----- Original Message -----
> From: "David Lang" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Sent: Friday, April 26, 2013 11:40:03 AM
> Subject: Re: [rsyslog] keeping state information
>
> On Fri, 26 Apr 2013, Balamurugan Arumugam wrote:
>
> > ----- Original Message -----
> >> From: "David Lang" <[email protected]>
> >> To: "rsyslog-users" <[email protected]>
> >> Sent: Thursday, April 25, 2013 9:18:23 PM
> >> Subject: Re: [rsyslog] keeping state information
> >>
> >> On Thu, 25 Apr 2013, Balamurugan Arumugam wrote:
> >>
> >>> Hi list,
> >>>
> >>> Our idea is to use rsyslog as logger for GlusterFS. My requirement is:
> >>>
> >>> 1. keep track of each log from glusterfs processes.
> >>> 2. each log is formatted as error code + message optionally extra message.
> >>> 3. skip logging repeatedly based on the error code, if it occurs N times within given M seconds.
> >>> 4. based on the error codes and their occurrence, the system raises alerts to sysadmin, supervisors and managers based on their severity
> >>>
> >>> To achieve this, I would like to get advice on
> >>> 1. Does rsyslog system/plugin track logs stats like time/source/progname etc?
> >>> 2. does log skipper plugin available?
> >>> 3. alerting front, I could achieve this by doing with filter conditions. correct me if I am wrong.
> >>
> >> Rsyslog is not an alerting engine, it does not track state.
> >>
> >
> > I would think of adding this as a message modifier plugin. Is there any
> > better place than message modifier where I do this?
>
> take a look at the stats module, it may be a good starting place.
>
> >> You can generate alerts based off filter matches, and for a particular output you
> >> can throttle it (no more than 1 message every 5 min type of thing)
> >>
> >
> > If you share some sample rsyslog config on this, that will help.
>
> I haven't done this, but take a look at the examples for the e-mail output. I
> think I've seen mention of it there.
>

Thanks for these pointers. I will look into that.

> >> I'm not familiar with log skipper, pointer please?
> >>
> >
> > I meant of discarding logs if its repeated N times.
>
> There is an option to change N messages to one message followed by "message
> repeated N-1 times", but that only works if there are no other messages in
> between the repeats.
>
> I believe that it's disabled by default nowadays. It's usually better for the
> alerting engine to be able to see the messages and alert on them than to just
> have a 'message repeated' message
>

Is the behavior configurable like for specific priority, progname, message regex etc?

> >
> >> My go-to tool for any non-trivial alerting is Simple Event Correlator (SEC)
> >> http://simple-evcorr.sourceforge.net/
> >>
> >> for lower volume setups I create a named pipe (mkfifo) and have SEC read from it
> >> and rsyslog write to it
> >>
> >> for higher log volumes with more complex configs, I have multiple copies of SEC
> >> running, with rsyslog filtering logs so that a subset of logs go to each
> >> instance of SEC (and the separate instances of SEC generate log messages to pass
> >> interesting correlations to other copies).
> >>
> >> for very high log volumes, this latter approach can be spread across multiple
> >> machines.
> >>
> >

Thanks,
Bala
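
Requirement 3 from the quoted thread (skip an error code once it has occurred N times within M seconds), as an added Python example that is not part of the thread and is not rsyslog or SEC code. It keeps state per error code, so interleaved messages from other codes do not reset the count, unlike the "message repeated N-1 times" reduction described above. The `<epoch> <code> <message>` line layout, the error codes and all names are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque

# Assumed layout (constructed for this example): "<epoch seconds> <error code> <message>"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(.*)$")

# Constructed sample input; the error codes are placeholders, not real GlusterFS codes.
SAMPLE = [
    "100 E1001 brick offline",
    "101 E2002 quota exceeded",
    "102 E1001 brick offline",
    "103 E1001 brick offline",
    "104 E1001 brick offline",
    "105 E2002 quota exceeded",
    "170 E1001 brick offline",
]

class RepeatSuppressor:
    """Pass at most max_count lines per error code in any window; drop the rest."""

    def __init__(self, max_count, window_seconds):
        self.max_count = max_count
        self.window = window_seconds
        self.passed_at = defaultdict(deque)  # error code -> timestamps of passed lines
        self.dropped = defaultdict(int)      # error code -> number of suppressed lines

    def offer(self, line):
        m = LINE_RE.match(line)
        if m is None:
            return line  # unparseable lines are never suppressed
        ts, code = float(m.group(1)), m.group(2)
        recent = self.passed_at[code]
        while recent and ts - recent[0] >= self.window:
            recent.popleft()  # forget occurrences that fell out of the window
        if len(recent) >= self.max_count:
            self.dropped[code] += 1
            return None
        recent.append(ts)
        return line

def filter_lines(lines, max_count, window_seconds):
    suppressor = RepeatSuppressor(max_count, window_seconds)
    passed = [l for l in lines if suppressor.offer(l) is not None]
    return passed, dict(suppressor.dropped)

if __name__ == "__main__":
    passed, dropped = filter_lines(SAMPLE, max_count=2, window_seconds=60)
    print("\n".join(passed))
    print("suppressed:", dropped)
```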

