----- Original Message -----
> From: "David Lang" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Sent: Thursday, April 25, 2013 9:18:23 PM
> Subject: Re: [rsyslog] keeping state information
>
> On Thu, 25 Apr 2013, Balamurugan Arumugam wrote:
>
> > Hi list,
> >
> > Our idea is to use rsyslog as logger for GlusterFS. My requirement is:
> >
> > 1. keep track of each log from glusterfs processes.
> > 2. each log is formatted as error code + message optionally extra message.
> > 3. skip logging repeatedly based on the error code, if it occurs N times
> > within given M seconds.
> > 4. based on the error codes and their occurrence, the system raises alerts
> > to sysadmin, supervisors and managers based on their severity
> >
> >
> > To achieve this, I would like to get advice on
> > 1. Does rsyslog system/plugin track log stats like time/source/progname
> > etc?
> > 2. is a log skipper plugin available?
> > 3. alerting front, I could achieve this by doing with filter conditions.
> > correct me if I am wrong.
>
> Rsyslog is not an alerting engine, it does not track state.
>

I would think of adding this as a message modifier plugin. Is there any better place than message modifier where I do this?

> You can generate alerts based off filter matches, and for a particular output
> you can throttle it (no more than 1 message every 5 min type of thing)
>

If you share some sample rsyslog config on this, that will help.

> I'm not familiar with log skipper, pointer please?
>

I meant discarding logs if they are repeated N times.

> My go-to tool for any non-trivial alerting is Simple Event Correlator, (SEC)
> http://simple-evcorr.sourceforge.net/
>
> for lower volume setups I create a named pipe (mkfifo) and have SEC read from
> it and rsyslog write to it
>
> for higher log volumes with more complex configs, I have multiple copies of
> SEC running, with rsyslog filtering logs so that a subset of logs go to each
> instance of SEC (and the separate instances of SEC generate log messages to
> pass interesting correlations to other copies).
>
> for very high log volumes, this latter approach can be spread across multiple
> machines.
>

Regards,
Bala
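Requirement 3 from the thread (drop a message once its error code has occurred N times within M seconds), as an added example that is not part of the original post and is not rsyslog or SEC code. The line layout `<epoch-seconds> <error-code>: <message>`, the error codes, and the names `RepeatSuppressor` and `run` are assumptions made for illustration; the thread does not specify a format.

```python
import re
from collections import defaultdict, deque

# Assumed layout (constructed; the thread gives no exact format):
#   <epoch-seconds> <error-code>: <message>
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<code>[A-Z]\d{4}): (?P<msg>.*)$")


class RepeatSuppressor:
    """Forward at most `limit` lines per error code within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)   # code -> timestamps still inside the window
        self.dropped = defaultdict(int)  # code -> lines dropped in the current burst

    def feed(self, line):
        """Return the lines to forward for one input line (possibly none)."""
        m = LINE_RE.match(line)
        if m is None:
            return [line]                # never drop what cannot be parsed
        ts, code = float(m["ts"]), m["code"]
        stamps = self.seen[code]
        while stamps and ts - stamps[0] >= self.window:
            stamps.popleft()             # expire occurrences older than M seconds
        stamps.append(ts)                # every occurrence counts, forwarded or not
        if len(stamps) > self.limit:
            self.dropped[code] += 1
            return []
        out = []
        if self.dropped[code]:
            # Tell the reader how much was hidden before logging resumes.
            out.append(f"{m['ts']} {code}: previous message suppressed "
                       f"{self.dropped[code]} times")
            self.dropped[code] = 0
        out.append(line)
        return out


def run(lines, limit, window):
    """Filter a sequence of lines and return what would be written out."""
    sup = RepeatSuppressor(limit, window)
    return [kept for line in lines for kept in sup.feed(line)]


# Constructed sample input: a burst of E1001 with one unrelated E2002 line.
SAMPLE = [
    "100 E1001: brick offline",
    "101 E1001: brick offline",
    "102 E1001: brick offline",
    "103 E2002: quota exceeded",
    "104 E1001: brick offline",
    "170 E1001: brick offline",
]
```

Because dropped occurrences still count toward the window, a sustained flood stays suppressed until the rate falls, and the summary line records how many messages were hidden so the gap is visible to whoever reads the log later.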

