Hi Clayton:

In message <e54865560910221059o63f35858xcd87d7aad4b59...@mail.gmail.com>,
Clayton Dukes writes:
>On Thu, Oct 22, 2009 at 1:55 PM, John P. Rouillard <rou...@cs.umb.edu>
>wrote:
>> In message <76a8b853-9c9d-47bc-b610-aa6aad0f2...@rmws.net>,
>> J Carvalho writes:
>>>I'd like to use sec to condense incoming syslog events. I had a system
>>>generate thousands of msgs per second and the result was a swamped
>>>syslog collector.
>>>Would it be possible to use SEC to:
>>>1. read the input stream
>>>2. pass msgs to the syslog file until it sees a msg storm
>>>3. condense the msgs based on time or msg count to prevent
>>> swamping syslog
>>>4. write a msg to the syslog file with a count of msgs processed
>>> during the 'storm'.
>>>5. continue processing input stream.
>>
>> Maybe I am missing something here, but where is the input stream in 1
>> coming from? It sounds like some application is using the syslog api
>> to send data to syslog directly and flooding it. There is no easy way
>> to get SEC in between the application and syslog.
>
>If you're using the latest version of php-syslog-ng it has a built in
>deduplication function. http://code.google.com/p/php-syslog-ng
>Integrating php-syslog-ng with SEC is quite simple, but let me know if
>you need help.

Well the OP was having an issue with syslog and the log server getting
overloaded. So assuming his syslog was dumping the data into a
database, there would be no data in the database to look at with any
tool. Also it's not clear what syslog server he is using.

When you discuss integrating SEC with php-syslog-ng do you mean SEC
does the analysis and puts the data into the database for
php-syslog-ng to retrieve, or do you mean SEC grabs the data from the
database to do the analysis on?

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users