----- Original Message -----
> From: "David Lang" <[email protected]>
> To: "rsyslog-users" <[email protected]>
> Sent: Friday, April 26, 2013 1:10:16 PM
> Subject: Re: [rsyslog] keeping state information
> 
> On Fri, 26 Apr 2013, Balamurugan Arumugam wrote:
> 
> >>>> I'm not familiar with log skipper, pointer please?
> >>>>
> >>>
> >>> I meant discarding logs if it's repeated N times.
> >>
> >> There is an option to change N messages to one message followed by
> >> "message repeated N-1 times", but that only works if there are no other
> >> messages in between the repeats.
> >>
> >> I believe that it's disabled by default nowadays. It's usually better for
> >> the alerting engine to be able to see the messages and alert on them than
> >> to just have a 'message repeated' message
> >>
> >
> > Is the behavior configurable like for specific priority, progname, message
> > regex etc?
> 
> As far as I know, it applies to the message as a whole, you may be able to
> rig something up with rsyslog filtering the message into a new input to
> itself and apply the detection on that new input, but at that point you
> really are using the wrong tool for the job.
> 

Ok.  I will note this up and how this can be avoided.


Regards,
Bala


> David Lang
> 
> >>
> >>>
> >>>> My go-to tool for any non-trivial alerting is Simple Event Correlator, (SEC)
> >>>> http://simple-evcorr.sourceforge.net/
> >>>>
> >>>> for lower volume setups I create a named pipe (mkfifo) and have SEC read
> >>>> from it and rsyslog write to it
> >>>>
> >>>> for higher log volumes with more complex configs, I have multiple copies
> >>>> of SEC running, with rsyslog filtering logs so that a subset of logs go
> >>>> to each instance of SEC (and the separate instances of SEC generate log
> >>>> messages to pass interesting correlations to other copies).
> >>>>
> >>>> for very high log volumes, this latter approach can be spread across
> >>>> multiple machines.
> >>>>
> >>>
> >>
> >
> > Thanks,
> >
> > Bala
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
> >

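An added illustration, not part of the thread and not rsyslog or SEC code: a small Python model of the two behaviours discussed above. collapse_consecutive models the "message repeated N-1 times" reduction, which only merges adjacent duplicates; threshold_alerts keeps per-message state the way a correlation engine would, so interleaved messages do not hide the repeats. The function names and the sample stream are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample stream of (timestamp_seconds, message); not real logs.
SAMPLE = [
    (0, "sshd: Failed password for root"),
    (1, "sshd: Failed password for root"),
    (2, "sshd: Failed password for root"),
    (3, "cron: job started"),
    (4, "sshd: Failed password for root"),
    (5, "cron: job started"),
    (6, "sshd: Failed password for root"),
]

def collapse_consecutive(events):
    """Merge adjacent duplicates into one message plus a repeat marker."""
    out, last, repeats = [], None, 0
    for _, msg in events:
        if msg == last:
            repeats += 1
            continue
        if repeats:
            out.append(f"message repeated {repeats} times")
        out.append(msg)
        last, repeats = msg, 0
    if repeats:
        out.append(f"message repeated {repeats} times")
    return out

def threshold_alerts(events, threshold, window):
    """Alert when one message is seen `threshold` times within `window`
    seconds, regardless of what other messages arrive in between."""
    seen = defaultdict(deque)  # message -> timestamps still inside the window
    alerts = []
    for ts, msg in events:
        q = seen[msg]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()  # drop occurrences that aged out of the window
        if len(q) == threshold:
            alerts.append((ts, msg))
            q.clear()  # start a fresh count after alerting
    return alerts

if __name__ == "__main__":
    print(collapse_consecutive(SAMPLE))
    print(threshold_alerts(SAMPLE, threshold=5, window=60))
```

On the sample, the consecutive reduction still emits the sshd line three times because cron lines break the run, while the keyed counter sees all five occurrences.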