On Thu, 26 Feb 2015, Ehua KASSI wrote:
Hello,
I would like to tune the ommail triggering function. I actually use the
action.execOnlyOnceEveryInterval="250" option, but this one results in a loss of
information. In the use case where two (or more) distinct Critical logs come in within the 5
minutes, mail was triggered only once.
I would like to be able to keep action.execOnlyOnceEveryInterval="250" only
if the logs that arrive in this interval are the same. This option would not apply
if logs are slightly different.

The execOnlyOnceEveryInterval applies to the entire action, it cannot take other
things into effect. Doing this would require keeping the old logs that have
triggered this around to compare with.

For what you are trying to do, you really need an event correlation engine,
Simple Event Correlator (SEC) is a really good tool for this sort of thing. It
also gives you the ability to define what part of the message being the same
would suppress alerts. In your case you are saying you want to consider the
entire message (outside of the timestamp), but if you get the same message from
two different machines do you consider it the same message or two different
messages, both of which should generate alerts? SEC gives you the ability to do
this.

Rsyslog is not an event correlation engine and does not plan to grow into that
area.

David Lang

Hope I make myself understood.
I think that imfile could solve my issue. As explained in the documentation:
"note that ommail is especially well-suited to work in tandem with
imfile <http://www.rsyslog.com/doc/imfile.html> to watch files for the occurrence of
specific things to be alerted on"
But I don't understand how to implement it in order to fit my needs.
Thanks for help,
Kassi Ehua
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
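
The reply above says that suppressing only identical messages means remembering which messages already triggered an alert, and deciding which fields make two messages "the same". The following Python sketch is an added example, not rsyslog or SEC code and not from the thread; the sample lines, key functions and class name are constructed for illustration, and `key_global` only approximates an interval that applies to a whole action.

```python
import re

# Constructed sample: (arrival time in seconds, traditional syslog line).
SAMPLE = [
    (0,   "Feb 26 10:00:00 web1 app: CRITICAL disk /var full"),
    (60,  "Feb 26 10:01:00 web1 app: CRITICAL disk /var full"),      # exact repeat
    (90,  "Feb 26 10:01:30 web1 app: CRITICAL db connection lost"),  # different text
    (120, "Feb 26 10:02:00 web2 app: CRITICAL disk /var full"),      # same text, other host
    (400, "Feb 26 10:06:40 web1 app: CRITICAL disk /var full"),      # after the window
]

# Drop the timestamp, capture host and the rest of the message.
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s(?P<msg>.*)$")

def key_global(host, msg):            # one shared interval for every message
    return None

def key_message_only(host, msg):      # same text from any host counts as a repeat
    return msg

def key_host_and_message(host, msg):  # same text from another host is a new alert
    return (host, msg)

class Suppressor:
    """Remember when each key last alerted; suppress repeats inside the window."""

    def __init__(self, window, key_fn):
        self.window = window
        self.key_fn = key_fn
        self.last_alert = {}  # key -> arrival time of the alert that was sent

    def should_alert(self, now, line):
        # Forget expired keys so the remembered state stays bounded.
        self.last_alert = {k: t for k, t in self.last_alert.items()
                           if now - t < self.window}
        m = LINE_RE.match(line)
        if m is None:
            return True  # unparseable line: alert rather than lose it
        key = self.key_fn(m["host"], m["msg"])
        if key in self.last_alert:
            return False
        self.last_alert[key] = now
        return True

def run(key_fn, window=250):
    """Return the arrival times of the sample lines that would send mail."""
    s = Suppressor(window, key_fn)
    return [t for t, line in SAMPLE if s.should_alert(t, line)]

if __name__ == "__main__":
    for fn in (key_global, key_message_only, key_host_and_message):
        print(fn.__name__, run(fn))
```

With the shared key the distinct "db connection lost" alert at t=90 is lost; the two per-message keys keep it and differ only on whether web2's copy of the disk alert is mailed.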