On Fri, 26 Apr 2013, Balamurugan Arumugam wrote:

----- Original Message -----
From: "David Lang" <[email protected]>
To: "rsyslog-users" <[email protected]>
Sent: Thursday, April 25, 2013 9:18:23 PM
Subject: Re: [rsyslog] keeping state information

On Thu, 25 Apr 2013, Balamurugan Arumugam wrote:

Hi list,

Our idea is to use rsyslog as the logger for GlusterFS.  My requirements are:

1. keep track of each log from glusterfs processes.
2. each log is formatted as error code + message optionally extra message.
3. skip logging repeatedly based on the error code, if it occurs N times
within given M seconds.
4. based on the error codes and their occurrence, the system raises alerts
to sysadmin, supervisors and managers based on their severity


To achieve this, I would like to get advice on
1. Does the rsyslog system/plugin track log stats like time/source/progname
etc?
2. Is a log skipper plugin available?
3. On the alerting front, I could achieve this with filter conditions.
Correct me if I am wrong.

Rsyslog is not an alerting engine, it does not track state.


I would think of adding this as a message modifier plugin.  Is there any better 
place than message modifier where I do this?

take a look at the stats module, it may be a good starting place.

You can generate alerts based on filter matches, and for a particular output
you can throttle it (no more than 1 message every 5 min type of thing)


If you share some sample rsyslog config on this, that will help.

I haven't done this, but take a look at the examples for the e-mail output. I think I've seen mention of it there.

I'm not familiar with log skipper, pointer please?


I meant discarding logs if they are repeated N times.

There is an option to change N messages to one message followed by "message repeated N-1 times", but that only works if there are no other messages in between the repeats.

I believe that it's disabled by default nowadays. It's usually better for the alerting engine to be able to see the messages and alert on them than to just have a 'message repeated' message

David Lang


My go-to tool for any non-trivial alerting is Simple Event Correlator (SEC)
http://simple-evcorr.sourceforge.net/

for lower volume setups I create a named pipe (mkfifo) and have SEC read from
it and rsyslog write to it

for higher log volumes with more complex configs, I have multiple copies of
SEC running, with rsyslog filtering logs so that a subset of logs go to each
instance of SEC (and the separate instances of SEC generate log messages to
pass interesting correlations to other copies).

for very high log volumes, this latter approach can be spread across multiple
machines.


Regards,
Bala
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
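
As an added illustration (not code from anyone in this thread, and not rsyslog or SEC code), here is one way to implement requirement 3 from the original post in a small filter that could sit on the reading end of a pipe like the one described above. Unlike the "message repeated N-1 times" reduction, it keys on the error code, so unrelated messages in between do not reset the count. The line layout `<epoch> <CODE>: <message>`, the codes and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque

# Assumed line layout (not specified in the thread): "<epoch> <CODE>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<code>[A-Z]\d+):\s*(?P<msg>.*)$")


class RepeatSuppressor:
    """Pass at most n occurrences of an error code per m-second sliding window."""
    def __init__(self, n, m):
        self.n, self.m = n, m
        self.seen = defaultdict(deque)      # code -> timestamps inside the window
        self.dropped = defaultdict(int)     # code -> lines skipped since last pass

    def feed(self, line):
        """Return the lines to forward for one input line (possibly none)."""
        line = line.rstrip("\n")
        match = LINE_RE.match(line)
        if match is None:
            return [line]                   # never drop what we cannot parse
        ts, code = float(match["ts"]), match["code"]
        window = self.seen[code]
        while window and window[0] <= ts - self.m:
            window.popleft()                # expire occurrences older than m seconds
        over_limit = len(window) >= self.n
        window.append(ts)                   # suppressed lines still count as occurrences
        if over_limit:
            self.dropped[code] += 1
            return []
        out = []
        if self.dropped[code]:              # tell the alerting side what was skipped
            out.append(f"{match['ts']} {code}: suppressed {self.dropped[code]} repeats")
            self.dropped[code] = 0
        out.append(line)
        return out


def run(lines, n, m):
    suppressor = RepeatSuppressor(n, m)
    return [out for line in lines for out in suppressor.feed(line)]


# Constructed sample input: E1001 floods while E2002 appears in between.
SAMPLE = ["100 E1001: brick offline", "101 E1001: brick offline",
          "102 E2002: quota exceeded", "103 E1001: brick offline",
          "104 E1001: brick offline", "170 E1001: brick offline"]

if __name__ == "__main__":
    print("\n".join(run(SAMPLE, n=2, m=60)))
```

Because suppressed lines still count as occurrences, a continuous flood stays suppressed until the code has been quiet long enough for the window to empty.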
