.net/ ) I create a named pipe and have rsyslog output to that named pipe and SEC read from it.

Good event correlation is a rather complex task; I personally would not want to have that tied in to my log transport/delivery program.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
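The Postfix roll-up Sean describes, written so that it also survives the reordering David warns about, as an added example (this is not Sean's Lua module, nor rsyslog or SEC code). It keys state on the Postfix queue ID instead of relying on the five lines arriving in sequence, uses the nrcpt count from the qmgr line to know how many delivery lines to wait for, and caps the number of half-finished deliveries it keeps in memory, since unbounded correlation state is how a log pipeline gets pushed over by a flood of partial sessions. The log lines are constructed for the example, the facility/severity check is assumed to have been done upstream (the lines here are in the file format, which has no facility field), and the summary layout is made up.

```python
import re
from collections import OrderedDict

# Syslog file format: timestamp, host, postfix/<process>[pid], queue id, rest.
# Facility and severity are not present in this form; the example assumes the
# caller (e.g. an rsyslog filter) already narrowed the stream to mail.info.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)$'
)


def parse_kv(rest):
    """Split 'k=v, k=v, ...' as Postfix writes it (values may hold spaces, not ', ')."""
    out = {}
    for item in rest.split(', '):
        key, sep, val = item.partition('=')
        if sep:
            out[key] = val
    return out


class PostfixCorrelator:
    """Collect the per-queue-id lines of one delivery; emit one record when all
    required stages are present, whatever order the lines arrived in."""
    REQUIRED = ('client', 'message_id', 'from', 'rcpts', 'removed')

    def __init__(self, max_pending=10000):
        self.max_pending = max_pending   # bound on half-finished deliveries held in memory
        self.pending = OrderedDict()     # qid -> partial state, oldest first
        self.evicted = 0                 # incomplete deliveries dropped at the bound

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m or m.group('qid') == 'NOQUEUE':   # NOQUEUE rejects look like a qid but are not
            return None
        qid, proc, rest = m.group('qid'), m.group('proc'), m.group('rest')
        st = self.pending.get(qid)
        if st is None:
            if len(self.pending) >= self.max_pending:
                self.pending.popitem(last=False)    # evict the oldest incomplete delivery
                self.evicted += 1
            st = self.pending[qid] = {'qid': qid, 'host': m.group('host')}
        if proc == 'smtpd' and rest.startswith('client='):
            st['client'] = rest[len('client='):]
            st['ts'] = m.group('ts')                # connection time, independent of arrival order
        elif proc == 'cleanup' and rest.startswith('message-id='):
            st['message_id'] = rest[len('message-id='):]
        elif proc == 'qmgr' and rest.startswith('from='):
            kv = parse_kv(rest)
            st['from'] = kv.get('from')
            st['size'] = int(kv['size']) if kv.get('size', '').isdigit() else None
            nrcpt = kv.get('nrcpt', '1').split()[0]   # 'nrcpt=1 (queue active)'
            st['nrcpt'] = int(nrcpt) if nrcpt.isdigit() else 1
        elif proc in ('smtp', 'lmtp', 'local', 'virtual', 'pipe') and rest.startswith('to='):
            kv = parse_kv(rest)
            status = kv.get('status', '').split(' ', 1)[0]   # 'sent (250 ...)' -> 'sent'
            st.setdefault('rcpts', []).append((kv.get('to'), kv.get('relay'), status))
        elif proc == 'qmgr' and rest == 'removed':
            st['removed'] = True
        if all(k in st for k in self.REQUIRED) and len(st['rcpts']) >= st.get('nrcpt', 1):
            del self.pending[qid]
            return st
        return None


def format_summary(st):
    rcpts = ';'.join(f'{to}={status}/{relay}' for to, relay, status in st['rcpts'])
    return (f"{st['ts']} {st['host']} postfix-summary: qid={st['qid']} client={st['client']} "
            f"msgid={st['message_id']} from={st['from']} size={st['size']} rcpts={rcpts}")


# Constructed sample: the five lines Postfix writes for one single-recipient delivery.
SAMPLE = [
    "Feb 26 11:02:01 mx1 postfix/smtpd[1234]: 3A1B2C3D4E: client=mail.example.org[192.0.2.10]",
    "Feb 26 11:02:01 mx1 postfix/cleanup[1235]: 3A1B2C3D4E: message-id=<abc123@example.org>",
    "Feb 26 11:02:01 mx1 postfix/qmgr[1100]: 3A1B2C3D4E: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)",
    "Feb 26 11:02:02 mx1 postfix/smtp[1236]: 3A1B2C3D4E: to=<bob@example.net>, relay=mx.example.net[198.51.100.5]:25, "
    "delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "Feb 26 11:02:02 mx1 postfix/qmgr[1100]: 3A1B2C3D4E: removed",
]


def run(lines, max_pending=10000):
    """Feed lines through a fresh correlator; return the one-line summaries produced."""
    c = PostfixCorrelator(max_pending)
    return [format_summary(st) for st in map(c.feed, lines) if st]


if __name__ == '__main__':
    for summary in run(SAMPLE):
        print(summary)
```

Feeding the same five lines in reverse order yields the identical summary, which is the property a correlator downstream of a batching transport needs. Anything still in `pending` when the process stops is lost, so a real deployment would also expire stale entries by age and count the evictions, since a rising `evicted` is itself a signal worth alerting on.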