My intention is to create log rate metrics for different types of event (e.g. ASA connection build/break rates etc.) and filtering before sending forward to the central log collection point.
I actually do this sort of thing via omprog, sending logs to SEC (Simple Event Correlator).

I create an output format that contains just the data I need to create rate metrics on, in an easy-to-parse format (pipe delimited), and then I have a simple SEC ruleset that parses the input and accumulates values into Perl hash arrays. I then have a calendar rule in SEC that outputs and resets the counters every minute, resulting in per-minute rate data for various things.

The SEC ruleset looks horribly ugly at first glance, but it's really the same thing repeated for each type of data (I feed it hostname, fromhost-ip and programname).
I'll post the full configs (including the sec config) when I get into the office tomorrow.
Now, if you already need redis for something else, that's fine. But if you thought you needed it just to get rate info, there are other, arguably simpler or at least lighter-weight options.

As far as ASA build/break rates, you can use the %ASA-#-#### program IDs, or you can do like I do and parse/tag the logs with mmnormalize, producing a nice, parsed JSON of the important info that is well suited for going into Elasticsearch or doing further analysis on, and also tagging messages so that all the different build variations yield the same tag, as do all the break variations, etc.
David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
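As an added illustration of the two ideas in the reply above (a pipe-delimited feed of hostname, fromhost-ip and programname accumulated into per-minute counters, and collapsing the various ASA build/teardown message IDs onto one tag each), here is a small stand-alone Python script. It is not David Lang's SEC ruleset or rsyslog config, and it is not mmnormalize; it assumes a record layout of `hostname|fromhost-ip|programname|ISO-timestamp|msg` (the field order is an assumption) and emulates the SEC calendar rule by flushing the counters whenever the minute in the stream changes. The sample records are constructed; the ASA message IDs 302013/302014/302015/302016 (TCP/UDP connection built/teardown) and 106023 (ACL deny) are real Cisco ASA IDs, but the hosts, addresses and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample input in the assumed pipe-delimited layout:
#   hostname|fromhost-ip|programname|ISO timestamp|message
# (hosts, IPs and times are made up; the %ASA IDs are real ASA message IDs)
SAMPLE_RECORDS = [
    "fw1|10.0.0.1|asa|2024-01-01T10:00:05|%ASA-6-302013: Built inbound TCP connection 1001 for outside:192.0.2.10/443",
    "fw1|10.0.0.1|asa|2024-01-01T10:00:12|%ASA-6-302015: Built outbound UDP connection 1002 for outside:192.0.2.53/53",
    "fw1|10.0.0.1|asa|2024-01-01T10:00:40|%ASA-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/443",
    "fw1|10.0.0.1|asa|2024-01-01T10:00:55|%ASA-4-106023: Deny tcp src outside:198.51.100.7/51515 dst inside:10.1.1.5/22",
    "fw1|10.0.0.1|asa|2024-01-01T10:01:03|%ASA-6-302016: Teardown UDP connection 1002 for outside:192.0.2.53/53",
    "fw1|10.0.0.1|asa|2024-01-01T10:01:20|%ASA-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.20/80",
    "fw2|10.0.0.2|asa|2024-01-01T10:01:21|%ASA-6-302013: Built inbound TCP connection 5 for outside:203.0.113.9/443",
]

ASA_ID = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)")

# All build variants map to one tag and all teardown variants to another,
# so rate metrics are per "kind of event", not per message ID.
ASA_TAGS = {
    "302013": "conn_build",      # Built inbound/outbound TCP connection
    "302015": "conn_build",      # Built inbound/outbound UDP connection
    "302014": "conn_teardown",   # Teardown TCP connection
    "302016": "conn_teardown",   # Teardown UDP connection
}


def normalize_asa(msg):
    """Return a parsed dict for an ASA message, or None if it is not one."""
    m = ASA_ID.match(msg)
    if not m:
        return None
    asa_id = m.group("id")
    return {
        "asa_id": asa_id,
        "severity": int(m.group("sev")),
        "tag": ASA_TAGS.get(asa_id, "asa_other"),
        "body": m.group("body"),
    }


class MinuteRateCounter:
    """Accumulates counts per (host, fromhost-ip, programname, tag) and
    emits/resets them on each minute boundary seen in the input stream."""

    def __init__(self):
        self.counts = Counter()
        self.current_minute = None
        self.emitted = []

    def feed(self, record):
        fields = record.split("|", 4)
        if len(fields) != 5:
            return  # malformed record: ignore rather than crash the counter
        host, fromhost_ip, prog, ts, msg = fields
        minute = ts[:16]  # "YYYY-MM-DDTHH:MM" (assumes an ISO timestamp field)
        if self.current_minute is not None and minute != self.current_minute:
            self.flush()  # same role as the SEC calendar rule firing
        self.current_minute = minute
        parsed = normalize_asa(msg)
        tag = parsed["tag"] if parsed else "untagged"
        self.counts[(host, fromhost_ip, prog, tag)] += 1

    def flush(self):
        """Emit one row per key for the minute just finished and reset."""
        if self.current_minute is None:
            return
        for (host, ip, prog, tag), n in sorted(self.counts.items()):
            self.emitted.append({"minute": self.current_minute, "host": host,
                                 "fromhost_ip": ip, "programname": prog,
                                 "tag": tag, "count": n})
        self.counts.clear()
        self.current_minute = None


def compute_rates(records):
    """Run the records through the counter and return the per-minute rows."""
    counter = MinuteRateCounter()
    for rec in records:
        counter.feed(rec)
    counter.flush()  # final partial minute
    return counter.emitted


if __name__ == "__main__":
    for row in compute_rates(SAMPLE_RECORDS):
        print("{minute} {host} {fromhost_ip} {programname} {tag}={count}".format(**row))
```

Because the flush is driven by the timestamps in the stream rather than wall-clock time, the same script gives identical output when replayed over archived logs, which is convenient when validating a ruleset before pointing omprog at it.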

