On Tue, Feb 26, 2013 at 7:10 PM, David Lang <[email protected]> wrote:
> On Tue, 26 Feb 2013, Sean Conner wrote:
>
>> It was thus said that the Great Rainer Gerhards once stated:
>>>
>>> On Tue, 2013-02-26 at 11:02 +0000, C. L. Martinez wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Is it possible to do log correlation with rsyslog like syslog-ng
>>>> does?? Example:
>>>>
>>>> http://lwn.net/Articles/424492/
>>>>
>>>
>>> I guess the short answer is "no". I need to look at a bit more detail,
>>> but this beast seems to need to carry over a lot of state. I always
>>> wanted to avoid this.
>>>
>>> Can you tell me some samples of what you would like to do? Getting a use
>>> case in plain words is probably more useful than in XML ;)
>>
>> Okay, here's something I'm doing. Postfix logs five lines per email. I
>> collect each line in turn, then log a one-line summary to be forwarded to a
>> remote logging host. I first check to make sure the program is 'postfix', the
>> facility is 'mail' and level is 'info', then I check for the five specific
>> lines in question, saving critical information from each line. Once I get
>> all five (and they always occur in order and given that I'm reading from
>> '/dev/log' there's no issue of out of order or missing entries), a one-line
>> summary is prepared and then returned as the message to be logged.
>>
>> The code to do this is in Lua, and can be read here:
>>
>> https://github.com/spc476/syslogintr/blob/master/modules/postfix-mailsummary.lua
>>
>> -spc (At least it's not in XML 8-)
>
> actually, if you have batch processing enabled, there are some corner cases
> that can cause the logs to get to you out of order (mostly in cases where
> the logs are going to multiple destinations and some destination has a
> temporary problem, causing the batch of logs to 'fail' and be put back on
> the queue and re-processed)
>
> My go-to tool for event correlation is Simple Event Correlator (SEC
> http://simple-evcorr.sourceforge.net/ ) I create a named pipe and have
> rsyslog output to that named pipe and SEC read from it.
>
> good event correlation is a rather complex task, I personally would not want
> to have that tied in to my log transport/delivery program
>
> David Lang
Possibly you are right, David. But the solution proposed by Sean is what I have been looking for for days. With SEC, I don't see how I can accomplish this. I need to correlate an antispam/antivirus appliance. For every email that comes to this appliance, it can sometimes generate three log entries, or 20, or 10, or ... I don't see how SEC can correlate this. With Sean's sample it is really possible. Another thing is performance ...

Any sample about how to do this with SEC??
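The Postfix-to-summary correlation Sean describes above, keyed on the queue id and emitting one line once every piece has arrived, as an added example that is not part of this thread or of Sean's syslogintr module. It also covers David's caveat that batched delivery can reorder lines (completion is checked in any order) and bounds the state table so ids that never finish cannot grow memory without limit. It assumes the usual Postfix syslog line shape shown in the patterns; the sample log lines are constructed.

```python
import re
from collections import OrderedDict
# Assumed Postfix syslog shape "postfix/<prog>[pid]: <queue id>: <rest>"; verify against your version.
LINE_RE = re.compile(r'postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$')
FIELD_RES = (
    re.compile(r'^client=(?P<client>\S+)'),                        # smtpd
    re.compile(r'^message-id=(?P<msgid><[^>]*>)'),                 # cleanup
    re.compile(r'^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)'),  # qmgr
    re.compile(r'^to=<(?P<rcpt>[^>]*)>,.*status=(?P<status>\w+)'), # smtp/local
)
REQUIRED = ("client", "msgid", "sender", "size", "rcpt", "status")

def correlate(lines, max_pending=10000):
    """Fold Postfix's per-message lines into one summary per queue id; returns (summaries, incomplete)."""
    pending = OrderedDict()  # queue id -> fields gathered so far, oldest id first
    summaries, incomplete = [], {}
    for line in lines:
        m = LINE_RE.search(line)
        if m is None: continue  # not a Postfix queue line; facility/level filtering stays in rsyslog
        qid, rest = m.group("qid"), m.group("rest")
        st = pending.setdefault(qid, {})
        for frx in FIELD_RES:
            fm = frx.match(rest)
            if fm: st.update(fm.groupdict())
        if rest == "removed":
            st["done"] = True  # final line; under batching it may arrive before the others
        if st.get("done") and all(k in st for k in REQUIRED):
            pending.pop(qid)
            summaries.append("%s from=<%s> to=<%s> status=%s size=%s client=%s msgid=%s" % (
                qid, st["sender"], st["rcpt"], st["status"], st["size"], st["client"], st["msgid"]))
        while len(pending) > max_pending:  # bound memory: evict oldest ids that never completed
            incomplete.update([pending.popitem(last=False)])
    incomplete.update(pending)  # whatever is still open when input ends
    return summaries, incomplete

# Constructed sample: 3A2B1C0D4E complete and in order, 5F6E7D8C9B with "removed" early, 0011223344 unfinished.
SAMPLE = [
    "Feb 26 19:10:01 mx postfix/smtpd[1234]: 3A2B1C0D4E: client=mail.example.org[192.0.2.10]",
    "Feb 26 19:10:01 mx postfix/cleanup[1235]: 3A2B1C0D4E: message-id=<a1@example.org>",
    "Feb 26 19:10:01 mx postfix/qmgr[1236]: 3A2B1C0D4E: from=<alice@example.org>, size=1234, nrcpt=1 (queue active)",
    "Feb 26 19:10:02 mx postfix/smtp[1237]: 3A2B1C0D4E: to=<bob@example.net>, relay=mail.example.net[198.51.100.5]:25, delay=0.5, status=sent (250 2.0.0 OK)",
    "Feb 26 19:10:02 mx postfix/qmgr[1236]: 3A2B1C0D4E: removed",
    "Feb 26 19:10:03 mx postfix/smtpd[1234]: 5F6E7D8C9B: client=localhost[127.0.0.1]",
    "Feb 26 19:10:03 mx postfix/cleanup[1235]: 5F6E7D8C9B: message-id=<b2@example.org>",
    "Feb 26 19:10:03 mx postfix/qmgr[1236]: 5F6E7D8C9B: from=<root@example.org>, size=888, nrcpt=1 (queue active)",
    "Feb 26 19:10:04 mx postfix/qmgr[1236]: 5F6E7D8C9B: removed",
    "Feb 26 19:10:04 mx postfix/local[1238]: 5F6E7D8C9B: to=<ops@example.org>, relay=local, delay=0.1, status=sent (delivered to mailbox)",
    "Feb 26 19:10:05 mx postfix/smtpd[1234]: 0011223344: client=unknown[203.0.113.7]",
]
```

Ids left in `incomplete` are the ones worth alerting on, since a message that never reaches "removed" (or whose lines were lost in transport) is exactly what a summarizing correlator would otherwise silently drop.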

