If you know that a log message is uninteresting, then you want to
throw it away, but count how many times it happened because the number
of times that an uninteresting log happens can be interesting.
That's exactly what I'm looking for
1. rsyslog gets message
2. if it's a notifiable error
   if it's already "notified", increase notify counter
what do you do with the notify counter? do you want it spit out along
with other stats (in which case dyn_stats is the right answer) or do
you want to do something else?
I just thought to use it as drop criteria. I was thinking something like:
#specific error msg received
    increase counter
    If counter>=5
        drop message (it will be reported later)
    else
        forward
#specific ok message received
    counter=0
    forward
#scheduled task (each X minutes)
    report current_counter
    counter=0
      drop message (don't log it)
   else #not "notified"
      notify error
      log message
is there anything that resets "not notified"? or do you only want one
notification per syslog startup.
See above
3. if it's a recovery
   log recovery
   notify recovered
4. otherwise, log normally
In the above, notification could be a snmptrap to our monitoring
system, and "if notified" could be a "global" errorCount variable or
something similar...
keep in mind there are the global variables $\ that you can use for
this sort of flag, but checking them is relatively expensive, so you
should think about what you are really wanting here.
It may be good enough to not do any tracking of 'already notified' and
instead just do
if <log message type> then increase counter
and then spit the counters out to your monitoring system. If there
were no messages of that type, you have no message to your monitoring
system. If there were messages of that type, you have a notification
of how many times it happened that monitoring period. If the
monitoring period is relatively short (say 1-5 min), this may be
sufficient for your system.
Consider that I'm also trying to save "disk space", i.e. not storing a huge
amount of "droppable" events
Seems dyn_stats is a good alternative, but I haven't time yet to play
with it.
Regards
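
The counter-as-drop-criterion pseudocode from the thread, modelled in Python as an added example (not code from either poster and not rsyslog configuration). The message patterns, the `TICK` marker standing in for the scheduled task, and the sample stream are assumptions constructed for illustration.

```python
import re

# Hypothetical patterns; the thread does not say what the messages look like.
ERROR_RE = re.compile(r"link down")
OK_RE = re.compile(r"link up")


class ErrorSuppressor:
    """Counter-as-drop-criterion logic from the pseudocode in the thread."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.counter = 0

    def handle(self, msg):
        """Return 'forward' or 'drop' for one incoming message."""
        if ERROR_RE.search(msg):
            self.counter += 1
            return "drop" if self.counter >= self.threshold else "forward"
        if OK_RE.search(msg):
            self.counter = 0  # recovery re-arms forwarding
        return "forward"  # OK and all other messages are logged normally

    def report(self):
        """Scheduled task: emit the current count, then reset it."""
        count, self.counter = self.counter, 0
        return count


def run(events, threshold=5):
    """Replay events; the string 'TICK' stands in for the scheduled task."""
    s = ErrorSuppressor(threshold)
    forwarded, reports = [], []
    for ev in events:
        if ev == "TICK":
            reports.append(s.report())
        elif s.handle(ev) == "forward":
            forwarded.append(ev)
    return forwarded, reports


# Constructed sample stream (not from the thread).
SAMPLE = ["eth0 link down"] * 7 + ["TICK", "eth0 link up", "sshd session opened",
          "eth0 link down", "eth0 link down", "TICK", "TICK"]

if __name__ == "__main__":
    fwd, rep = run(SAMPLE)
    print(len(fwd), "forwarded; reports:", rep)
```

Because `report()` resets the counter, up to `threshold - 1` errors are forwarded again in each reporting period, and a period with no errors still produces a report of 0.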
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog