On Fri, 27 Feb 2015, Ehua_Kassi wrote:

Thank you for your quick reply,

I knew that SEC would be the next step for the log management system I set
up.
I just hoped that rsyslog could support a simple comparison of the last n
logs of a specific host/severity.

rsyslog does not remember logs that it's processed. It may be possible for you to do something with global variables, but it would be very ugly if it's possible.

If you get the same message from two different machines do you consider it
the same message or two different messages, both of which should generate
alerts?
I'm considering two different alerts in order to see the impact that a link
failure could have on each host for example.
The main issue is that an alert is lost. I don't really care about alerting
every critical log in the 5 minute window. Just want to see which host is
complaining and briefly what it is saying.
A solution might be to divide my configuration with RainerScript to put the
logs in a different action for each host. But for scalability reasons I'm not
really sure about implementing this.

I don't think there is a reasonable way to do this as a general thing. If you have just a couple hosts that you care about, you could make a separate ruleset for each host and have if host1 then ruleset1, if host2 then ruleset2 type of logic.

You can't use variables in any place that would let you do a generic version of this.

I remain curious to know what is the outcome of using imfile with ommail. If
you can go further on this point of configuration it will be great.

I don't understand your issue. Outputs (like ommail) don't care what input the message arrived through. You do have the variable that tells you what input the particular log arrived at, and that variable can be used in templates and filtering logic, but there isn't anything in any output module that will do different things depending on which input is used.

Please explain your issue a bit more.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
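
The per-host ruleset layout suggested in the reply above, written out as an added example (not configuration posted by either participant). It assumes the 5 minute window is implemented with `action.execOnlyOnceEveryInterval`, whose timer is kept per action, so giving each host its own action means an alert from one host does not suppress the alert from the other. The host names, mail server, addresses and the ruleset and template names are placeholders.

```rsyslog
# Added example: one ruleset (and so one rate-limited ommail action) per host.
# host1/host2, mail.example.net and the addresses are placeholders.
module(load="ommail")

# Subject says which host is complaining and, briefly, what it says.
template(name="alertSubject" type="string"
         string="[critical] %hostname%: %msg:1:60%")
template(name="alertBody" type="string"
         string="%timestamp% %hostname% %syslogtag%%msg%")

ruleset(name="alert_host1") {
    # At most one mail every 300 seconds for host1 only.
    action(type="ommail" server="mail.example.net" port="25"
           mailfrom="rsyslog@example.net" mailto="ops@example.net"
           subject.template="alertSubject" template="alertBody"
           action.execOnlyOnceEveryInterval="300")
}

ruleset(name="alert_host2") {
    # Separate action object, so its interval timer is independent of host1's.
    action(type="ommail" server="mail.example.net" port="25"
           mailfrom="rsyslog@example.net" mailto="ops@example.net"
           subject.template="alertSubject" template="alertBody"
           action.execOnlyOnceEveryInterval="300")
}

# Route critical-and-worse messages (severity 0-2) to the host's own ruleset.
# The ruleset name in "call" is a literal, which is why every host needs
# its own branch and this does not generalise to many hosts.
if $syslogseverity <= 2 then {
    if $hostname == "host1" then {
        call alert_host1
    } else if $hostname == "host2" then {
        call alert_host2
    }
}
```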
