Yes, this would be correct. In my example, a particular message string would be the same.
Example:
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad
Jul 31 13:45:03 server program: This is really bad

So then it could be $msg == 'This is really bad' or perhaps $msg
contains 'really bad'. But for me, matching the exact $msg would be
fine. :P

On Thu, Jul 31, 2008 at 10:38 AM, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> To clarify: let "a" be the event in question and "b" any other event. Two samples
> of an event sequence:
>
> 1. a - a - a - b
> 2. a - a - b - a
>
> Result: in case 1 an alert is triggered, in case 2 not.
>
> Is this understanding correct?
>
> rainer
>
> ----- Original Message -----
> From: "Julian Yap" <[EMAIL PROTECTED]>
> To: "rsyslog-users" <[email protected]>
> Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>; "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Sent: 31.07.08 21:59
> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>
> That's pretty much it for now. I've written Alerts for single line
> events. But for one particular event, it's only really a factor if it
> happens three times in a row.
>
>
> On Thu, Jul 31, 2008 at 8:37 AM, Rainer Gerhards
> <[EMAIL PROTECTED]> wrote:
>> What exactly do you need to do except the "three in a row" alert?
>>
>> ----- Original Message -----
>> From: "Julian Yap" <[EMAIL PROTECTED]>
>> To: "rsyslog-users" <[email protected]>
>> Sent: 31.07.08 20:27
>> Subject: Re: [rsyslog] Alert when multiple repeated lines are found
>>
>> Hmm, Nagios is a pain to set up. Looking for something more
>> lightweight... Was hoping that I could have consolidated lots of Alerts
>> under Rsyslog.
>>
>> Any other suggestions besides Swatch?
>>
>>
>>
>> On 7/31/08, (private) HKS <[EMAIL PROTECTED]> wrote:
>>> Not in rsyslogd itself, but you could do this with Swatch, Nagios, or
>>> some other monitoring-type software.
>>>
>>> -HKS
>>>
>>> On Wed, Jul 30, 2008 at 6:18 PM, Julian Yap <[EMAIL PROTECTED]> wrote:
>>>> Is there a way to set an Alert when multiple repeated lines are found in a
>>>> log?
>>>>
>>>> I want to spawn an email Alert if a message is received 3 times.
>>>>
>>>> Example log lines:
>>>> Jul 30 04:19:29 localhost program: Error detected
>>>> Jul 30 05:19:29 localhost program: Error detected
>>>> Jul 30 06:19:29 localhost program: Error detected
>>>>
>>>> Thanks,
>>>> Julian
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
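
Added example (not part of the original thread, and not rsyslog code): a small Python filter that applies the "three in a row" rule as stated above, where a - a - a - b alerts and a - a - b - a does not, with exact and substring matching mirroring `$msg == ...` and `$msg contains ...`. Assumptions made here: the name `find_runs`, tracking runs per host, and treating the classic syslogd "last message repeated N times" line as extending a run; the sample log lines are constructed.

```python
import re

# Traditional syslog file line: "Mmm dd hh:mm:ss host tag: msg"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+(\S+)\s+(.*)$")
# Repeat-compression line of classic syslogd (assumed format)
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")


def find_runs(lines, target, threshold=3, exact=True):
    """Return [(timestamp, host)] for each run of `target` reaching `threshold`.

    A run is consecutive matching messages from one host; any other
    message from that host resets it. One alert is returned per run.
    """
    runs = {}  # host -> current consecutive match count
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line, ignore it
        stamp, host, rest = m.groups()
        before = runs.get(host, 0)
        rep = REPEAT_RE.match(rest)
        if rep:
            # Repeats extend the run only if the previous message matched
            after = before + int(rep.group(1)) if before else 0
        else:
            msg = rest.split(": ", 1)[-1]  # drop the "tag: " prefix
            hit = msg == target if exact else target in msg
            after = before + 1 if hit else 0
        runs[host] = after
        if before < threshold <= after:  # fire once, when the run crosses
            alerts.append((stamp, host))
    return alerts


# Constructed sample input covering the two sequences discussed in the thread
BAD = "Jul 31 13:45:0{} server program: This is really bad"
OTHER = "Jul 31 13:45:0{} server program: All fine"
CASE_1 = [BAD.format(1), BAD.format(2), BAD.format(3), OTHER.format(4)]  # a a a b
CASE_2 = [BAD.format(1), BAD.format(2), OTHER.format(3), BAD.format(4)]  # a a b a
CASE_3 = [BAD.format(1), "Jul 31 13:45:02 server last message repeated 2 times"]

if __name__ == "__main__":
    for name, case in (("case 1", CASE_1), ("case 2", CASE_2), ("compressed", CASE_3)):
        print(name, find_runs(case, "This is really bad"))
```

The returned tuples can be handed to whatever sends the email alert; a run longer than the threshold still produces a single alert.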

