On Thu, 29 Dec 2016, mostolog--- via rsyslog wrote:
monitor logs/sec and alert if they jump much higher than normal
How could I do this using rsyslog? Is there a "counter" module?
impstats
overall, this isn't likely to happen once you get the system setup and running, so many places don't do anything special for this at all.
Our main concern is that, in the event of failure, as we are processing a lot of events it may fill disk with error messages tooo fast
define 'too fast'. And how do you tell the difference between your logging system having a problem and generating so many messages and the systems you are collecting logs from generating the messages?
If you setup thresholds and start throwing away messages that arrive faster than that, I will guarantee that one day you will find that you are throwing away legitimate logs that you care about as a result.
It's also rather tricky to define such threshold criteria, and expensive to track.
much better to just report the stats to your existing monitoring system and use it to decide that something is wrong.
David Lang _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
